rutwa189 / rpms / openssh

Forked from rpms/openssh a year ago
Clone

Blame SOURCES/openssh-6.6p1-audit-race-condition.patch

f8987c
diff -up openssh-6.6p1/monitor_wrap.c.audit-race openssh-6.6p1/monitor_wrap.c
f8987c
--- openssh-6.6p1/monitor_wrap.c.audit-race	2016-02-23 13:43:59.958203930 +0100
f8987c
+++ openssh-6.6p1/monitor_wrap.c	2016-02-23 13:43:59.959203930 +0100
f8987c
@@ -1456,4 +1456,31 @@ mm_audit_destroy_sensitive_data(const ch
f8987c
 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
f8987c
 	buffer_free(&m);
f8987c
 }
f8987c
+
f8987c
+int mm_forward_audit_messages(int fdin)
f8987c
+{
f8987c
+	static char fb[256];
f8987c
+	size_t fblen;
f8987c
+	do {
f8987c
+		fblen = atomicio(read, fdin, fb, sizeof(fb));
f8987c
+		if (fblen == 0) {
f8987c
+			// atomicio read returns EPIPE also with EOF
f8987c
+			if (errno != EPIPE) {
f8987c
+				error("%s: Failed to read the messages from child", __func__);
f8987c
+				return -1;
f8987c
+			}
f8987c
+			return 0;
f8987c
+		}
f8987c
+		fblen = atomicio(vwrite, pmonitor->m_recvfd, fb, fblen);
f8987c
+		if (fblen == 0 && errno != EPIPE) {
f8987c
+			error("%s: Failed to pass the messages to the monitor", __func__);
f8987c
+			return -1;
f8987c
+		}
f8987c
+	} while(fblen > 0);
f8987c
+	return 0;
f8987c
+}
f8987c
+void mm_set_monitor_pipe(int fd)
f8987c
+{
f8987c
+	pmonitor->m_recvfd = fd;
f8987c
+}
f8987c
 #endif /* SSH_AUDIT_EVENTS */
f8987c
diff -up openssh-6.6p1/monitor_wrap.h.audit-race openssh-6.6p1/monitor_wrap.h
f8987c
--- openssh-6.6p1/monitor_wrap.h.audit-race	2016-02-23 13:43:59.958203930 +0100
f8987c
+++ openssh-6.6p1/monitor_wrap.h	2016-02-23 13:43:59.959203930 +0100
f8987c
@@ -86,6 +86,8 @@ void mm_audit_unsupported_body(int);
f8987c
 void mm_audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t);
f8987c
 void mm_audit_session_key_free_body(int, pid_t, uid_t);
f8987c
 void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t);
f8987c
+int mm_forward_audit_messages(int);
f8987c
+void mm_set_monitor_pipe(int);
f8987c
 #endif
f8987c
 
f8987c
 struct Session;
f8987c
diff -up openssh-6.6p1/session.c.audit-race openssh-6.6p1/session.c
f8987c
--- openssh-6.6p1/session.c.audit-race	2016-02-23 13:43:59.954203931 +0100
f8987c
+++ openssh-6.6p1/session.c	2016-02-23 13:45:14.758194058 +0100
f8987c
@@ -158,6 +159,10 @@ static Session *sessions = NULL;
f8987c
 login_cap_t *lc;
f8987c
 #endif
f8987c
 
f8987c
+#ifdef SSH_AUDIT_EVENTS
f8987c
+int paudit[2];
f8987c
+#endif
f8987c
+
f8987c
 static int is_child = 0;
f8987c
 
f8987c
 static int have_dev_log = 1;
f8987c
@@ -891,6 +896,8 @@ do_exec(Session *s, const char *command)
f8987c
 	}
f8987c
 	if (s->command != NULL && s->ptyfd == -1)
f8987c
 		s->command_handle = PRIVSEP(audit_run_command(s->command));
f8987c
+	if (pipe(paudit) < 0)
f8987c
+		fatal("pipe: %s", strerror(errno));
f8987c
 #endif
f8987c
 	if (s->ttyfd != -1)
f8987c
 		ret = do_exec_pty(s, command);
f8987c
@@ -906,6 +913,20 @@ do_exec(Session *s, const char *command)
f8987c
 	 */
f8987c
 	buffer_clear(&loginmsg);
f8987c
 
f8987c
+#ifdef SSH_AUDIT_EVENTS
f8987c
+	close(paudit[1]);
f8987c
+	if (use_privsep && ret == 0) {
f8987c
+		/*
f8987c
+		 * Read the audit messages from forked child and send them
f8987c
+		 * back to monitor. We don't want to communicate directly,
f8987c
+		 * because the messages might get mixed up.
f8987c
+		 * Continue after the pipe gets closed (all messages sent).
f8987c
+		 */
f8987c
+		ret = mm_forward_audit_messages(paudit[0]);
f8987c
+	}
f8987c
+	close(paudit[0]);
f8987c
+#endif /* SSH_AUDIT_EVENTS */
f8987c
+
f8987c
 	return ret;
f8987c
 }
f8987c
 
f8987c
@@ -1718,12 +1739,27 @@ do_child(Session *s, const char *command
f8987c
 	struct passwd *pw = s->pw;
f8987c
 	int r = 0;
f8987c
 
f8987c
+#ifdef SSH_AUDIT_EVENTS
f8987c
+	close(paudit[0]);
f8987c
+	/* Hack the monitor pipe to avoid race condition with parent */
f8987c
+	if (use_privsep)
f8987c
+		mm_set_monitor_pipe(paudit[1]);
f8987c
+#endif
f8987c
+
f8987c
 	/* remove hostkey from the child's memory */
f8987c
-	destroy_sensitive_data(1);
f8987c
-	/* Don't audit this - both us and the parent would be talking to the
f8987c
-	   monitor over a single socket, with no synchronization. */
f8987c
+	destroy_sensitive_data(use_privsep);
f8987c
+	/*
f8987c
+	 * We can audit this, because we hacked the pipe to direct the
f8987c
+	 * messages over postauth child. But this message requires answer
f8987c
+	 * which we can't do using one-way pipe.
f8987c
+	 */
f8987c
 	packet_destroy_all(0, 1);
f8987c
 
f8987c
+#ifdef SSH_AUDIT_EVENTS
f8987c
+	/* Notify parent that we are done */
f8987c
+	close(paudit[1]);
f8987c
+#endif
f8987c
+
f8987c
 	/* Force a password change */
f8987c
 	if (s->authctxt->force_pwchange) {
f8987c
 		do_setusercontext(pw);