Date: Fri, 31 Oct 2003 19:12:31 -0800 (PST) From: "David P.Reese Jr." <daver@gomerbud.com> To: FreeBSD-gnats-submit@FreeBSD.org Subject: kern/58793: [patch] linux_statfs() can leak fsid's to non-root users Message-ID: <20031101031231.D9505575@tombstone.localnet.gomerbud.com> Resent-Message-ID: <200311010310.hA13AKn1034295@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 58793 >Category: kern >Synopsis: [patch] linux_statfs() can leak fsid's to non-root users >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Oct 31 19:10:20 PST 2003 >Closed-Date: >Last-Modified: >Originator: David P. Reese Jr. >Release: FreeBSD 5.1-RELEASE-p10 i386 >Organization: >Environment: System: FreeBSD tombstone.localnet.gomerbud.com 5.1-RELEASE-p10 FreeBSD 5.1-RELEASE-p10 #33: Fri Oct 31 17:52:30 PST 2003 root@tombstone.localnet.gomerbud.com:/tmp/obj/usr/src/sys/TOMBSTONE i386 >Description: The linux emulator syscalls linux_statfs() and linux_fstatfs() can leak fsid's to non-root users because they don't check the user id of the calling thread. The native syscalls statfs() and fstatfs() do however check the user id of the calling thread and modify the statfs buffer before copyout. While this is not much of a concern with local filesystems, leaking this information about an NFS mount exposes part of the NFS file handle. >How-To-Repeat: Compile the following program under both FreeBSD and Linux. --- Begin Program --- #include <stdio.h> #include <stdlib.h> #include <err.h> #ifdef __linux__ #include <sys/vfs.h> #else #include <sys/param.h> #include <sys/mount.h> #endif int main(int argc, char **argv) { struct statfs buf; int error; if (argc != 2) errx(EXIT_FAILURE, "please give me a path"); error = statfs(argv[1], &buf); if (error) err(EXIT_FAILURE, "statfs()"); printf("f_fsid.val[0] = 0x%x\n", buf.f_fsid); printf("f_fsid.val[1] = 0x%x\n", (int)*((int32_t *)&buf.f_fsid + 1)); return (0); } --- End Program --- For convenience, I have provided binaries built under both FreeBSD 5.1 and Slackware Linux 9.0 in order to reproduce the problem at http://gomerbud.com/daver/patches/freebsd/linux_statfs/ Running the FreeBSD version of the program we see something like: [daver@tombstone:~/security/freebsd/linux_statfs]$ ./statfs-freebsd5 /home f_fsid.val[0] = 0x0 f_fsid.val[1] = 0x0 [daver@tombstone:~/security/freebsd/linux_statfs]$ sudo ./statfs-freebsd5 /home f_fsid.val[0] = 0x3dcce3c0 f_fsid.val[1] = 0x3f68df57 Running the Linux version of the program we see something like: [daver@tombstone:~/security/freebsd/linux_statfs]$ ./statfs-linux /home f_fsid.val[0] = 0x3dcce3c0 f_fsid.val[1] = 0x3f68df57 [daver@tombstone:~/security/freebsd/linux_statfs]$ sudo ./statfs-linux /home f_fsid.val[0] = 0x3dcce3c0 f_fsid.val[1] = 0x3f68df57 Thus, the Linux emulator syscalls are not doing the proper credential checking. >Fix: Apply this patch to the kernel source: --- Begin Patch --- Index: compat/linux/linux_stats.c =================================================================== RCS file: /home/daver/cvs-repos/cvs-freebsd/src/sys/compat/linux/linux_stats.c,v retrieving revision 1.53 diff -u -r1.53 linux_stats.c --- compat/linux/linux_stats.c 29 Apr 2003 17:03:22 -0000 1.53 +++ compat/linux/linux_stats.c 1 Nov 2003 01:46:11 -0000 @@ -267,8 +267,13 @@ linux_statfs.f_bavail = bsd_statfs->f_bavail; linux_statfs.f_ffree = bsd_statfs->f_ffree; linux_statfs.f_files = bsd_statfs->f_files; - linux_statfs.f_fsid.val[0] = bsd_statfs->f_fsid.val[0]; - linux_statfs.f_fsid.val[1] = bsd_statfs->f_fsid.val[1]; + if (suser(td)) { + linux_statfs.f_fsid.val[0] = 0; + linux_statfs.f_fsid.val[1] = 0; + } else { + linux_statfs.f_fsid.val[0] = bsd_statfs->f_fsid.val[0]; + linux_statfs.f_fsid.val[1] = bsd_statfs->f_fsid.val[1]; + } linux_statfs.f_namelen = MAXNAMLEN; return copyout(&linux_statfs, args->buf, sizeof(linux_statfs)); } @@ -311,8 +316,13 @@ linux_statfs.f_bavail = bsd_statfs->f_bavail; linux_statfs.f_ffree = bsd_statfs->f_ffree; linux_statfs.f_files = bsd_statfs->f_files; - linux_statfs.f_fsid.val[0] = bsd_statfs->f_fsid.val[0]; - linux_statfs.f_fsid.val[1] = bsd_statfs->f_fsid.val[1]; + if (suser(td)) { + linux_statfs.f_fsid.val[0] = 0; + linux_statfs.f_fsid.val[1] = 0; + } else { + linux_statfs.f_fsid.val[0] = bsd_statfs->f_fsid.val[0]; + linux_statfs.f_fsid.val[1] = bsd_statfs->f_fsid.val[1]; + } linux_statfs.f_namelen = MAXNAMLEN; error = copyout(&linux_statfs, args->buf, sizeof(linux_statfs)); fdrop(fp, td); --- End Patch --- After rebuilding the Linux module and loading it, we notice that the fsid's are not being leaked to non-root users by using the above program: [daver@tombstone:~/security/freebsd/linux_statfs]$ ./statfs-linux /home f_fsid.val[0] = 0x0 f_fsid.val[1] = 0x0 [daver@tombstone:~/security/freebsd/linux_statfs]$ sudo ./statfs-linux /home f_fsid.val[0] = 0x3dcce3c0 f_fsid.val[1] = 0x3f68df57 >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031101031231.D9505575>