[kernel] r15520 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Maximilian Attems maks at alioth.debian.org
Sun Apr 18 03:07:17 UTC 2010 

Author: maks
Date: Sun Apr 18 03:07:03 2010
New Revision: 15520

Log:
add reiserfs fix from opensuse

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/reiserfs-fix-permissions-on-reiserfs_priv.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/12

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Sun Apr 18 00:52:56 2010	(r15519)
+++ dists/sid/linux-2.6/debian/changelog	Sun Apr 18 03:07:03 2010	(r15520)
@@ -27,6 +27,7 @@
   * [ia64] Built in fbcon.
   * Update openvz patch to 6b5607eeec54. (closes: #574598)
   * Reenable nouveau autoloading.
+  * reiserfs: Fix permissions on .reiserfs_priv. CVE-2010-1146
 
   [ dann frazier ]
   * Add DRBD backport

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/reiserfs-fix-permissions-on-reiserfs_priv.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/reiserfs-fix-permissions-on-reiserfs_priv.patch	Sun Apr 18 03:07:03 2010	(r15520)
@@ -0,0 +1,79 @@
+From: Jeff Mahoney <jeffm at suse.com>
+Subject: [PATCH] reiserfs: Fix permissions on .reiserfs_priv
+References: bnc#593906 CVE-2010-1146
+Patch-mainline: Submitted 8 Apr 2010
+
+ Commit 677c9b2e393a0cd203bd54e9c18b012b2c73305a removed the magic
+ from the lookup code to hide the .reiserfs_priv directory since it
+ was getting loaded at mount-time instead. The intent was that the
+ entry would be hidden from the user via a poisoned d_compare, but
+ this was faulty.
+
+ This introduced a security issue where unpriviledged users could
+ access and modify extended attributes or ACLs belonging to other
+ users, including root.
+
+ This patch resolves the issue by properly hiding .reiserfs_priv. This
+ was the intent of the xattr poisoning code, but it appears to have
+ never worked as expected. This is fixed by using d_revalidate instead
+ of d_compare.
+
+ This patch makes -oexpose_privroot a no-op. I'm fine leaving it this
+ way. The effort involved in working out the corner cases wrt permissions
+ and caching outweigh the benefit of the feature.
+
+Signed-off-by: Jeff Mahoney <jeffm at suse.com>
+---
+
+ fs/reiserfs/dir.c   |    2 --
+ fs/reiserfs/xattr.c |   17 ++++-------------
+ 2 files changed, 4 insertions(+), 15 deletions(-)
+
+--- a/fs/reiserfs/dir.c
++++ b/fs/reiserfs/dir.c
+@@ -45,8 +45,6 @@ static inline bool is_privroot_deh(struc
+ 				   struct reiserfs_de_head *deh)
+ {
+ 	struct dentry *privroot = REISERFS_SB(dir->d_sb)->priv_root;
+-	if (reiserfs_expose_privroot(dir->d_sb))
+-		return 0;
+ 	return (dir == dir->d_parent && privroot->d_inode &&
+ 	        deh->deh_objectid == INODE_PKEY(privroot->d_inode)->k_objectid);
+ }
+--- a/fs/reiserfs/xattr.c
++++ b/fs/reiserfs/xattr.c
+@@ -972,21 +972,13 @@ int reiserfs_permission(struct inode *in
+ 	return generic_permission(inode, mask, NULL);
+ }
+ 
+-/* This will catch lookups from the fs root to .reiserfs_priv */
+-static int
+-xattr_lookup_poison(struct dentry *dentry, struct qstr *q1, struct qstr *name)
++static int xattr_hide_revalidate(struct dentry *dentry, struct nameidata *nd)
+ {
+-	struct dentry *priv_root = REISERFS_SB(dentry->d_sb)->priv_root;
+-	if (container_of(q1, struct dentry, d_name) == priv_root)
+-		return -ENOENT;
+-	if (q1->len == name->len &&
+-		   !memcmp(q1->name, name->name, name->len))
+-		return 0;
+-	return 1;
++	return -EPERM;
+ }
+ 
+ static const struct dentry_operations xattr_lookup_poison_ops = {
+-	.d_compare = xattr_lookup_poison,
++	.d_revalidate = xattr_hide_revalidate,
+ };
+ 
+ int reiserfs_lookup_privroot(struct super_block *s)
+@@ -1000,8 +992,7 @@ int reiserfs_lookup_privroot(struct supe
+ 				strlen(PRIVROOT_NAME));
+ 	if (!IS_ERR(dentry)) {
+ 		REISERFS_SB(s)->priv_root = dentry;
+-		if (!reiserfs_expose_privroot(s))
+-			s->s_root->d_op = &xattr_lookup_poison_ops;
++		dentry->d_op = &xattr_lookup_poison_ops;
+ 		if (dentry->d_inode)
+ 			dentry->d_inode->i_flags |= S_PRIVATE;
+ 	} else

Modified: dists/sid/linux-2.6/debian/patches/series/12
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/12	Sun Apr 18 00:52:56 2010	(r15519)
+++ dists/sid/linux-2.6/debian/patches/series/12	Sun Apr 18 03:07:03 2010	(r15520)
@@ -7,3 +7,4 @@
 + bugfix/all/drm-i915-Stop-trying-to-use-ACPI-lid-status-to-deter.patch
 + bugfix/all/forcedeth-fix-tx-limit2-flag-check.patch
 - bugfix/all/drivers-gpu-nouveau-no-udev-auto-loading.patch
++ bugfix/all/reiserfs-fix-permissions-on-reiserfs_priv.patch

More information about the Kernel-svn-changes mailing list