kernel: CVE-2017-5551

S_ISGD is not cleared when setting posix ACLs in tmpfs (CVE-2016-7097 incomplete fix) It was found that fix for CVE-2016-7097 was incomplete as it missed tmpfs. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5551 Reference to upstream commit (kernel.org 3.12 branch): https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=b0369e53c851f8cd87afd059d360a4f646840c8c Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-02-03 11:01:30 +0100
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-02-06 10:45:55 +0100
commit: cde07a93953ec678d45b873e02e51810448a776a (patch)
tree: 1000be05cda48bc83c48c5c482e432ec8a446cfe
parent: ff0bff80783d049ad584e9a0497350211770f138 (diff)
download: meta-enea-bsp-ppc-cde07a93953ec678d45b873e02e51810448a776a.tar.gz
2 files changed, 65 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/tmpfs-CVE-2017-5551.patch b/recipes-kernel/linux/files/tmpfs-CVE-2017-5551.patch
new file mode 100644
index 0000000..41a90f4
--- /dev/null
+++ b/recipes-kernel/linux/files/tmpfs-CVE-2017-5551.patch
@@ -0,0 +1,64 @@
+From b0369e53c851f8cd87afd059d360a4f646840c8c Mon Sep 17 00:00:00 2001
+From: Gu Zheng <guzheng1@huawei.com>
+Date: Mon, 9 Jan 2017 09:34:48 +0800
+Subject: [PATCH] tmpfs: clear S_ISGID when setting posix ACLs
+commit 497de07d89c1410d76a15bec2bb41f24a2a89f31 upstream.
+This change was missed the tmpfs modification in In CVE-2016-7097
+commit 073931017b49 ("posix_acl: Clear SGID bit when setting
+file permissions")
+It can test by xfstest generic/375, which failed to clear
+setgid bit in the following test case on tmpfs:
+  touch $testfile
+  chown 100:100 $testfile
+  chmod 2755 $testfile
+  _runas -u 100 -g 101 -- setfacl -m u::rwx,g::rwx,o::rwx $testfile
+CVE: CVE-2017-5551
+Upstream-Status: Backport
+Signed-off-by: Gu Zheng <guzheng1@huawei.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/generic_acl.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+diff --git a/fs/generic_acl.c b/fs/generic_acl.c
+index b3f3676..7855cfb 100644
+--- a/fs/generic_acl.c
+++ b/fs/generic_acl.c
+@@ -82,19 +82,21 @@ generic_acl_set(struct dentry *dentry, const char *name, const void *value,
+                        return PTR_ERR(acl);
+        }
+        if (acl) {
+               struct posix_acl *old_acl;
+
+                error = posix_acl_valid(acl);
+                if (error)
+                        goto failed;
+                switch (type) {
+                case ACL_TYPE_ACCESS:
+-                       error = posix_acl_equiv_mode(acl, &inode->i_mode);
+                       old_acl = acl;
+                       error = posix_acl_update_mode(inode, &inode->i_mode,
+                                                     &acl);
+                        if (error < 0)
+                                goto failed;
+                       if (!acl)
+                               posix_acl_release(old_acl);
+                        inode->i_ctime = CURRENT_TIME;
+-                       if (error == 0) {
+-                               posix_acl_release(acl);
+-                               acl = NULL;
+-                       }
+                        break;
+                case ACL_TYPE_DEFAULT:
+                        if (!S_ISDIR(inode->i_mode)) {
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bbappend b/recipes-kernel/linux/linux-qoriq_3.12.bbappend
index 7689676..703bdc0 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bbappend
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bbappend
@@ -11,5 +11,6 @@ SRC_URI += "file://ppp-CVE-2015-8569.patch \
            file://CVE-2016-6480.patch \
            file://ring-buffer-CVE-2016-9754.patch \
            file://tmpfs-CVE-2016-7097.patch \
+            file://tmpfs-CVE-2017-5551.patch \
           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-02-03 11:01:30 +0100
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-02-06 10:45:55 +0100
commit	cde07a93953ec678d45b873e02e51810448a776a (patch)
tree	1000be05cda48bc83c48c5c482e432ec8a446cfe
parent	ff0bff80783d049ad584e9a0497350211770f138 (diff)
download	meta-enea-bsp-ppc-cde07a93953ec678d45b873e02e51810448a776a.tar.gz

