[kernel] r12289 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Tue Oct 7 06:12:24 UTC 2008


Author: dannf
Date: Tue Oct  7 06:12:22 2008
New Revision: 12289

Log:
bugfix/remove-SUID-when-splicing-into-an-inode.patch
Remove SUID when splicing into an inode
See CVE-2008-3833

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/remove-SUID-when-splicing-into-an-inode.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/22etch3

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Tue Oct  7 06:12:22 2008
@@ -15,8 +15,11 @@
   * bugfix/splice-fix-bad-unlock_page-in-error-case.patch
     Don't attempt to unlock a page if add_to_page_cache_lru fails
     See CVE-2008-4302
+  * bugfix/remove-SUID-when-splicing-into-an-inode.patch
+    Remove SUID when splicing into an inode
+    See CVE-2008-3833
 
- -- dann frazier <dannf at debian.org>  Fri, 03 Oct 2008 16:51:58 -0600
+ -- dann frazier <dannf at debian.org>  Fri, 03 Oct 2008 17:22:53 -0600
 
 linux-2.6 (2.6.18.dfsg.1-22etch2) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/remove-SUID-when-splicing-into-an-inode.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/remove-SUID-when-splicing-into-an-inode.patch	Tue Oct  7 06:12:22 2008
@@ -0,0 +1,51 @@
+commit 8c34e2d63231d4bf4852bac8521883944d770fe3
+Author: Jens Axboe <jens.axboe at oracle.com>
+Date:   Tue Oct 17 19:43:22 2006 +0200
+
+    [PATCH] Remove SUID when splicing into an inode
+    
+    Originally from Mark Fasheh <mark.fasheh at oracle.com>
+    
+    generic_file_splice_write() does not remove S_ISUID or S_ISGID. This is
+    inconsistent with the way we generally write to files.
+    
+    Signed-off-by: Mark Fasheh <mark.fasheh at oracle.com>
+    Signed-off-by: Jens Axboe <jens.axboe at oracle.com>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+--- linux-source-2.6.18.orig/fs/splice.c	2008-10-03 17:14:24.000000000 -0600
++++ linux-source-2.6.18/fs/splice.c	2008-10-03 17:18:35.000000000 -0600
+@@ -827,12 +827,21 @@
+ 			  loff_t *ppos, size_t len, unsigned int flags)
+ {
+ 	struct address_space *mapping = out->f_mapping;
++	struct inode *inode = mapping->host;
+ 	ssize_t ret;
++	int err;
++
++	err = should_remove_suid(out->f_dentry);
++	if (unlikely(err)) {
++		mutex_lock(&inode->i_mutex);
++		err = __remove_suid(out->f_dentry, err);
++		mutex_unlock(&inode->i_mutex);
++		if (err)
++			return err;
++       }
+ 
+ 	ret = splice_from_pipe(pipe, out, ppos, len, flags, pipe_to_file);
+ 	if (ret > 0) {
+-		struct inode *inode = mapping->host;
+-
+ 		*ppos += ret;
+ 
+ 		/*
+@@ -840,8 +849,6 @@
+ 		 * sync it.
+ 		 */
+ 		if (unlikely((out->f_flags & O_SYNC) || IS_SYNC(inode))) {
+-			int err;
+-
+ 			mutex_lock(&inode->i_mutex);
+ 			err = generic_osync_inode(inode, mapping,
+ 						  OSYNC_METADATA|OSYNC_DATA);
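Review bot: In the embedded fs/splice.c change, `should_remove_suid(out->f_dentry)` samples the kill mask before `inode->i_mutex` is taken, so the mode bits could change between that check and the `__remove_suid()` call made under the lock. This is presumably the intended use of the lockless helpers applied earlier in the series, but the code should say so. I would add a comment above the check such as `/* Strip S_ISUID/S_ISGID before any data is spliced, as the regular write path does; the mask is sampled locklessly and applied under i_mutex. */`. The closing brace of the new `if (unlikely(err))` block is indented with spaces where the surrounding lines use tabs. The function's signature starts above the embedded hunk and its body continues past the end, so the rest of the O_SYNC path is not visible here.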

Modified: dists/etch-security/linux-2.6/debian/patches/series/22etch3
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/22etch3	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/22etch3	Tue Oct  7 06:12:22 2008
@@ -4,3 +4,4 @@
 + bugfix/lockless-helpers-for-remove_suid.patch
 + bugfix/open-allows-sgid-in-sgid-directory.patch
 + bugfix/splice-fix-bad-unlock_page-in-error-case.patch
++ bugfix/remove-SUID-when-splicing-into-an-inode.patch


