Re: subuid security patches for shadow package

[Sebastian Krahmer <krahmer () suse com>]

On Tue, Jul 19, 2016 at 11:39:15AM +0200, Sebastian Krahmer wrote:
> Hi
>
> The shadow package contains newuidmap and newgidmap suid
> binaries in order to allow users to take advantage of the
> userns feature of uid-mappings.
>
> I added patches here:
>
> https://bugzilla.suse.com/show_bug.cgi?id=979282
>
> they consist of:
>
> 1) Removing getlogin() to find out about users.
>    It relies on utmp, which is not a trusted base of info (group writable).
>
> 2) Cleaning up UID retrieval and computation. The 'long long' code was
>    totally unclear to me, as the numbers are converted to ulong right
>    afterwards anyway. Additionally there was a *int overflow*, which can be
>    tested via 'newuidmap $$ 0 10000 -1' (given that 10000 is listed as allowed)
>    which produces no error but tries to write large "count" values to the uid_map
>    file. Kernel may check for overflows itself, but it should not be allowed
>    by a suid binary to be written in the first place.

After checking some kernels, it looks like this int wrap is exploitable as a LPE,
as kernel is using 32bit uid's that are truncated from unsigned longs (64bit on x64)
as returned by simple_strtoul() [map_write()]. So newuidmap and kernel have an entire
different view on the upper and lower bounds, making newuidmap overflow (and pass)
and still being in bounds inside the kernel.

Maybe it would be wise to align integer widths of kernel and the userspace
tools.

So everyone shipping newuidmap as mode 04755 should fix it. :)

Sebastian

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse com - SuSE Security Team