author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-26 13:43:35 +0200 |
---|---|---|
committer | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-26 13:43:35 +0200 |
commit | fd3325b122c8985bc6d0e349e1aee278b56e2d73 (patch) | |
tree | 18fe40001b13186fae8ca14e26c2ea45a18cb5bf | |
parent | 9d79a74903e810c7fbaf80000f4dea85f33de202 (diff) | |
download | enea-kernel-cache-fd3325b122c8985bc6d0e349e1aee278b56e2d73.tar.gz |
CVE-2018-13405
Fix up non-directory creation in SGID directories
Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=d2c7c52431819aa05d76fae77bb3f95dd0955da1
Change-Id: Iea3f9c36876310831666a0179be73e20916e590f
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
-rw-r--r-- | patches/cve/4.9.x.scc | 3 | ||||
-rw-r--r-- | patches/cve/CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch | 52 |
2 files changed, 55 insertions, 0 deletions
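--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -18,3 +18,6 @@ SRC_URI += "file://CVE-2018-13406-video-uvesafb-Fix-integer-overflow-in-allocati
 
 #CVEs fixed in 4.9.112:
 SRC_URI += "file://CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch"
+
+#CVEs fixed in 4.9.113:
+SRC_URI += "file://CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch"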
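--- /dev/null
+++ b/patches/cve/CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch
@@ -0,0 +1,52 @@
+From d2c7c52431819aa05d76fae77bb3f95dd0955da1 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue, 3 Jul 2018 17:10:19 -0700
+Subject: [PATCH] Fix up non-directory creation in SGID directories
+
+commit 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 upstream.
+
+sgid directories have special semantics, making newly created files in
+the directory belong to the group of the directory, and newly created
+subdirectories will also become sgid. This is historically used for
+group-shared directories.
+
+But group directories writable by non-group members should not imply
+that such non-group members can magically join the group, so make sure
+to clear the sgid bit on non-directories for non-members (but remember
+that sgid without group execute means "mandatory locking", just to
+confuse things even more).
+
+CVE: CVE-2018-13405
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=d2c7c52431819aa05d76fae77bb3f95dd0955da1]
+
+Reported-by: Jann Horn <jannh@google.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+fs/inode.c | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/fs/inode.c b/fs/inode.c
+index 920aa0b1c6b0..2071ff5343c5 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -2003,8 +2003,14 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
+inode->i_uid = current_fsuid();
+if (dir && dir->i_mode & S_ISGID) {
+inode->i_gid = dir->i_gid;
++
++ /* Directories are special, and always inherit S_ISGID */
+if (S_ISDIR(mode))
+mode |= S_ISGID;
++ else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
++ !in_group_p(inode->i_gid) &&
++ !capable_wrt_inode_uidgid(dir, CAP_FSETID))
++ mode &= ~S_ISGID;
+} else
+inode->i_gid = current_fsgid();
+inode->i_mode = mode;
+
+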
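Review bot: The added `else if` branch in inode_init_owner() tests `S_ISGID` and `S_IXGRP` together but carries no comment saying why, while the reason appears only in the commit message (sgid without group execute means mandatory locking). I would put `/* S_ISGID without S_IXGRP marks mandatory locking, not setgid: leave that case alone */` above the branch so the mask is not later reduced to a bare `S_ISGID` test. The stripping also sits only in this helper, so a filesystem that fills in `i_gid` and `i_mode` for a new inode without calling inode_init_owner() would presumably not get it; that cannot be confirmed from this hunk and is worth checking for the filesystems enabled in the 4.9 build. The function body begins and ends outside the hunk.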