linux-cavium: CVE-2017-5551

S_ISGD is not cleared when setting posix ACLs in tmpfs (CVE-2016-7097 incomplete fix)

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5551

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>

2 files changed, 54 insertions, 0 deletions

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-5551.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-5551.patch
new file mode 100644
index 0000000..3865b5a
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-5551.patch
@@ -0,0 +1,53 @@
+From 782b361c93062f083bbc9a78928498218f950399 Mon Sep 17 00:00:00 2001
+From: Gu Zheng <guzheng1@huawei.com>
+Date: Mon, 9 Jan 2017 09:34:48 +0800
+Subject: [PATCH] tmpfs: clear S_ISGID when setting posix ACLs
+
+commit 497de07d89c1410d76a15bec2bb41f24a2a89f31 upstream.
+
+This change was missed the tmpfs modification in In CVE-2016-7097
+commit 073931017b49 ("posix_acl: Clear SGID bit when setting
+file permissions")
+It can test by xfstest generic/375, which failed to clear
+setgid bit in the following test case on tmpfs:
+
+  touch $testfile
+  chown 100:100 $testfile
+  chmod 2755 $testfile
+  _runas -u 100 -g 101 -- setfacl -m u::rwx,g::rwx,o::rwx $testfile
+
+CVE: CVE-2017-5551
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+
+Signed-off-by: Gu Zheng <guzheng1@huawei.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Brad Spengler <spender@grsecurity.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/posix_acl.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/fs/posix_acl.c b/fs/posix_acl.c
+index 5955220..c9d48dc 100644
+--- a/fs/posix_acl.c
++++ b/fs/posix_acl.c
+@@ -922,11 +922,10 @@ int simple_set_acl(struct inode *inode, struct posix_acl *acl, int type)
+        int error;
+ 
+        if (type == ACL_TYPE_ACCESS) {
+-               error = posix_acl_equiv_mode(acl, &inode->i_mode);
+-               if (error < 0)
+-                       return 0;
+-               if (error == 0)
+-                       acl = NULL;
++               error = posix_acl_update_mode(inode,
++                               &inode->i_mode, &acl);
++               if (error)
++                       return error;
+        }
+ 
+        inode->i_ctime = current_time(inode);
+-- 
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index c3e0f33..cc3e666 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -17,6 +17,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
            file://dts \
            file://CVE-2016-10154.patch \
            file://CVE-2016-10208.patch \
+           file://CVE-2017-5551.patch \
            file://CVE-2017-7487.patch \
            file://CVE-2017-7618.patch \
            file://CVE-2017-7645.patch \