Race conditions - patch.

Michał Zalewski (lcamtuf@BOSS.STASZIC.WAW.PL)
Sun, 22 Feb 1998 14:13:02 +0100

Here's my kernel patch. This one should finally (?) stop typical
race conditions, including pipe attacks and regular file races.
This solution is radical (disallows writing to not-your pipes and
files in +t directories), but works fine. Even if any program
fails, it may be easily patched to store its files in e.g. /tmp
subdir. It's much easier to change one path than to fix a lot
of vulnerable utilities.

-- race_patch-2.0.patch --
'Race conditions patch' by Michal Zalewski <lcamtuf@staszic.waw.pl>
and Krzysztof G. Baranowski <kgb@manjak.knm.org.pl>

--- linux-2.0.33/fs/namei.c.orig Sun Aug 17 01:23:19 1997
+++ linux-2.0.33/fs/namei.c Sat Feb 21 16:00:20 1998
@@ -19,6 +19,7 @@
#include <linux/fcntl.h>
#include <linux/stat.h>
#include <linux/mm.h>
+#include <linux/config.h>

#define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])

@@ -405,6 +406,13 @@
iput(inode);
return error;
}
+ #ifdef CONFIG_RACE_FIX
+ if ((S_ISREG(inode->i_mode) || S_ISFIFO(inode->i_mode)) && (dir->i_mode
+ & S_ISVTX) && current->fsuid!=inode->i_uid && current->fsuid && (flag & 2)) {
+ iput(inode);
+ return -EPERM;
+ }
+ #endif /* CONFIG_RACE_FIX */
if (S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) {
/*
* 2-Feb-1995 Bruce Perens <Bruce@Pixar.com>
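Review bot: In the added condition, `current->fsuid &&` exempts every process running with fsuid 0, so a root-owned program that opens for writing a file or FIFO another user created in a +t directory is not stopped by this check. If that is intended, the help text should say so; if not, the exemption needs rethinking. The literal in `(flag & 2)` would also read better with a comment naming the access mode it tests, and the `#ifdef`/`#endif` lines should start in column 0 like the `#include` and `#define` lines above.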
--- linux-2.0.33/fs/Config.in.orig Sat Feb 21 14:37:18 1998
+++ linux-2.0.33/fs/Config.in Sat Feb 21 14:36:56 1998
@@ -4,6 +4,9 @@
mainmenu_option next_comment
comment 'Filesystems'

+if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
+ bool 'Race conditions patch (EXPERIMENTAL)' CONFIG_RACE_FIX
+fi
bool 'Quota support' CONFIG_QUOTA
tristate 'Minix fs support' CONFIG_MINIX_FS
tristate 'Extended fs support' CONFIG_EXT_FS
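Review bot: The prompt string 'Race conditions patch (EXPERIMENTAL)' names the patch rather than the behaviour it switches on. A prompt that describes the effect, for example 'Restrict writes to other users' files in +t directories (EXPERIMENTAL)', tells the person configuring the kernel what they are enabling without opening the help entry.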
--- linux-2.0.33/Documentation/Configure.help.orig Sat Sep 6 05:43:58 1997
+++ linux-2.0.33/Documentation/Configure.help Sat Feb 21 15:22:43 1998
@@ -2930,6 +2930,18 @@
will skip detection and configuration after all.
N.B. options are case sensitive.
Read Documentation/cdrom/isp16 for details.
+
+Race conditions patch
+CONFIG_RACE_FIX
+ 'Race condition fix' disallows ordinary users to write files/pipes
+ not owned by them in +t directories, overriding file access mode.
+ This feature prevents 'race conditions'. This patch is experimental.
+ If you're afraid about your security, say Y. Otherwise, if one
+ of more of your programs stops working with this patch, say N,
+ and report your problem to us.
+ Newest version can be obtained from authors, Michal Zalewski
+ <lcamtuf@staszic.waw.pl> and Krzysztof G. Baranowski
+ <kgb@manjak.knm.org.pl>.

Quota support
CONFIG_QUOTA
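Review bot: The sentence "This feature prevents 'race conditions'" in the new help entry is broader than the check added to fs/namei.c, which only covers writes to regular files and FIFOs in +t directories by a non-owner with a non-zero fsuid. Listing those limits here would let an administrator judge what is and is not covered. Also, "one of more" should be "one or more".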
-- eof --

_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
To iterate is human, to recurse divine [P. Deutsch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=