rcolebaugh / rpms / openssh

Forked from rpms/openssh 2 years ago
Clone

Blame SOURCES/openssh-6.6p1-audit-race-condition.patch

1d31ef
diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
1d31ef
--- openssh-7.4p1/monitor_wrap.c.audit-race	2017-02-09 14:07:56.870994116 +0100
1d31ef
+++ openssh-7.4p1/monitor_wrap.c	2017-02-09 14:07:56.874994112 +0100
1d31ef
@@ -1107,4 +1107,48 @@ mm_audit_destroy_sensitive_data(const ch
f8987c
 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
f8987c
 	buffer_free(&m);
f8987c
 }
f8987c
+
f8987c
+int mm_forward_audit_messages(int fdin)
f8987c
+{
1bd961
+	u_char buf[4];
1bd961
+	u_int blen, msg_len;
1bd961
+	Buffer m;
1bd961
+	int ret = 0;
1bd961
+
1bd961
+	debug3("%s: entering", __func__);
1bd961
+	buffer_init(&m);
f8987c
+	do {
1bd961
+		blen = atomicio(read, fdin, buf, sizeof(buf));
1bd961
+		if (blen == 0) /* closed pipe */
1bd961
+			break;
1bd961
+		if (blen != sizeof(buf)) {
1bd961
+			error("%s: Failed to read the buffer from child", __func__);
1bd961
+			ret = -1;
1bd961
+			break;
1bd961
+		}
1bd961
+
1bd961
+		msg_len = get_u32(buf);
1bd961
+		if (msg_len > 256 * 1024)
1bd961
+			fatal("%s: read: bad msg_len %d", __func__, msg_len);
1bd961
+		buffer_clear(&m);
1bd961
+		buffer_append_space(&m, msg_len);
1bd961
+		if (atomicio(read, fdin, buffer_ptr(&m), msg_len) != msg_len) {
1bd961
+			error("%s: Failed to read the the buffer content from the child", __func__);
1bd961
+			ret = -1;
1bd961
+			break;
f8987c
+		}
1bd961
+		if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen || 
1bd961
+		    atomicio(vwrite, pmonitor->m_recvfd, buffer_ptr(&m), msg_len) != msg_len) {
1bd961
+			error("%s: Failed to write the message to the monitor", __func__);
1bd961
+			ret = -1;
1bd961
+			break;
f8987c
+		}
1bd961
+	} while (1);
1bd961
+	buffer_free(&m);
1bd961
+	return ret;
f8987c
+}
f8987c
+void mm_set_monitor_pipe(int fd)
f8987c
+{
f8987c
+	pmonitor->m_recvfd = fd;
f8987c
+}
f8987c
 #endif /* SSH_AUDIT_EVENTS */
1d31ef
diff -up openssh-7.4p1/monitor_wrap.h.audit-race openssh-7.4p1/monitor_wrap.h
1d31ef
--- openssh-7.4p1/monitor_wrap.h.audit-race	2017-02-09 14:07:56.870994116 +0100
1d31ef
+++ openssh-7.4p1/monitor_wrap.h	2017-02-09 14:07:56.874994112 +0100
1d31ef
@@ -80,6 +80,8 @@ void mm_audit_unsupported_body(int);
f8987c
 void mm_audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t);
f8987c
 void mm_audit_session_key_free_body(int, pid_t, uid_t);
f8987c
 void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t);
f8987c
+int mm_forward_audit_messages(int);
f8987c
+void mm_set_monitor_pipe(int);
f8987c
 #endif
f8987c
 
f8987c
 struct Session;
1d31ef
diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
1d31ef
--- openssh-7.4p1/session.c.audit-race	2017-02-09 14:07:56.871994115 +0100
1d31ef
+++ openssh-7.4p1/session.c	2017-02-09 14:09:44.710893783 +0100
1d31ef
@@ -162,6 +162,10 @@ static Session *sessions = NULL;
f8987c
 login_cap_t *lc;
f8987c
 #endif
f8987c
 
f8987c
+#ifdef SSH_AUDIT_EVENTS
f8987c
+int paudit[2];
f8987c
+#endif
f8987c
+
f8987c
 static int is_child = 0;
1d31ef
 static int in_chroot = 0;
f8987c
 static int have_dev_log = 1;
1d31ef
@@ -289,6 +293,8 @@ xauth_valid_string(const char *s)
1d31ef
 	return 1;
1bd961
 }
1bd961
 
