From 894bce5eff9262bb5376640409580c37bdc081c3 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Fri, 29 Sep 2017 12:27:59 +0200 Subject: linux-cavium: CVE-2017-5551 S_ISGID is not cleared when setting posix ACLs in tmpfs (CVE-2016-7097 incomplete fix) Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5551 Signed-off-by: Sona Sarmadi Signed-off-by: Adrian Dudau --- .../linux/linux-cavium/CVE-2017-5551.patch | 53 ++++++++++++++++++++++ recipes-kernel/linux/linux-cavium_4.9.inc | 1 + 2 files changed, 54 insertions(+) create mode 100644 recipes-kernel/linux/linux-cavium/CVE-2017-5551.patch diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-5551.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-5551.patch new file mode 100644 index 0000000..3865b5a --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-5551.patch 
@@ -0,0 +1,53 @@ +From 782b361c93062f083bbc9a78928498218f950399 Mon Sep 17 00:00:00 2001 +From: Gu Zheng +Date: Mon, 9 Jan 2017 09:34:48 +0800 +Subject: [PATCH] tmpfs: clear S_ISGID when setting posix ACLs + +commit 497de07d89c1410d76a15bec2bb41f24a2a89f31 upstream. + +This change was missed the tmpfs modification in In CVE-2016-7097 +commit 073931017b49 ("posix_acl: Clear SGID bit when setting +file permissions") +It can test by xfstest generic/375, which failed to clear +setgid bit in the following test case on tmpfs: + + touch $testfile + chown 100:100 $testfile + chmod 2755 $testfile + _runas -u 100 -g 101 -- setfacl -m u::rwx,g::rwx,o::rwx $testfile + +CVE: CVE-2017-5551 +Upstream-Status: Backport [from kernel.org longterm 4.9.52] + +Signed-off-by: Gu Zheng +Signed-off-by: Al Viro +Cc: Brad Spengler +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sona Sarmadi +--- + fs/posix_acl.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/fs/posix_acl.c b/fs/posix_acl.c +index 5955220..c9d48dc 100644 +--- a/fs/posix_acl.c ++++ b/fs/posix_acl.c +@@ -922,11 +922,10 @@ int simple_set_acl(struct inode *inode, struct posix_acl *acl, int type) + int error; + + if (type == ACL_TYPE_ACCESS) { +- error = posix_acl_equiv_mode(acl, &inode->i_mode); +- if (error < 0) +- return 0; +- if (error == 0) +- acl = NULL; ++ error = posix_acl_update_mode(inode, ++ &inode->i_mode, &acl); ++ if (error) ++ return error; + } + + inode->i_ctime = current_time(inode); +-- +1.9.1 + diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index c3e0f33..cc3e666 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc 
@@ -17,6 +17,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi file://dts \ file://CVE-2016-10154.patch \ file://CVE-2016-10208.patch \ + file://CVE-2017-5551.patch \ file://CVE-2017-7487.patch \ file://CVE-2017-7618.patch \ file://CVE-2017-7645.patch \ -- cgit v1.2.3-54-g00ecf
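Review bot: in the fs/posix_acl.c hunk carried by CVE-2017-5551.patch, the removed code swallowed failures from posix_acl_equiv_mode() with `if (error < 0) return 0;` and never touched the setgid bit, whereas the backported `error = posix_acl_update_mode(inode, &inode->i_mode, &acl); if (error) return error;` both propagates the error to the caller and, as the patch subject says, clears S_ISGID for a caller that, like the uid 100/gid 101 runner in the quoted xfstests case, is not in the file's group. posix_acl_update_mode() comes from the CVE-2016-7097 commit 073931017b49 that the message cites, so confirm that commit is already present in the linux-cavium 4.9 tree (the SRC_URI context shown does not list a CVE-2016-7097 patch); without it simple_set_acl() will not compile. The generic/375 sequence quoted in the header (touch, chown 100:100, chmod 2755, setfacl as uid 100/gid 101) is the regression check to run against the built kernel: the file must come out without the setgid bit.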
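Review bot: in the linux-cavium_4.9.inc hunk, the new `file://CVE-2017-5551.patch \` entry keeps the SRC_URI patch list in order between CVE-2016-10208 and CVE-2017-7487, consistent with the surrounding entries, but note that the patch's `index 5955220..c9d48dc` comes from the kernel.org 4.9.52 longterm tree rather than the Cavium fork, so verify that it applies cleanly at the recipe's pinned SRCREV rather than relying on fuzz. The `CVE: CVE-2017-5551` and `Upstream-Status: Backport [from kernel.org longterm 4.9.52]` tags in the patch header are what allow cve-check to report this CVE as patched for the recipe; keep them intact if the patch is regenerated.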