This adds symlink and hardlink restrictions to the Linux VFS.
Symlinks:
A long-standing class of security issues is the symlink-based
time-of-check-time-of-use race, most commonly seen in world-writable
directories like /tmp. The common method of exploitation of this flaw
is to cross privilege boundaries when following a given symlink (i.e. a
root process follows a symlink belonging to another user). For a likely
incomplete list of hundreds of examples across the years, please see:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp
The solution is to permit symlinks to only be followed when outside
a sticky world-writable directory, or when the uid of the symlink and
follower match, or when the directory owner matches the symlink's owner.
Some pointers to the history of earlier discussion that I could find:
1996 Aug, Zygo Blaxell
http://marc.info/?l=bugtraq&m=87602167419830&w=2
1996 Oct, Andrew Tridgell
http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html
1997 Dec, Albert D Cahalan
http://lkml.org/lkml/1997/12/16/4
2005 Feb, Lorenzo Hernández García-Hierro
http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html
2010 May, Kees Cook
https://lkml.org/lkml/2010/5/30/144
Past objections and rebuttals could be summarized as:
- Violates POSIX.
- POSIX didn't consider this situation and it's not useful to follow
a broken specification at the cost of security.
- Might break unknown applications that use this feature.
- Applications that break because of the change are easy to spot and
fix. Applications that are vulnerable to symlink ToCToU by not having
the change aren't. Additionally, no applications have yet been found
that rely on this behavior.
- Applications should just use mkstemp() or O_CREATE|O_EXCL.
- True, but applications are not perfect, and new software is written
all the time that makes these mistakes; blocking this flaw at the
kernel is a single solution to the entire class of vulnerability.
- This should live in the core VFS.
- This should live in an LSM. (https://lkml.org/lkml/2010/5/31/135)
- This should live in an LSM.
- This should live in the core VFS. (https://lkml.org/lkml/2010/8/2/188)
Hardlinks:
On systems that have user-writable directories on the same partition
as system files, a long-standing class of security issues is the
hardlink-based time-of-check-time-of-use race, most commonly seen in
world-writable directories like /tmp. The common method of exploitation
of this flaw is to cross privilege boundaries when following a given
hardlink (i.e. a root process follows a hardlink created by another
user). Additionally, an issue exists where users can "pin" a potentially
vulnerable setuid/setgid file so that an administrator will not actually
upgrade a system fully.
The solution is to permit hardlinks to only be created when the user is
already the existing file's owner, or if they already have read/write
access to the existing file.
Many Linux users are surprised when they learn they can link to files
they have no access to, so this change appears to follow the doctrine
of "least surprise". Additionally, this change does not violate POSIX,
which states "the implementation may require that the calling process
has permission to access the existing file"[1].
This change is known to break some implementations of the "at" daemon,
though the version used by Fedora and Ubuntu has been fixed[2] for
a while. Otherwise, the change has been undisruptive while in use in
Ubuntu for the last 1.5 years.
[1] http://pubs.opengroup.org/onlinepubs/9699919799/functions/linkat.html
[2] http://anonscm.debian.org/gitweb/?p=collab-maint/at.git;a=commitdiff;h=f4114656c3a6c6f6070e315ffdf940a49eda3279
This patch is based on the patches in Openwall and grsecurity, along with
suggestions from Al Viro. I have added a sysctl to enable the protected
behavior, and documentation.
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
sigh...
* opened files have non-NULL dentries and non-NULL inodes
* close_filp() needs current->files only if the file had been
in descriptor table.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* filp_close() needs non-NULL second argument only if it'd been in descriptor
table
* opened files have non-NULL dentries, TYVM
* ... and those dentries are positive - it's kinda hard to open a file that
doesn't exist.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
a) vfs_llseek() does *not* access userland pointers of any kind
b) neither does filp_close(), for that matter
c) ... nor filp_open()
d) vfs_read() does, but we do have a wrapper for that (kernel_read()),
so there's no need to reinvent it.
e) passing current->files to filp_close() on something that never
had been in descriptor table is pointless.
ISAGN: voodoo dolls to be used on voodoo programmers...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* ->lookup() never gets hit with . or ..
* dentry it gets is unhashed, so unless we had gone and hashed it ourselves, there's
no need to d_drop() the sucker.
* wrong name printed in one of the printks (NULL, in fact)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
One side effect - attempt to create a cross-device link on a read-only fs fails
with EROFS instead of EXDEV now. Makes more sense, POSIX allows, etc.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Note that applying umask can't affect their results. While
that affects errno in cases like
mknod("/no_such_directory/a", 030000)
yielding -EINVAL (due to impossible mode_t) instead of
-ENOENT (due to inexistent directory), IMO that makes a lot
more sense, POSIX allows to return either and any software
that relies on getting -ENOENT instead of -EINVAL in that
case deserves everything it gets.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
If we accidentally pass an incorrect bpp value to pixel_to_pat(),
it panics. This is pretty useless, as we generally have the various
console locks held at that point, so nothing will be displayed,
and there is no reason to make this a fatal event.