1bd961
+void child_destory_sensitive_data();
1bd961
+
1bd961
 #define USE_PIPES 1
1bd961
 /*
1bd961
  * This is called to fork and execute a command when we have no tty.  This
1d31ef
@@ -424,6 +430,8 @@ do_exec_no_pty(Session *s, const char *c
1bd961
 		cray_init_job(s->pw); /* set up cray jid and tmpdir */
1bd961
 #endif
1bd961
 
1bd961
+		child_destory_sensitive_data();
1bd961
+
1bd961
 		/* Do processing for the child (exec command etc). */
1bd961
 		do_child(s, command);
1bd961
 		/* NOTREACHED */
1d31ef
@@ -547,6 +555,9 @@ do_exec_pty(Session *s, const char *comm
1bd961
 		/* Close the extra descriptor for the pseudo tty. */
1bd961
 		close(ttyfd);
1bd961
 
1bd961
+		/* Do this early, so we will not block large MOTDs */
1bd961
+		child_destory_sensitive_data();
1bd961
+
1bd961
 		/* record login, etc. similar to login(1) */
1d31ef
 #ifdef _UNICOS
1d31ef
 		cray_init_job(s->pw); /* set up cray jid and tmpdir */
1d31ef
@@ -717,6 +728,8 @@ do_exec(Session *s, const char *command)
f8987c
 	}
f8987c
 	if (s->command != NULL && s->ptyfd == -1)
f8987c
 		s->command_handle = PRIVSEP(audit_run_command(s->command));
f8987c
+	if (pipe(paudit) < 0)
f8987c
+		fatal("pipe: %s", strerror(errno));
f8987c
 #endif
f8987c
 	if (s->ttyfd != -1)
f8987c
 		ret = do_exec_pty(s, command);
1d31ef
@@ -732,6 +745,20 @@ do_exec(Session *s, const char *command)
f8987c
 	 */
f8987c
 	buffer_clear(&loginmsg);
f8987c
 
f8987c
+#ifdef SSH_AUDIT_EVENTS
f8987c
+	close(paudit[1]);
f8987c
+	if (use_privsep && ret == 0) {
f8987c
+		/*
f8987c
+		 * Read the audit messages from forked child and send them
f8987c
+		 * back to monitor. We don't want to communicate directly,
f8987c
+		 * because the messages might get mixed up.
f8987c
+		 * Continue after the pipe gets closed (all messages sent).
f8987c
+		 */
f8987c
+		ret = mm_forward_audit_messages(paudit[0]);
f8987c
+	}
f8987c
+	close(paudit[0]);
f8987c
+#endif /* SSH_AUDIT_EVENTS */
f8987c
+
f8987c
 	return ret;
f8987c
 }
f8987c
 
1d31ef
@@ -1542,6 +1569,33 @@ child_close_fds(void)
1bd961
 	endpwent();
1bd961
 }
f8987c
 
1bd961
+void
1bd961
+child_destory_sensitive_data()
1bd961
+{
f8987c
+#ifdef SSH_AUDIT_EVENTS
1bd961
+	int pparent = paudit[1];
f8987c
+	close(paudit[0]);
f8987c
+	/* Hack the monitor pipe to avoid race condition with parent */
f8987c
+	if (use_privsep)
1bd961
+		mm_set_monitor_pipe(pparent);
f8987c
+#endif
f8987c
+
1bd961
+	/* remove hostkey from the child's memory */
f8987c
+	destroy_sensitive_data(use_privsep);
f8987c
+	/*
f8987c
+	 * We can audit this, because we hacked the pipe to direct the
f8987c
+	 * messages over postauth child. But this message requires answer
f8987c
+	 * which we can't do using one-way pipe.
f8987c
+	 */
1bd961
+	packet_destroy_all(0, 1);
1bd961
+
f8987c
+#ifdef SSH_AUDIT_EVENTS
f8987c
+	/* Notify parent that we are done */
1bd961
+	close(pparent);
f8987c
+#endif
f8987c
+
1bd961
+}
1bd961
+
1bd961
 /*
1bd961
  * Performs common processing for the child, such as setting up the
1bd961
  * environment, closing extra file descriptors, setting the user and group
1d31ef
@@ -1558,12 +1612,6 @@ do_child(Session *s, const char *command
1bd961
 	struct passwd *pw = s->pw;
1bd961
 	int r = 0;
1bd961
 
1bd961
-	/* remove hostkey from the child's memory */
1bd961
-	destroy_sensitive_data(1);
1bd961
-	/* Don't audit this - both us and the parent would be talking to the
1bd961
-	   monitor over a single socket, with no synchronization. */
1bd961
-	packet_destroy_all(0, 1);
1bd961
-
f8987c
 	/* Force a password change */
f8987c
 	if (s->authctxt->force_pwchange) {
f8987c
 		do_setusercontext(pw);