[kernel] r10111 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Tue Jan 15 23:46:19 UTC 2008


Author: dannf
Date: Tue Jan 15 23:46:19 2008
New Revision: 10111

Log:
* bugfix/vfs-use-access-mode-flag.patch
  [SECURITY] Use the access mode flag instead of the open flag when
  testing access mode for a directory.
  See CVE-2008-0001

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/vfs-use-access-mode-flag.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/17etch1

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Tue Jan 15 23:46:19 2008
@@ -3,8 +3,12 @@
   * bugfix/i4l-isdn_ioctl-mem-overrun.patch
     [SECURITY] Fix potential isdn ioctl memory overrun
     See CVE-2007-6151
+  * bugfix/vfs-use-access-mode-flag.patch
+    [SECURITY] Use the access mode flag instead of the open flag when
+    testing access mode for a directory.
+    See CVE-2008-0001
 
- -- dann frazier <dannf at debian.org>  Sat, 05 Jan 2008 17:27:50 -0700
+ -- dann frazier <dannf at debian.org>  Tue, 15 Jan 2008 16:44:15 -0700
 
 linux-2.6 (2.6.18.dfsg.1-17) stable; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/vfs-use-access-mode-flag.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/vfs-use-access-mode-flag.patch	Tue Jan 15 23:46:19 2008
@@ -0,0 +1,52 @@
+From: Linus Torvalds <torvalds at woody.linux-foundation.org>
+Date: Sat, 12 Jan 2008 22:06:34 +0000 (-0800)
+Subject: Use access mode instead of open flags to determine needed permissions
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=974a9f0b47da74e28f68b9c8645c3786aa5ace1a
+
+Use access mode instead of open flags to determine needed permissions
+
+Way back when (in commit 834f2a4a1554dc5b2598038b3fe8703defcbe467, aka
+"VFS: Allow the filesystem to return a full file pointer on open intent"
+to be exact), Trond changed the open logic to keep track of the original
+flags to a file open, in order to pass down the the intent of a dentry
+lookup to the low-level filesystem.
+
+However, when doing that reorganization, it changed the meaning of
+namei_flags, and thus inadvertently changed the test of access mode for
+directories (and RO filesystem) to use the wrong flag.  So fix those
+test back to use access mode ("acc_mode") rather than the open flag
+("flag").
+
+Issue noticed by Bill Roman at Datalight.
+
+Reported-and-tested-by: Bill Roman <bill.roman at datalight.com>
+Acked-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+Acked-by: Al Viro <viro at ZenIV.linux.org.uk>
+Cc: Christoph Hellwig <hch at lst.de>
+Cc: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at hp.com>
+
+diff -urpN linux-source-2.6.18.orig/fs/namei.c linux-source-2.6.18/fs/namei.c
+--- linux-source-2.6.18.orig/fs/namei.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/namei.c	2008-01-15 16:42:10.000000000 -0700
+@@ -1500,7 +1500,7 @@ int may_open(struct nameidata *nd, int a
+ 	if (S_ISLNK(inode->i_mode))
+ 		return -ELOOP;
+ 	
+-	if (S_ISDIR(inode->i_mode) && (flag & FMODE_WRITE))
++	if (S_ISDIR(inode->i_mode) && (acc_mode & MAY_WRITE))
+ 		return -EISDIR;
+ 
+ 	error = vfs_permission(nd, acc_mode);
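Review bot: In the `S_ISDIR` test of `may_open()`, the corrected condition depends on `acc_mode` carrying `MAY_WRITE` for every open that needs write permission, yet nothing in the hunk shows how callers derive `acc_mode` from the open flags. The commit message says this test already regressed once when the meaning of namei_flags changed, so a one-line comment above the check stating that permission tests in this function must use `acc_mode` and not `flag` would help keep it from regressing again. The header line "Adjusted to apply to Debian's 2.6.18" should also say what was adjusted relative to upstream commit 974a9f0b47da74e28f68b9c8645c3786aa5ace1a, for example whether only the line offsets differ.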
+@@ -1519,7 +1519,7 @@ int may_open(struct nameidata *nd, int a
+ 			return -EACCES;
+ 
+ 		flag &= ~O_TRUNC;
+-	} else if (IS_RDONLY(inode) && (flag & FMODE_WRITE))
++	} else if (IS_RDONLY(inode) && (acc_mode & MAY_WRITE))
+ 		return -EROFS;
+ 	/*
+ 	 * An append-only file must be opened in append mode for writing.
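Review bot: The switch to `acc_mode & MAY_WRITE` in the `IS_RDONLY` branch alters when `-EROFS` is returned, but the Debian changelog entry for this patch only mentions testing access mode "for a directory". Suggest extending the entry to cover the read-only filesystem test as well, matching the upstream description "directories (and RO filesystem)". The only testing recorded is the upstream Reported-and-tested-by tag, so it is worth stating whether the adjusted 2.6.18 backport was exercised on both the `-EISDIR` and `-EROFS` paths.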

Modified: dists/etch-security/linux-2.6/debian/patches/series/17etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/17etch1	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/17etch1	Tue Jan 15 23:46:19 2008
@@ -1 +1,2 @@
 + bugfix/i4l-isdn_ioctl-mem-overrun.patch
++ bugfix/vfs-use-access-mode-flag.patch


