diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-02-03 11:01:30 +0100 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-02-06 10:45:55 +0100 |
commit | cde07a93953ec678d45b873e02e51810448a776a (patch) | |
tree | 1000be05cda48bc83c48c5c482e432ec8a446cfe | |
parent | ff0bff80783d049ad584e9a0497350211770f138 (diff) | |
download | meta-enea-bsp-ppc-cde07a93953ec678d45b873e02e51810448a776a.tar.gz |
kernel: CVE-2017-5551
S_ISGD is not cleared when setting posix ACLs in tmpfs (CVE-2016-7097 incomplete fix)
It was found that fix for CVE-2016-7097 was incomplete as it missed tmpfs.
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5551
Reference to upstream commit (kernel.org 3.12 branch):
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=b0369e53c851f8cd87afd059d360a4f646840c8c
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
-rw-r--r-- | recipes-kernel/linux/files/tmpfs-CVE-2017-5551.patch | 64 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-qoriq_3.12.bbappend | 1 |
2 files changed, 65 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/tmpfs-CVE-2017-5551.patch b/recipes-kernel/linux/files/tmpfs-CVE-2017-5551.patch new file mode 100644 index 0000000..41a90f4 --- /dev/null +++ b/recipes-kernel/linux/files/tmpfs-CVE-2017-5551.patch | |||
@@ -0,0 +1,64 @@ | |||
1 | From b0369e53c851f8cd87afd059d360a4f646840c8c Mon Sep 17 00:00:00 2001 | ||
2 | From: Gu Zheng <guzheng1@huawei.com> | ||
3 | Date: Mon, 9 Jan 2017 09:34:48 +0800 | ||
4 | Subject: [PATCH] tmpfs: clear S_ISGID when setting posix ACLs | ||
5 | |||
6 | commit 497de07d89c1410d76a15bec2bb41f24a2a89f31 upstream. | ||
7 | |||
8 | This change was missed the tmpfs modification in In CVE-2016-7097 | ||
9 | commit 073931017b49 ("posix_acl: Clear SGID bit when setting | ||
10 | file permissions") | ||
11 | It can test by xfstest generic/375, which failed to clear | ||
12 | setgid bit in the following test case on tmpfs: | ||
13 | |||
14 | touch $testfile | ||
15 | chown 100:100 $testfile | ||
16 | chmod 2755 $testfile | ||
17 | _runas -u 100 -g 101 -- setfacl -m u::rwx,g::rwx,o::rwx $testfile | ||
18 | |||
19 | CVE: CVE-2017-5551 | ||
20 | Upstream-Status: Backport | ||
21 | |||
22 | Signed-off-by: Gu Zheng <guzheng1@huawei.com> | ||
23 | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> | ||
24 | Signed-off-by: Jan Kara <jack@suse.cz> | ||
25 | Signed-off-by: Jiri Slaby <jslaby@suse.cz> | ||
26 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
27 | --- | ||
28 | fs/generic_acl.c | 12 +++++++----- | ||
29 | 1 file changed, 7 insertions(+), 5 deletions(-) | ||
30 | |||
31 | diff --git a/fs/generic_acl.c b/fs/generic_acl.c | ||
32 | index b3f3676..7855cfb 100644 | ||
33 | --- a/fs/generic_acl.c | ||
34 | +++ b/fs/generic_acl.c | ||
35 | @@ -82,19 +82,21 @@ generic_acl_set(struct dentry *dentry, const char *name, const void *value, | ||
36 | return PTR_ERR(acl); | ||
37 | } | ||
38 | if (acl) { | ||
39 | + struct posix_acl *old_acl; | ||
40 | + | ||
41 | error = posix_acl_valid(acl); | ||
42 | if (error) | ||
43 | goto failed; | ||
44 | switch (type) { | ||
45 | case ACL_TYPE_ACCESS: | ||
46 | - error = posix_acl_equiv_mode(acl, &inode->i_mode); | ||
47 | + old_acl = acl; | ||
48 | + error = posix_acl_update_mode(inode, &inode->i_mode, | ||
49 | + &acl); | ||
50 | if (error < 0) | ||
51 | goto failed; | ||
52 | + if (!acl) | ||
53 | + posix_acl_release(old_acl); | ||
54 | inode->i_ctime = CURRENT_TIME; | ||
55 | - if (error == 0) { | ||
56 | - posix_acl_release(acl); | ||
57 | - acl = NULL; | ||
58 | - } | ||
59 | break; | ||
60 | case ACL_TYPE_DEFAULT: | ||
61 | if (!S_ISDIR(inode->i_mode)) { | ||
62 | -- | ||
63 | 1.9.1 | ||
64 | |||
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bbappend b/recipes-kernel/linux/linux-qoriq_3.12.bbappend index 7689676..703bdc0 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bbappend +++ b/recipes-kernel/linux/linux-qoriq_3.12.bbappend | |||
@@ -11,5 +11,6 @@ SRC_URI += "file://ppp-CVE-2015-8569.patch \ | |||
11 | file://CVE-2016-6480.patch \ | 11 | file://CVE-2016-6480.patch \ |
12 | file://ring-buffer-CVE-2016-9754.patch \ | 12 | file://ring-buffer-CVE-2016-9754.patch \ |
13 | file://tmpfs-CVE-2016-7097.patch \ | 13 | file://tmpfs-CVE-2016-7097.patch \ |
14 | file://tmpfs-CVE-2017-5551.patch \ | ||
14 | " | 15 | " |
15 | 16 | ||