From cde07a93953ec678d45b873e02e51810448a776a Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Fri, 3 Feb 2017 11:01:30 +0100
Subject: kernel: CVE-2017-5551 S_ISGD is not cleared when setting posix ACLs in tmpfs (CVE-2016-7097 incomplete fix) It was found that fix for CVE-2016-7097 was incomplete as it missed tmpfs.
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5551
Reference to upstream commit (kernel.org 3.12 branch): https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=b0369e53c851f8cd87afd059d360a4f646840c8c
Signed-off-by: Sona Sarmadi
Signed-off-by: Adrian Dudau
---
 .../linux/files/tmpfs-CVE-2017-5551.patch | 64 ++++++++++++++++++++++
 recipes-kernel/linux/linux-qoriq_3.12.bbappend | 1 +
 2 files changed, 65 insertions(+)
 create mode 100644 recipes-kernel/linux/files/tmpfs-CVE-2017-5551.patch
diff --git a/recipes-kernel/linux/files/tmpfs-CVE-2017-5551.patch b/recipes-kernel/linux/files/tmpfs-CVE-2017-5551.patch
new file mode 100644
index 0000000..41a90f4
--- /dev/null
+++ b/recipes-kernel/linux/files/tmpfs-CVE-2017-5551.patch
@@ -0,0 +1,64 @@
+From b0369e53c851f8cd87afd059d360a4f646840c8c Mon Sep 17 00:00:00 2001
+From: Gu Zheng
+Date: Mon, 9 Jan 2017 09:34:48 +0800
+Subject: [PATCH] tmpfs: clear S_ISGID when setting posix ACLs
+
+commit 497de07d89c1410d76a15bec2bb41f24a2a89f31 upstream.
+
+This change was missed the tmpfs modification in In CVE-2016-7097
+commit 073931017b49 ("posix_acl: Clear SGID bit when setting
+file permissions")
+It can test by xfstest generic/375, which failed to clear
+setgid bit in the following test case on tmpfs:
+
+ touch $testfile
+ chown 100:100 $testfile
+ chmod 2755 $testfile
+ _runas -u 100 -g 101 -- setfacl -m u::rwx,g::rwx,o::rwx $testfile
+
+CVE: CVE-2017-5551
+Upstream-Status: Backport
+
+Signed-off-by: Gu Zheng
+Signed-off-by: Al Viro
+Signed-off-by: Jan Kara
+Signed-off-by: Jiri Slaby
+Signed-off-by: Sona Sarmadi
+---
+ fs/generic_acl.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/fs/generic_acl.c b/fs/generic_acl.c
+index b3f3676..7855cfb 100644
+--- a/fs/generic_acl.c
++++ b/fs/generic_acl.c
+@@ -82,19 +82,21 @@ generic_acl_set(struct dentry *dentry, const char *name, const void *value,
+ return PTR_ERR(acl);
+ }
+ if (acl) {
++ struct posix_acl *old_acl;
++
+ error = posix_acl_valid(acl);
+ if (error)
+ goto failed;
+ switch (type) {
+ case ACL_TYPE_ACCESS:
+- error = posix_acl_equiv_mode(acl, &inode->i_mode);
++ old_acl = acl;
++ error = posix_acl_update_mode(inode, &inode->i_mode,
++ &acl);
+ if (error < 0)
+ goto failed;
++ if (!acl)
++ posix_acl_release(old_acl);
+ inode->i_ctime = CURRENT_TIME;
+- if (error == 0) {
+- posix_acl_release(acl);
+- acl = NULL;
+- }
+ break;
+ case ACL_TYPE_DEFAULT:
+ if (!S_ISDIR(inode->i_mode)) {
+-- 
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bbappend b/recipes-kernel/linux/linux-qoriq_3.12.bbappend
index 7689676..703bdc0 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bbappend
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bbappend
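Review bot: When posix_acl_update_mode() reports the ACL as mode-equivalent it leaves `acl` NULL after the new `posix_acl_release(old_acl)`, and that NULL then reaches the code after the switch (the cached-ACL store and the `failed:` release), which lies outside the hunk; the removed `acl = NULL` assignment produced the same state, so this looks correct, but confirm that the post-switch path of this 3.12 generic_acl_set still tolerates a NULL acl. The hunk also hands `&inode->i_mode` straight to posix_acl_update_mode() instead of a local `umode_t`, so a failing call must not leave i_mode half-updated; that holds only if the 3.12 backport of the helper stores `*mode_p` after all of its checks pass, which this patch does not show. A one-line comment above the call would make both assumptions visible, e.g. `/* posix_acl_update_mode() writes i_mode only on success and may set acl to NULL */`. generic_acl_set starts and ends outside the hunk.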
@@ -11,5 +11,6 @@ SRC_URI += "file://ppp-CVE-2015-8569.patch \
 file://CVE-2016-6480.patch \
 file://ring-buffer-CVE-2016-9754.patch \
 file://tmpfs-CVE-2016-7097.patch \
+ file://tmpfs-CVE-2017-5551.patch \
 "
-- 
cgit v1.2.3-54-g00ecf
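Review bot: The new patch calls posix_acl_update_mode(), a helper this 3.12 tree presumably only gains from the preceding tmpfs-CVE-2016-7097.patch backport (the commit message describes that fix as incomplete, not absent), and bitbake applies SRC_URI patches in listing order, so the build depends on the new entry staying after that one; nothing in the recipe records this. Bitbake does not accept a comment line inside a continued string, so the note belongs above the `SRC_URI +=` statement rather than between the entries, e.g. `# tmpfs-CVE-2017-5551.patch needs posix_acl_update_mode() from tmpfs-CVE-2016-7097.patch; keep that order`. Keeping the two tmpfs entries adjacent, as they are here, also helps a later reorder avoid breaking the build.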