diff --git a/recipes-kernel/linux/files/tmpfs-CVE-2017-5551.patch b/recipes-kernel/linux/files/tmpfs-CVE-2017-5551.patch new file mode 100644 index 0000000..41a90f4 --- /dev/null +++ b/recipes-kernel/linux/files/tmpfs-CVE-2017-5551.patch
@@ -0,0 +1,64 @@
		1	From b0369e53c851f8cd87afd059d360a4f646840c8c Mon Sep 17 00:00:00 2001
		2	From: Gu Zheng <guzheng1@huawei.com>
		3	Date: Mon, 9 Jan 2017 09:34:48 +0800
		4	Subject: [PATCH] tmpfs: clear S_ISGID when setting posix ACLs
		5
		6	commit 497de07d89c1410d76a15bec2bb41f24a2a89f31 upstream.
		7
		8	This change was missed the tmpfs modification in In CVE-2016-7097
		9	commit 073931017b49 ("posix_acl: Clear SGID bit when setting
		10	file permissions")
		11	It can test by xfstest generic/375, which failed to clear
		12	setgid bit in the following test case on tmpfs:
		13
		14	touch $testfile
		15	chown 100:100 $testfile
		16	chmod 2755 $testfile
		17	_runas -u 100 -g 101 -- setfacl -m u::rwx,g::rwx,o::rwx $testfile
		18
		19	CVE: CVE-2017-5551
		20	Upstream-Status: Backport
		21
		22	Signed-off-by: Gu Zheng <guzheng1@huawei.com>
		23	Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
		24	Signed-off-by: Jan Kara <jack@suse.cz>
		25	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		26	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		27	---
		28	fs/generic_acl.c \| 12 +++++++-----
		29	1 file changed, 7 insertions(+), 5 deletions(-)
		30
		31	diff --git a/fs/generic_acl.c b/fs/generic_acl.c
		32	index b3f3676..7855cfb 100644
		33	--- a/fs/generic_acl.c
		34	+++ b/fs/generic_acl.c
		35	@@ -82,19 +82,21 @@ generic_acl_set(struct dentry dentry, const char name, const void *value,
		36	return PTR_ERR(acl);
		37	}
		38	if (acl) {
		39	+ struct posix_acl *old_acl;
		40	+
		41	error = posix_acl_valid(acl);
		42	if (error)
		43	goto failed;
		44	switch (type) {
		45	case ACL_TYPE_ACCESS:
		46	- error = posix_acl_equiv_mode(acl, &inode->i_mode);
		47	+ old_acl = acl;
		48	+ error = posix_acl_update_mode(inode, &inode->i_mode,
		49	+ &acl);
		50	if (error < 0)
		51	goto failed;
		52	+ if (!acl)
		53	+ posix_acl_release(old_acl);
		54	inode->i_ctime = CURRENT_TIME;
		55	- if (error == 0) {
		56	- posix_acl_release(acl);
		57	- acl = NULL;
		58	- }
		59	break;
		60	case ACL_TYPE_DEFAULT:
		61	if (!S_ISDIR(inode->i_mode)) {
		62	--
		63	1.9.1
		64


diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bbappend b/recipes-kernel/linux/linux-qoriq_3.12.bbappend index 7689676..703bdc0 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bbappend +++ b/recipes-kernel/linux/linux-qoriq_3.12.bbappend
@@ -11,5 +11,6 @@ SRC_URI += "file://ppp-CVE-2015-8569.patch \
11	file://CVE-2016-6480.patch \	11	file://CVE-2016-6480.patch \
12	file://ring-buffer-CVE-2016-9754.patch \	12	file://ring-buffer-CVE-2016-9754.patch \
13	file://tmpfs-CVE-2016-7097.patch \	13	file://tmpfs-CVE-2016-7097.patch \
		14	file://tmpfs-CVE-2017-5551.patch \
14	"	15	"
15		16