[kernel] r12276 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Oct 2 05:35:58 UTC 2008
Author: dannf
Date: Thu Oct 2 05:35:55 2008
New Revision: 12276
Log:
* bugfix/open-allows-sgid-in-sgid-directory.patch
Prevent open() creating file with wrong permissions
See CVE-2008-4210
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/lockless-helpers-for-remove_suid.patch
dists/etch-security/linux-2.6/debian/patches/bugfix/open-allows-sgid-in-sgid-directory.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/22etch3
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Thu Oct 2 05:35:55 2008
@@ -9,8 +9,11 @@
* bugfix/wan-sbni_ioctl-cap-checks.patch
Add missing capability checks in sbni_ioctl
See CVE-2008-3525
+ * bugfix/open-allows-sgid-in-sgid-directory.patch
+ Prevent open() creating file with wrong permissions
+ See CVE-2008-4210
- -- dann frazier <dannf at debian.org> Fri, 19 Sep 2008 11:03:22 -0600
+ -- dann frazier <dannf at debian.org> Fri, 27 Sep 2008 11:03:22 -0600
linux-2.6 (2.6.18.dfsg.1-22etch2) stable-security; urgency=high
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/lockless-helpers-for-remove_suid.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/lockless-helpers-for-remove_suid.patch Thu Oct 2 05:35:55 2008
@@ -0,0 +1,82 @@
+commit 01de85e057328ecbef36e108673b1e81059d54c1
+Author: Jens Axboe <jens.axboe at oracle.com>
+Date: Tue Oct 17 19:50:36 2006 +0200
+
+ [PATCH] Add lockless helpers for remove_suid()
+
+ Right now users have to grab i_mutex before calling remove_suid(), in the
+ unlikely event that a call to ->setattr() may be needed. Split up the
+ function in two parts:
+
+ - One to check if we need to remove suid
+ - One to actually remove it
+
+ The first we can call lockless.
+
+ Signed-off-by: Jens Axboe <jens.axboe at oracle.com>
+
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index d695ba2..2fe6e3f 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -1712,6 +1712,8 @@ extern void __iget(struct inode * inode);
+ extern void clear_inode(struct inode *);
+ extern void destroy_inode(struct inode *);
+ extern struct inode *new_inode(struct super_block *);
++extern int __remove_suid(struct dentry *, int);
++extern int should_remove_suid(struct dentry *);
+ extern int remove_suid(struct dentry *);
+ extern void remove_dquot_ref(struct super_block *, int, struct list_head *);
+
+diff --git a/mm/filemap.c b/mm/filemap.c
+index 3464b68..7c7addb 100644
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -1884,11 +1884,10 @@ repeat:
+ * if suid or (sgid and xgrp)
+ * remove privs
+ */
+-int remove_suid(struct dentry *dentry)
++int should_remove_suid(struct dentry *dentry)
+ {
+ mode_t mode = dentry->d_inode->i_mode;
+ int kill = 0;
+- int result = 0;
+
+ /* suid always must be killed */
+ if (unlikely(mode & S_ISUID))
+@@ -1901,13 +1900,28 @@ int remove_suid(struct dentry *dentry)
+ if (unlikely((mode & S_ISGID) && (mode & S_IXGRP)))
+ kill |= ATTR_KILL_SGID;
+
+- if (unlikely(kill && !capable(CAP_FSETID))) {
+- struct iattr newattrs;
++ if (unlikely(kill && !capable(CAP_FSETID)))
++ return kill;
+
+- newattrs.ia_valid = ATTR_FORCE | kill;
+- result = notify_change(dentry, &newattrs);
+- }
+- return result;
++ return 0;
++}
++
++int __remove_suid(struct dentry *dentry, int kill)
++{
++ struct iattr newattrs;
++
++ newattrs.ia_valid = ATTR_FORCE | kill;
++ return notify_change(dentry, &newattrs);
++}
++
++int remove_suid(struct dentry *dentry)
++{
++ int kill = should_remove_suid(dentry);
++
++ if (unlikely(kill))
++ return __remove_suid(dentry, kill);
++
++ return 0;
+ }
+ EXPORT_SYMBOL(remove_suid);
+
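Review bot: `__remove_suid()` is added with no comment stating its locking contract, and the existing comment block ("if suid or (sgid and xgrp) / remove privs") now sits above `should_remove_suid()`, which only computes a mask and removes nothing. The commit message says only the check may be called lockless, so the helper that calls `notify_change()` should carry something like `/* Caller must hold i_mutex; kill is the ATTR_KILL_* mask returned by should_remove_suid(). */`. The comment above `should_remove_suid()` should say that it returns the `ATTR_KILL_SUID`/`ATTR_KILL_SGID` mask, or 0 when nothing needs clearing or the caller has `CAP_FSETID`. Because the mode is read without the lock, the result is presumably only a snapshot until the caller takes i_mutex, which is worth stating for future callers.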
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/open-allows-sgid-in-sgid-directory.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/open-allows-sgid-in-sgid-directory.patch Thu Oct 2 05:35:55 2008
@@ -0,0 +1,26 @@
+commit 7b82dc0e64e93f430182f36b46b79fcee87d3532
+Author: Linus Torvalds <torvalds at woody.linux-foundation.org>
+Date: Tue May 8 20:10:00 2007 -0700
+
+ Remove suid/sgid bits on [f]truncate()
+
+ .. to match what we do on write(). This way, people who write to files
+ by using [f]truncate + writable mmap have the same semantics as if they
+ were using the write() family of system calls.
+
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/open.c b/fs/open.c
+index ca9981c..0d515d1 100644
+--- a/fs/open.c
++++ b/fs/open.c
+@@ -210,6 +210,9 @@ int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs,
+ newattrs.ia_valid |= ATTR_FILE;
+ }
+
++ /* Remove suid/sgid on truncate too */
++ newattrs.ia_valid |= should_remove_suid(dentry);
++
+ mutex_lock(&dentry->d_inode->i_mutex);
+ err = notify_change(dentry, &newattrs);
+ mutex_unlock(&dentry->d_inode->i_mutex);
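Review bot: The added `newattrs.ia_valid |= should_remove_suid(dentry);` requests the setuid/setgid kill without `ATTR_FORCE`, whereas `__remove_suid()` in the companion patch sets `ATTR_FORCE | kill` for the same operation. If the setattr permission path treats the resulting mode change as an ordinary chmod, a caller with write access who is not the file owner could have the truncate itself rejected. This is inferred, since `notify_change()` is not shown on this page, and should be confirmed against the 2.6.18 tree. If it holds, capture the mask and force it only when non-zero, e.g. `int kill = should_remove_suid(dentry); if (kill) newattrs.ia_valid |= kill | ATTR_FORCE;`. `do_truncate()` starts and ends outside this hunk, so any earlier handling of `ia_valid` is not visible here.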
Modified: dists/etch-security/linux-2.6/debian/patches/series/22etch3
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/22etch3 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/22etch3 Thu Oct 2 05:35:55 2008
@@ -1,3 +1,5 @@
+ bugfix/dccp-change-l-r-must-have-at-least-one-byte-in-the-dccpsf_val-field.patch
+ bugfix/dio-zero-struct-dio-with-kzalloc-instead-of-manually.patch
+ bugfix/wan-sbni_ioctl-cap-checks.patch
++ bugfix/lockless-helpers-for-remove_suid.patch
++ bugfix/open-allows-sgid-in-sgid-directory.patch