ovl: fix permission checking for setattr (CVE-2015-8660)
This commit is contained in:
Salvatore Bonaccorso
parent
8571d54a8b
commit
d6b9e3f082
|
|
@ -1,7 +1,11 @@
|
|||
linux (4.3.3-3) UNRELEASED; urgency=medium
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* [ppc64*] drm: Enable DRM_AST as module (Closes: #808338)
|
||||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* ovl: fix permission checking for setattr (CVE-2015-8660)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Fri, 18 Dec 2015 20:19:24 +0000
|
||||
|
||||
linux (4.3.3-2) unstable; urgency=medium
|
||||
|
|
|
|||
|
|
@ -0,0 +1,46 @@
|
|||
From: Miklos Szeredi <miklos@szeredi.hu>
|
||||
Date: Fri, 4 Dec 2015 19:18:48 +0100
|
||||
Subject: ovl: fix permission checking for setattr
|
||||
Origin: https://git.kernel.org/linus/acff81ec2c79492b180fade3c2894425cd35a545
|
||||
|
||||
[Al Viro] The bug is in being too enthusiastic about optimizing ->setattr()
|
||||
away - instead of "copy verbatim with metadata" + "chmod/chown/utimes"
|
||||
(with the former being always safe and the latter failing in case of
|
||||
insufficient permissions) it tries to combine these two. Note that copyup
|
||||
itself will have to do ->setattr() anyway; _that_ is where the elevated
|
||||
capabilities are right. Having these two ->setattr() (one to set verbatim
|
||||
copy of metadata, another to do what overlayfs ->setattr() had been asked
|
||||
to do in the first place) combined is where it breaks.
|
||||
|
||||
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||||
---
|
||||
fs/overlayfs/inode.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
|
||||
index ec0c2a0..9612849 100644
|
||||
--- a/fs/overlayfs/inode.c
|
||||
+++ b/fs/overlayfs/inode.c
|
||||
@@ -49,13 +49,13 @@ int ovl_setattr(struct dentry *dentry, struct iattr *attr)
|
||||
if (err)
|
||||
goto out;
|
||||
|
||||
- upperdentry = ovl_dentry_upper(dentry);
|
||||
- if (upperdentry) {
|
||||
+ err = ovl_copy_up(dentry);
|
||||
+ if (!err) {
|
||||
+ upperdentry = ovl_dentry_upper(dentry);
|
||||
+
|
||||
mutex_lock(&upperdentry->d_inode->i_mutex);
|
||||
err = notify_change(upperdentry, attr, NULL);
|
||||
mutex_unlock(&upperdentry->d_inode->i_mutex);
|
||||
- } else {
|
||||
- err = ovl_copy_up_last(dentry, attr, false);
|
||||
}
|
||||
ovl_drop_write(dentry);
|
||||
out:
|
||||
--
|
||||
2.6.4
|
||||
|
||||
|
|
@ -105,3 +105,4 @@ bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch
|
|||
bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch
|
||||
bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch
|
||||
debian/armhf-sparc64-force-zone_dma-to-be-enabled.patch
|
||||
bugfix/all/ovl-fix-permission-checking-for-setattr.patch
|
||||
|
|
|
|||
Loading…
Reference in New Issue