
Bug#573490: Check kernel config during drbd8 builds



On Fri, Mar 12, 2010 at 04:52:46AM +0000, Ben Hutchings wrote:
> This patch adds the config script to the package (as done in unstable)
> and ensures that it runs at build time.  Given this, you can adjust the
> config script or the code to report a fatal error if it detects the
> insecure connector API.

Thanks Ben, that works great.

My suggestion would then be to add a #warning message if built against
old headers, but allow it to complete anyway. My reasoning is that
we provide prebuilt binaries on lenny, and we can guarantee that those
binaries get fixed (by only signing good builds).

The only people building the modules directly are likely running some
self-maintained kernel. This kernel may or may not be keeping up with
security patches - that we can't control - but we can avoid a
regression in functionality. The drbd build is also currently free of
warnings, so this one should stick out.

Attached is a combined patch that implements this.


diff -u drbd8-8.0.14/debian/drbd8-source.drbd-Makefile drbd8-8.0.14/debian/drbd8-source.drbd-Makefile
--- drbd8-8.0.14/debian/drbd8-source.drbd-Makefile
+++ drbd8-8.0.14/debian/drbd8-source.drbd-Makefile
@@ -14,0 +15,9 @@
+# Automatically update config
+$(addprefix $(obj)/,$(drbd-objs)): $(obj)/linux/drbd_config.h
+$(obj)/linux/drbd_config.h: FORCE
+	$(Q)if [ "$(obj)" != "$(src)" ]; then		\
+		mkdir -p $(@D) &&	  		\
+		cp $(src)/linux/drbd_config.h $@;	\
+	fi
+	cd $(obj) && KDIR=$(objtree) $(src)/../scripts/adjust_drbd_config_h.sh
+.PHONY: FORCE
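Review bot: The recipe runs the config script with `KDIR=$(objtree)`, while the detection added to scripts/adjust_drbd_config_h.sh in this patch reads `$KDIR/include/linux/connector.h`. If that header is missing under the object tree (possible when the kernel source and build trees are separate), the test appears to fall into its `else` branch and sets `have_netlink_skb_parms=0`. The module would then build without the CAP_SYS_ADMIN check, with only the `#warning` as a signal. A guard in the script ahead of the grep would turn that case into a build failure, for example `[ -r "$KDIR/include/linux/connector.h" ] || { echo "connector.h not found under $KDIR" >&2; exit 1; }`. The rest of the script is not visible here, so whether its other checks need the object tree or the source tree should be confirmed before changing `KDIR` itself.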
diff -u drbd8-8.0.14/debian/rules drbd8-8.0.14/debian/rules
--- drbd8-8.0.14/debian/rules
+++ drbd8-8.0.14/debian/rules
@@ -113,7 +113,8 @@
 	cp debian/drbd8-source.Makefile debian/$(PACKAGE)-source/usr/src/modules/drbd8/Makefile
 	cp debian/drbd8-source.drbd-Makefile debian/$(PACKAGE)-source/usr/src/modules/drbd8/drbd/Makefile
 	cp drbd/linux/drbd_config.h debian/$(PACKAGE)-source/usr/src/modules/drbd8
-#	cp -a scripts/adjust_drbd_config_h.sh debian/$(PACKAGE)-source/usr/src/modules/drbd/scripts/
+	mkdir debian/$(PACKAGE)-source/usr/src/modules/drbd8/scripts
+	cp scripts/adjust_drbd_config_h.sh debian/$(PACKAGE)-source/usr/src/modules/drbd8/scripts/
 	
 #	 install debian/ files
 	mkdir -p debian/$(PACKAGE)-source/usr/src/modules/drbd8/debian/
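Review bot: The added `mkdir` for the scripts directory has no `-p`, unlike the `mkdir -p` used a few lines further down, so the recipe stops if the directory already exists when this install step is re-run. Using `mkdir -p debian/$(PACKAGE)-source/usr/src/modules/drbd8/scripts` keeps the step repeatable. The new Makefile rule executes `adjust_drbd_config_h.sh` directly, so it is also worth confirming that the copied script keeps its executable bit now that `cp -a` has become plain `cp`. The enclosing target starts and ends outside the hunk.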
diff -u drbd8-8.0.14/debian/changelog drbd8-8.0.14/debian/changelog
--- drbd8-8.0.14/debian/changelog
+++ drbd8-8.0.14/debian/changelog
@@ -1,3 +1,11 @@
+drbd8 (2:8.0.14-2+lenny1) stable-security; urgency=high
+
+  * Update for connector API change in linux-2.6_2.6.26-21lenny4
+    (Closes: #573490)
+  * Restrict netlink calls to users with CAP_SYS_ADMIN (CVE Requested)
+
+ -- dann frazier <dannf@debian.org>  Thu, 11 Mar 2010 15:47:53 -0700
+
 drbd8 (2:8.0.14-2) unstable; urgency=low
 
   * Drop dpatch build-dependency.
only in patch2:
unchanged:
--- drbd8-8.0.14.orig/drbd/drbd_nl.c
+++ drbd8-8.0.14/drbd/drbd_nl.c
@@ -1764,9 +1764,15 @@
 
 };
 
+#ifdef KERNEL_HAS_CN_SKB_PARMS
+STATIC void drbd_connector_callback(struct cn_msg *req, struct netlink_skb_parms *nsp)
+{
+#else
+#warning "Possible security issue. Please update your headers/kernel."
 STATIC void drbd_connector_callback(void *data)
 {
 	struct cn_msg *req = data;
+#endif
 	struct drbd_nl_cfg_req *nlp = (struct drbd_nl_cfg_req *)req->data;
 	struct cn_handler_struct *cm;
 	struct cn_msg *cn_reply;
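Review bot: The `#warning` in the `#else` branch does not say what is lost when it fires. Without `KERNEL_HAS_CN_SKB_PARMS` the callback only receives `void *data`, so the `CAP_SYS_ADMIN` check that the later hunk guards with the same macro is compiled out. Someone building against a self-maintained kernel needs that stated, for example `#warning "connector API lacks netlink_skb_parms: DRBD netlink requests are NOT restricted to CAP_SYS_ADMIN; update kernel headers"`. Because the two signatures share one body with the opening brace duplicated across the `#ifdef`, a short comment on the `#endif` such as `/* KERNEL_HAS_CN_SKB_PARMS: req and nsp are callback arguments */` would also help readers. The function body continues outside the hunk.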
@@ -1782,13 +1788,20 @@
 		return;
 	}
 
+#ifdef KERNEL_HAS_CN_SKB_PARMS
+	if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN)) {
+		retcode = ERR_PERM;
+		goto fail;
+	}
+#endif
+
 	mdev = ensure_mdev(nlp);
 	if (!mdev) {
 		retcode = MinorNotKnown;
 		goto fail;
 	}
 
-	TRACE(TraceTypeNl, TraceLvlSummary, nl_trace_packet(data););
+	TRACE(TraceTypeNl, TraceLvlSummary, nl_trace_packet(req););
 
 	if (nlp->packet_type >= P_nl_after_last_packet) {
 		retcode = UnknownNetLinkPacket;
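Review bot: The denial path at `if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))` leaves no visible trace on the kernel side, so an operator cannot tell from the log that an unprivileged process is sending DRBD configuration requests. A rate-limited message before the `goto fail` would provide that signal without letting the sender flood the log, for example `if (printk_ratelimit()) printk(KERN_WARNING "drbd: netlink request without CAP_SYS_ADMIN rejected\n");`. The `fail` label and the reply it sends are outside the hunk, so if that path already logs, this is unnecessary.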
only in patch2:
unchanged:
--- drbd8-8.0.14.orig/drbd/linux/drbd_config.h
+++ drbd8-8.0.14/drbd/linux/drbd_config.h
@@ -85,4 +85,8 @@
 //#define NEED_SG_SET_BUF
 #define HAVE_LINUX_SCATTERLIST_H
 
+/* In 2.6.32 we finally fixed connector to pass netlink_skb_parms to the callback
+ */
+#define KERNEL_HAS_CN_SKB_PARMS
+
 #endif
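Review bot: The comment above `#define KERNEL_HAS_CN_SKB_PARMS` ties the macro to 2.6.32, but this upload targets a 2.6.26 kernel that carries the connector change as a backport, and the value is rewritten at build time by scripts/adjust_drbd_config_h.sh. The comment should say both, roughly `/* Set by scripts/adjust_drbd_config_h.sh when include/linux/connector.h mentions netlink_skb_parms (2.6.32+, or a backport such as linux-2.6 2.6.26-21lenny4). Do not edit by hand. */`. Since the shipped default is "defined", it should also note that a build which skips the script against old headers would select the two-argument callback. That signature would presumably not match what the old connector API passes.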
only in patch2:
unchanged:
--- drbd8-8.0.14.orig/drbd/linux/drbd.h
+++ drbd8-8.0.14/drbd/linux/drbd.h
@@ -140,6 +140,7 @@
 	CSUMSResyncRunning,	/* DRBD 8.2 only */
 	VERIFYIsRunning,	/* DRBD 8.2 only */
 	DataOfWrongCurrent,
+	ERR_PERM,
 
 	/* insert new ones above this line */
 	AfterLastRetCode
only in patch2:
unchanged:
--- drbd8-8.0.14.orig/user/drbdsetup.c
+++ drbd8-8.0.14/user/drbdsetup.c
@@ -408,6 +408,7 @@
 	EM(ProtocolCRequired) = "Protocol C required",
 	EM(VMallocFailed) = "vmalloc() failed. Out of memory?",
 	EM(DataOfWrongCurrent) = "Can only attach to the data we lost last (see kernel log).",
+	EM(ERR_PERM) = "Permission denied. CAP_SYS_ADMIN necessary",
 };
 #define MAX_ERROR (sizeof(error_messages)/sizeof(*error_messages))
 const char * error_to_string(int err_no)
only in patch2:
unchanged:
--- drbd8-8.0.14.orig/scripts/adjust_drbd_config_h.sh
+++ drbd8-8.0.14/scripts/adjust_drbd_config_h.sh
@@ -104,6 +104,11 @@
     have_linux_scatterlist_h=0
     need_sg_set_buf=1
   fi
+  if grep_q "netlink_skb_parms" $KDIR/include/linux/connector.h ; then
+    have_netlink_skb_parms=1
+  else
+    have_netlink_skb_parms=0
+  fi
 else
     # not a 2.6. kernel. just leave it alone...
     exit 0
@@ -131,6 +136,8 @@
   { ( $need_sg_set_buf ? '' : '//' ) . \$1}e;
  s{.*(#define HAVE_LINUX_SCATTERLIST_H.*)}
   { ( $have_linux_scatterlist_h ? '' : '//' ) . \$1}e;
+ s{.*(#define KERNEL_HAS_CN_SKB_PARMS.*)}
+  { ( $have_netlink_skb_parms ? '' : '//' ) . \$1}e;
  " \
 	  < ./linux/drbd_config.h \
 	  > ./linux/drbd_config.h.new
