DivestOS/Patches/Linux_CVEs/CVE-2016-10044/ANY/0001.patch

From 22f6b4d34fcf039c63a94e7670e0da24f8575a5a Mon Sep 17 00:00:00 2001
From: Jann Horn <jann@thejh.net>
Date: Fri, 16 Sep 2016 00:31:22 +0200
Subject: aio: mark AIO pseudo-fs noexec

This ensures that do_mmap() won't implicitly make AIO memory mappings
executable if the READ_IMPLIES_EXEC personality flag is set.  Such
behavior is problematic because the security_mmap_file LSM hook doesn't
catch this case, potentially permitting an attacker to bypass a W^X
policy enforced by SELinux.

I have tested the patch on my machine.

To test the behavior, compile and run this:

    #define _GNU_SOURCE
    #include <unistd.h>
    #include <sys/personality.h>
    #include <linux/aio_abi.h>
    #include <err.h>
    #include <stdlib.h>
    #include <stdio.h>
    #include <sys/syscall.h>

    int main(void) {
        personality(READ_IMPLIES_EXEC);
        aio_context_t ctx = 0;
        if (syscall(__NR_io_setup, 1, &ctx))
            err(1, "io_setup");

        char cmd[1000];
        sprintf(cmd, "cat /proc/%d/maps | grep -F '/[aio]'",
            (int)getpid());
        system(cmd);
        return 0;
    }

In the output, "rw-s" is good, "rwxs" is bad.

Signed-off-by: Jann Horn <jann@thejh.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
 fs/aio.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fs/aio.c b/fs/aio.c
index fb8e45b..4fe81d1 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -239,7 +239,12 @@ static struct dentry *aio_mount(struct file_system_type *fs_type,
 	static const struct dentry_operations ops = {
 		.d_dname	= simple_dname,
 	};
-	return mount_pseudo(fs_type, "aio:", NULL, &ops, AIO_RING_MAGIC);
+	struct dentry *root = mount_pseudo(fs_type, "aio:", NULL, &ops,
+					   AIO_RING_MAGIC);
+
+	if (!IS_ERR(root))
+		root->d_sb->s_iflags |= SB_I_NOEXEC;
+	return root;
 }
 
 /* aio_setup
-- 
cgit v1.1
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`From 22f6b4d34fcf039c63a94e7670e0da24f8575a5a Mon Sep 17 00:00:00 2001`
			`From: Jann Horn <jann@thejh.net>`
			`Date: Fri, 16 Sep 2016 00:31:22 +0200`
			`Subject: aio: mark AIO pseudo-fs noexec`

			`This ensures that do_mmap() won't implicitly make AIO memory mappings`
			`executable if the READ_IMPLIES_EXEC personality flag is set. Such`
			`behavior is problematic because the security_mmap_file LSM hook doesn't`
			`catch this case, potentially permitting an attacker to bypass a W^X`
			`policy enforced by SELinux.`

			`I have tested the patch on my machine.`

			`To test the behavior, compile and run this:`

			`#define _GNU_SOURCE`
			`#include <unistd.h>`
			`#include <sys/personality.h>`
			`#include <linux/aio_abi.h>`
			`#include <err.h>`
			`#include <stdlib.h>`
			`#include <stdio.h>`
			`#include <sys/syscall.h>`

			`int main(void) {`
			`personality(READ_IMPLIES_EXEC);`
			`aio_context_t ctx = 0;`
			`if (syscall(__NR_io_setup, 1, &ctx))`
			`err(1, "io_setup");`

			`char cmd[1000];`
			`sprintf(cmd, "cat /proc/%d/maps \| grep -F '/[aio]'",`
			`(int)getpid());`
			`system(cmd);`
			`return 0;`
			`}`

			`In the output, "rw-s" is good, "rwxs" is bad.`

			`Signed-off-by: Jann Horn <jann@thejh.net>`
			`Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>`
			`---`
			`fs/aio.c \| 7 ++++++-`
			`1 file changed, 6 insertions(+), 1 deletion(-)`

			`diff --git a/fs/aio.c b/fs/aio.c`
			`index fb8e45b..4fe81d1 100644`
			`--- a/fs/aio.c`
			`+++ b/fs/aio.c`
			`@@ -239,7 +239,12 @@ static struct dentry aio_mount(struct file_system_type fs_type,`
			`static const struct dentry_operations ops = {`
			`.d_dname = simple_dname,`
			`};`
			`- return mount_pseudo(fs_type, "aio:", NULL, &ops, AIO_RING_MAGIC);`
			`+ struct dentry *root = mount_pseudo(fs_type, "aio:", NULL, &ops,`
			`+ AIO_RING_MAGIC);`
			`+`
			`+ if (!IS_ERR(root))`
			`+ root->d_sb->s_iflags \|= SB_I_NOEXEC;`
			`+ return root;`
			`}`

			`/* aio_setup`
			`--`
			`cgit v1.1`