Let's WARN instead.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
LCD blink is observed during suspend/resume and blank/unblank
operations as backlight is ON during LCDC disable and enable.
So make sure to turn OFF backlight before disabling and turn
it ON after enabling.
Signed-off-by: Manjunathappa, Prakash <prakash.pm@ti.com>
Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
On recent kernels, Realtek codec parser tries to optimize the routing
aggressively and take the headphone output as primary at first. This
caused a regression on VAIO Z with ALC889, the silent output from the
speaker.
The problem seems that the speaker pin must be connected to the first
DAC (0x02) on this machine by some reason although the codec itself
advertises the flexible routing with any DACs.
This patch adds a fix-up for choosing the speaker pin as the primary
so that the right DAC is assigned on this device.
Reported-and-tested-by: Adam Williamson <awilliam@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Commit 15dede882e added support for
horizontal panning but accidentally computes the Y pan step value
incorrectly for NV12/21 and NV16/61 formats. Fix this.
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
When FB_BLANK_UNLANK event occured, exynos mipi dsi regulators have to turn on.
Signed-off-by: Donghwa Lee <dh09.lee@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
As in specification software reset should be applied for several
cycles before bringing it out of reset. Without this patch
particularly during suspend and resume clock reset is not guaranteed
to happen.
Signed-off-by: Manjunathappa, Prakash <prakash.pm@ti.com>
Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
Patch works around the below silicon errata:
During LCDC initialization, there is the potential for a FIFO
underflow condition to occur. A FIFO underflow condition
occurs when the input FIFO is completely empty and the LCDC
raster controller logic that drives data to the output pins
attempts to fetch data from the FIFO. When a FIFO underflow
condition occurs, incorrect data will be driven out on the
LCDC data pins.
Software should poll the FUF bit field in the LCD_STAT register
to check if an error condition has occurred or service the
interrupt if FUF_EN is enabled when FUF occurs. If the FUF bit
field has been set to 1, this will indicate an underflow
condition has occurred and then the software should execute a
reset of the LCDC via the LPSC.
This problem may occur if the LCDC FIFO threshold size
(LCDDMA_CTRL[TH_FIFO_READY]) is left at its default value after
reset. Increasing the FIFO threshold size will reduce or
eliminate underflows. Setting the threshold size to 256 double
words or larger is recommended.
Above issue is described in section 2.1.3 of silicon errata
http://www.ti.com/lit/er/sprz313e/sprz313e.pdf
Signed-off-by: Rajashekhara, Sudhakar <sudhakar.raj@ti.com>
Signed-off-by: Manjunathappa, Prakash <prakash.pm@ti.com>
Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
Flicker/tearing effect is observed with current FB driver.
Issue is because of 2 active DMA channels ping ponging among them
along with usage of 2 DDR ping pong buffers in driver. Application
unaware of active DMA channel keeps updating frame being displayed,
this leads to tearing effect.
Below steps describes the issue:
1)Initially assume both buffers FB0 and FB1 are programmed for buffer-0.
2)On EOF0: Program FB0 for buffer-1, indicate(wake up) application
to fill up buffer-0. As FB1 is active and continues to DMA buffer-0
(which is being filled), leading to tearing/flickering issue.
3)On EOF1: Program FB1 for buffer-0, indicate(wake up) application to
fill up buffer-1. As FB0 is active and continues to DMA buffer-1(which
is being filled), leading to tearing/flickering issue.
4)On EOF0: Program FB0 for buffer-1, indicate(wake up) application to
fill up buffer-0. As FB1 is active and continues to DMA buffer-0(which is
being filled), leading to tearing/flickering issue.
...
Above steps depict that issue is because of 1 frame delay in frame
panned by application.
Patch fixes the issue by keeping track free DMA channel and configures
it in drivers PAN callback so that panned frame from application gets
displayed in next frame period.
Wiki below describes the issue in detail and it also has link to
application with which issue can be reproduced.
http://processors.wiki.ti.com/index.php/DA8xx_LCDC_Linux_FB_FAQs
Signed-off-by: Nellutla, Aditya <aditya.n@ti.com>
Signed-off-by: Manjunathappa, Prakash <prakash.pm@ti.com>
Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
Writing '1' to particular bit of IRQENABLE_CLEAR register disables the
corresponding interrupt on revision 2 LCDC. This register was wrongly
configured to disable all previous enabled interrupts instead of
disabling only palette completion interrupt. Patch fixes it by clearing
only palette completion interrupt bit.
