CVE-2018-13405

Fix up non-directory creation in SGID directories Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=d2c7c52431819aa05d76fae77bb3f95dd0955da1 Change-Id: Iea3f9c36876310831666a0179be73e20916e590f Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-10-26 13:43:35 +0200
committer: Andreas Wellving <andreas.wellving@enea.com> 2018-10-26 13:43:35 +0200
commit: fd3325b122c8985bc6d0e349e1aee278b56e2d73 (patch)
tree: 18fe40001b13186fae8ca14e26c2ea45a18cb5bf
parent: 9d79a74903e810c7fbaf80000f4dea85f33de202 (diff)
download: enea-kernel-cache-fd3325b122c8985bc6d0e349e1aee278b56e2d73.tar.gz
2 files changed, 55 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index c9bec68..65206d1 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -18,3 +18,6 @@ SRC_URI += "file://CVE-2018-13406-video-uvesafb-Fix-integer-overflow-in-allocati
 #CVEs fixed in 4.9.112:
 SRC_URI += "file://CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch"
+#CVEs fixed in 4.9.113:
+SRC_URI += "file://CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch"
diff --git a/patches/cve/CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch b/patches/cve/CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch
new file mode 100644
index 0000000..17bd471
--- /dev/null
+++ b/patches/cve/CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch
@@ -0,0 +1,52 @@
+From d2c7c52431819aa05d76fae77bb3f95dd0955da1 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue, 3 Jul 2018 17:10:19 -0700
+Subject: [PATCH] Fix up non-directory creation in SGID directories
+commit 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 upstream.
+sgid directories have special semantics, making newly created files in
+the directory belong to the group of the directory, and newly created
+subdirectories will also become sgid.  This is historically used for
+group-shared directories.
+But group directories writable by non-group members should not imply
+that such non-group members can magically join the group, so make sure
+to clear the sgid bit on non-directories for non-members (but remember
+that sgid without group execute means "mandatory locking", just to
+confuse things even more).
+CVE: CVE-2018-13405
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=d2c7c52431819aa05d76fae77bb3f95dd0955da1]
+Reported-by: Jann Horn <jannh@google.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/fs/inode.c b/fs/inode.c
+index 920aa0b1c6b0..2071ff5343c5 100644
+--- a/fs/inode.c
+++ b/fs/inode.c
+@@ -2003,8 +2003,14 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
+        inode->i_uid = current_fsuid();
+        if (dir && dir->i_mode & S_ISGID) {
+                inode->i_gid = dir->i_gid;
+
+               /* Directories are special, and always inherit S_ISGID */
+                if (S_ISDIR(mode))
+                        mode |= S_ISGID;
+               else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
+                        !in_group_p(inode->i_gid) &&
+                        !capable_wrt_inode_uidgid(dir, CAP_FSETID))
+                       mode &= ~S_ISGID;
+        } else
+                inode->i_gid = current_fsgid();
+        inode->i_mode = mode;
author	Andreas Wellving <andreas.wellving@enea.com>	2018-10-26 13:43:35 +0200
committer	Andreas Wellving <andreas.wellving@enea.com>	2018-10-26 13:43:35 +0200
commit	fd3325b122c8985bc6d0e349e1aee278b56e2d73 (patch)
tree	18fe40001b13186fae8ca14e26c2ea45a18cb5bf
parent	9d79a74903e810c7fbaf80000f4dea85f33de202 (diff)
download	enea-kernel-cache-fd3325b122c8985bc6d0e349e1aee278b56e2d73.tar.gz

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index c9bec68..65206d1 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc
@@ -18,3 +18,6 @@ SRC_URI += "file://CVE-2018-13406-video-uvesafb-Fix-integer-overflow-in-allocati
18		18
19	#CVEs fixed in 4.9.112:	19	#CVEs fixed in 4.9.112:
20	SRC_URI += "file://CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch"	20	SRC_URI += "file://CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch"
		21
		22	#CVEs fixed in 4.9.113:
		23	SRC_URI += "file://CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch"


diff --git a/patches/cve/CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch b/patches/cve/CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch new file mode 100644 index 0000000..17bd471 --- /dev/null +++ b/patches/cve/CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch
@@ -0,0 +1,52 @@
		1	From d2c7c52431819aa05d76fae77bb3f95dd0955da1 Mon Sep 17 00:00:00 2001
		2	From: Linus Torvalds <torvalds@linux-foundation.org>
		3	Date: Tue, 3 Jul 2018 17:10:19 -0700
		4	Subject: [PATCH] Fix up non-directory creation in SGID directories
		5
		6	commit 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 upstream.
		7
		8	sgid directories have special semantics, making newly created files in
		9	the directory belong to the group of the directory, and newly created
		10	subdirectories will also become sgid. This is historically used for
		11	group-shared directories.
		12
		13	But group directories writable by non-group members should not imply
		14	that such non-group members can magically join the group, so make sure
		15	to clear the sgid bit on non-directories for non-members (but remember
		16	that sgid without group execute means "mandatory locking", just to
		17	confuse things even more).
		18
		19	CVE: CVE-2018-13405
		20	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=d2c7c52431819aa05d76fae77bb3f95dd0955da1]
		21
		22	Reported-by: Jann Horn <jannh@google.com>
		23	Cc: Andy Lutomirski <luto@kernel.org>
		24	Cc: Al Viro <viro@zeniv.linux.org.uk>
		25	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
		26	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		27	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		28	---
		29	fs/inode.c \| 6 ++++++
		30	1 file changed, 6 insertions(+)
		31
		32	diff --git a/fs/inode.c b/fs/inode.c
		33	index 920aa0b1c6b0..2071ff5343c5 100644
		34	--- a/fs/inode.c
		35	+++ b/fs/inode.c
		36	@@ -2003,8 +2003,14 @@ void inode_init_owner(struct inode inode, const struct inode dir,
		37	inode->i_uid = current_fsuid();
		38	if (dir && dir->i_mode & S_ISGID) {
		39	inode->i_gid = dir->i_gid;
		40	+
		41	+ /* Directories are special, and always inherit S_ISGID */
		42	if (S_ISDIR(mode))
		43	mode \|= S_ISGID;
		44	+ else if ((mode & (S_ISGID \| S_IXGRP)) == (S_ISGID \| S_IXGRP) &&
		45	+ !in_group_p(inode->i_gid) &&
		46	+ !capable_wrt_inode_uidgid(dir, CAP_FSETID))
		47	+ mode &= ~S_ISGID;
		48	} else
		49	inode->i_gid = current_fsgid();
		50	inode->i_mode = mode;
		51
		52