aboutsummaryrefslogtreecommitdiffstats
path: root/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0001-Check-for-root-peer-user-for-iscsiuio-IPC.patch
diff options
context:
space:
mode:
authorZhixiong Chi <zhixiong.chi@windriver.com>2018-01-04 02:52:14 -0800
committerArmin Kuster <akuster808@gmail.com>2018-10-15 12:50:46 -0700
commit59c43205f13c0e61b44eb42ffbf2af6cbfd3e6c0 (patch)
treef31fe9352b14cf0fea61f6e594e18e1885996739 /meta-networking/recipes-daemons/iscsi-initiator-utils/files/0001-Check-for-root-peer-user-for-iscsiuio-IPC.patch
parent1b5bafb1127c96f5d6c071c413d4339f625a9573 (diff)
downloadmeta-openembedded-contrib-59c43205f13c0e61b44eb42ffbf2af6cbfd3e6c0.tar.gz
meta-openembedded-contrib-59c43205f13c0e61b44eb42ffbf2af6cbfd3e6c0.tar.bz2
meta-openembedded-contrib-59c43205f13c0e61b44eb42ffbf2af6cbfd3e6c0.zip
iscsi-initiator-utils: CVE-2017-17840stable/rocko-nmut
Backport CVE patches from the github upstream: https://github.com/open-iscsi/open-iscsi commit as follows: e313bd648a4c8a9526421e270eb597a5de1e0c7f b9c33683bdc0aed28ffe31c3f3d50bf5cdf519ea be58eed849f5457bb49b79e94aa6a26971ba6deb 5504053cc08df38d8d85032fa1691e363dfcfb92 85f647c4300a888bb6cbc27f33138549cab617e3 a7a96131bd2ea342f6def0e46be514baf8037ae8 59ede2cf4eee8729a4221000a5d1ecdd312a31ac https://nvd.nist.gov/vuln/detail/CVE-2017-17840 A local attacker can cause the iscsiuio server to abort or potentially execute code by sending messages with incorrect lengths, which (due to lack of checking) can lead to buffer overflows, and result in aborts (with overflow checking enabled) or code execution. The process_iscsid_broadcast function in iscsiuio/src/unix/iscsid_ipc.c does not validate the payload length before a write operation Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> (cherry picked from commit fdd3c62df9f4cb4e263aca4ab426ae9f88b29912) Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-networking/recipes-daemons/iscsi-initiator-utils/files/0001-Check-for-root-peer-user-for-iscsiuio-IPC.patch')
-rw-r--r--meta-networking/recipes-daemons/iscsi-initiator-utils/files/0001-Check-for-root-peer-user-for-iscsiuio-IPC.patch135
1 files changed, 135 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0001-Check-for-root-peer-user-for-iscsiuio-IPC.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0001-Check-for-root-peer-user-for-iscsiuio-IPC.patch
new file mode 100644
index 0000000000..2fd5c08a1c
--- /dev/null
+++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0001-Check-for-root-peer-user-for-iscsiuio-IPC.patch
@@ -0,0 +1,135 @@
+From eb516ac5f9dddc80564f6becee08a0011e7aa58b Mon Sep 17 00:00:00 2001
+From: Lee Duncan <lduncan@suse.com>
+Date: Fri, 15 Dec 2017 10:36:11 -0800
+Subject: [PATCH 1/7] Check for root peer user for iscsiuio IPC
+
+This fixes a possible vulnerability where a non-root
+process could connect with iscsiuio. Fouund by Qualsys.
+
+CVE: CVE-2017-17840
+
+Upstream-Status: Backport
+
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ iscsiuio/src/unix/Makefile.am | 3 ++-
+ iscsiuio/src/unix/iscsid_ipc.c | 47 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 49 insertions(+), 1 deletion(-)
+
+diff --git a/iscsiuio/src/unix/Makefile.am b/iscsiuio/src/unix/Makefile.am
+index 71d5463..a989ef0 100644
+--- a/iscsiuio/src/unix/Makefile.am
++++ b/iscsiuio/src/unix/Makefile.am
+@@ -20,7 +20,8 @@ iscsiuio_SOURCES = build_date.c \
+ nic_utils.c \
+ packet.c \
+ iscsid_ipc.c \
+- ping.c
++ ping.c \
++ ${top_srcdir}/../utils/sysdeps/sysdeps.c
+
+ iscsiuio_CFLAGS = $(AM_CFLAGS) \
+ $(LIBNL_CFLAGS) \
+diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c
+index a2a59a8..08e49e5 100644
+--- a/iscsiuio/src/unix/iscsid_ipc.c
++++ b/iscsiuio/src/unix/iscsid_ipc.c
+@@ -37,6 +37,8 @@
+ *
+ */
+
++#define _GNU_SOURCE
++
+ #include <errno.h>
+ #include <pthread.h>
+ #include <signal.h>
+@@ -47,6 +49,8 @@
+ #include <sys/socket.h>
+ #include <sys/time.h>
+ #include <sys/un.h>
++#include <sys/types.h>
++#include <pwd.h>
+
+ #define PFX "iscsi_ipc "
+
+@@ -61,6 +65,7 @@
+ #include "iscsid_ipc.h"
+ #include "uip.h"
+ #include "uip_mgmt_ipc.h"
++#include "sysdeps.h"
+
+ #include "logger.h"
+ #include "uip.h"
+@@ -102,6 +107,7 @@ struct iface_rec_decode {
+ uint16_t mtu;
+ };
+
++#define PEERUSER_MAX 64
+
+ /******************************************************************************
+ * iscsid_ipc Constants
+@@ -1029,6 +1035,40 @@ static void iscsid_loop_close(void *arg)
+ LOG_INFO(PFX "iSCSI daemon socket closed");
+ }
+
++/*
++ * check that the peer user is privilidged
++ *
++ * return 1 if peer is ok else 0
++ *
++ * XXX: this function is copied from iscsid_ipc.c and should be
++ * moved into a common library
++ */
++static int
++mgmt_peeruser(int sock, char *user)
++{
++ struct ucred peercred;
++ socklen_t so_len = sizeof(peercred);
++ struct passwd *pass;
++
++ errno = 0;
++ if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &peercred,
++ &so_len) != 0 || so_len != sizeof(peercred)) {
++ /* We didn't get a valid credentials struct. */
++ LOG_ERR(PFX "peeruser_unux: error receiving credentials: %m");
++ return 0;
++ }
++
++ pass = getpwuid(peercred.uid);
++ if (pass == NULL) {
++ LOG_ERR(PFX "peeruser_unix: unknown local user with uid %d",
++ (int) peercred.uid);
++ return 0;
++ }
++
++ strlcpy(user, pass->pw_name, PEERUSER_MAX);
++ return 1;
++}
++
+ /**
+ * iscsid_loop() - This is the function which will process the broadcast
+ * messages from iscsid
+@@ -1038,6 +1078,7 @@ static void *iscsid_loop(void *arg)
+ {
+ int rc;
+ sigset_t set;
++ char user[PEERUSER_MAX];
+
+ pthread_cleanup_push(iscsid_loop_close, arg);
+
+@@ -1077,6 +1118,12 @@ static void *iscsid_loop(void *arg)
+ continue;
+ }
+
++ if (!mgmt_peeruser(iscsid_opts.fd, user) || strncmp(user, "root", PEERUSER_MAX)) {
++ close(s2);
++ LOG_ERR(PFX "Access error: non-administrative connection rejected");
++ break;
++ }
++
+ process_iscsid_broadcast(s2);
+ close(s2);
+ }
+--
+1.9.1
+