Signed-off-by: Manjunathappa, Prakash <prakash.pm@ti.com>
Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
Pull embedded i2c changes from Wolfram Sang:
"Changes for the "embedded" part of the I2C subsystem:
- lots of devicetree conversions of drivers (and preparations for
that)
- big cleanups for drivers for OMAP, Tegra, Nomadik, Blackfin
- Rafael's struct dev_pm_ops conversion patches for I2C
- usual driver cleanups and fixes
All patches have been in linux-next for an apropriate time and all
patches touching files outside of i2c-folders should have proper acks
from the maintainers."
* 'i2c-embedded/for-next' of git://git.pengutronix.de/git/wsa/linux: (60 commits)
Revert "i2c: tegra: convert normal suspend/resume to *_noirq"
I2C: MV64XYZ: Add Device Tree support
i2c: stu300: use devm managed resources
i2c: i2c-ocores: support for 16bit and 32bit IO
V4L/DVB: mfd: use reg_shift instead of regstep
i2c: i2c-ocores: Use reg-shift property
i2c: i2c-ocores: DT bindings and minor fixes.
i2c: mv64xxxx: remove EXPERIMENTAL tag
i2c-s3c2410: Use plain pm_runtime_put()
i2c: s3c2410: Fix pointer type passed to of_match_node()
i2c: mxs: Set I2C timing registers for mxs-i2c
i2c: i2c-bfin-twi: Move blackfin TWI register access Macro to head file.
i2c: i2c-bfin-twi: Move TWI peripheral pin request array to platform data.
i2c:i2c-bfin-twi: include twi head file
i2c:i2c-bfin-twi: TWI fails to restart next transfer in high system load.
i2c: i2c-bfin-twi: Tighten condition when failing I2C transfer if MEN bit is reset unexpectedly.
i2c: i2c-bfin-twi: Break dead waiting loop if i2c device misbehaves.
i2c: i2c-bfin-twi: Improve the patch for bug "Illegal i2c bus lock upon certain transfer scenarios".
i2c: i2c-bfin-twi: Illegal i2c bus lock upon certain transfer scenarios.
i2c-mv64xxxx: allow more than one driver instance
...
Conflicts:
drivers/i2c/busses/i2c-nomadik.c
This means switching to the tty refcounted model so that we will not
race with interrupts.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: user-mode-linux-devel@lists.sourceforge.net
Signed-off-by: Richard Weinberger <richard@nod.at>
And use count from there.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: user-mode-linux-devel@lists.sourceforge.net
Signed-off-by: Richard Weinberger <richard@nod.at>
Pull networking fixes from David Miller:
"Several bug fixes, some to new features appearing in this merge
window, some that have been around for a while.
I have a short list of known problems that need to be sorted out, but
all of them can be solved easily during the run up to 3.6-final.
I'll be offline until Sunday afternoon, but nothing need hold up
3.6-rc1 and the close of the merge window, networking wise, at this
point.
1) Fix interface check in ipv4 TCP early demux, from Eric Dumazet.
2) Fix a long standing bug in TCP DMA to userspace offload that can
hang applications using MSG_TRUNC, from Jiri Kosina.
3) Don't allow TCP_USER_TIMEOUT to be negative, from Hangbin Liu.
4) Don't use GFP_KERNEL under spinlock in kaweth driver, from Dan
Carpenter"
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
tcp: perform DMA to userspace only if there is a task waiting for it
Revert "openvswitch: potential NULL deref in sample()"
ipv4: fix TCP early demux
net: fix rtnetlink IFF_PROMISC and IFF_ALLMULTI handling
USB: kaweth.c: use GFP_ATOMIC under spin_lock
tcp: Add TCP_USER_TIMEOUT negative value check
bcma: add missing iounmap on error path
bcma: fix regression in interrupt assignment on mips
mac80211_hwsim: fix possible race condition in usage of info->control.sta & control.vif
Prior to syscall invocation, __sys_trace only reloads r0-r3 from the
kernel stack, preventing the debugger from updating arguments 5-7 when
signalled via ptrace.
This patch updates the code to reload r0-r6, updating arguments 5 and 6
on the stack (argument 7 is only used by OABI indirect syscalls and
can remain in a register).
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
just let do_work_pending() return 1 on normal local restarts and
-1 on those that had been caused by ERESTART_RESTARTBLOCK (and 0
is still "all done, sod off to userland now"). And let the asm
glue flip scno to restart_syscall(2) one if it got negative from
us...
[will: resolved conflicts with audit fixes]
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
This reverts commit 3b0c062267.
We no longer require the restart trampoline for syscall restarting.
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
This reverts commit 433e2f307b.
Conflicts:
arch/arm/kernel/ptrace.c
Reintroduce the new syscall restart handling in preparation for further
patches from Al Viro.
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
We should free the thinkpad_id.nummodel_str during exit as it's allocated
in get_thinkpad_module_data().
Signed-off-by: Li Dongyang <Jerry87905@gmail.com>
Signed-off-by: Matthew Garrett <mjg@redhat.com>
