[linux] 01/01: ovl: fix permission checking for setattr (CVE-2015-8660)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Dec 24 05:43:29 UTC 2015 

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit d6b9e3f082d21de953553dda4dde9c641b96714f
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu Dec 24 06:42:25 2015 +0100

    ovl: fix permission checking for setattr (CVE-2015-8660)
---
 debian/changelog                                   |  4 ++
 .../ovl-fix-permission-checking-for-setattr.patch  | 46 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 51 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index f9e4e07..1beea58 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,11 @@
 linux (4.3.3-3) UNRELEASED; urgency=medium
 
+  [ Ben Hutchings ]
   * [ppc64*] drm: Enable DRM_AST as module (Closes: #808338)
 
+  [ Salvatore Bonaccorso ]
+  * ovl: fix permission checking for setattr (CVE-2015-8660)
+
  -- Ben Hutchings <ben at decadent.org.uk>  Fri, 18 Dec 2015 20:19:24 +0000
 
 linux (4.3.3-2) unstable; urgency=medium
diff --git a/debian/patches/bugfix/all/ovl-fix-permission-checking-for-setattr.patch b/debian/patches/bugfix/all/ovl-fix-permission-checking-for-setattr.patch
new file mode 100644
index 0000000..28adeb5
--- /dev/null
+++ b/debian/patches/bugfix/all/ovl-fix-permission-checking-for-setattr.patch
@@ -0,0 +1,46 @@
+From: Miklos Szeredi <miklos at szeredi.hu>
+Date: Fri, 4 Dec 2015 19:18:48 +0100
+Subject: ovl: fix permission checking for setattr
+Origin: https://git.kernel.org/linus/acff81ec2c79492b180fade3c2894425cd35a545
+
+[Al Viro] The bug is in being too enthusiastic about optimizing ->setattr()
+away - instead of "copy verbatim with metadata" + "chmod/chown/utimes"
+(with the former being always safe and the latter failing in case of
+insufficient permissions) it tries to combine these two.  Note that copyup
+itself will have to do ->setattr() anyway; _that_ is where the elevated
+capabilities are right.  Having these two ->setattr() (one to set verbatim
+copy of metadata, another to do what overlayfs ->setattr() had been asked
+to do in the first place) combined is where it breaks.
+
+Signed-off-by: Miklos Szeredi <miklos at szeredi.hu>
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+---
+ fs/overlayfs/inode.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
+index ec0c2a0..9612849 100644
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -49,13 +49,13 @@ int ovl_setattr(struct dentry *dentry, struct iattr *attr)
+ 	if (err)
+ 		goto out;
+ 
+-	upperdentry = ovl_dentry_upper(dentry);
+-	if (upperdentry) {
++	err = ovl_copy_up(dentry);
++	if (!err) {
++		upperdentry = ovl_dentry_upper(dentry);
++
+ 		mutex_lock(&upperdentry->d_inode->i_mutex);
+ 		err = notify_change(upperdentry, attr, NULL);
+ 		mutex_unlock(&upperdentry->d_inode->i_mutex);
+-	} else {
+-		err = ovl_copy_up_last(dentry, attr, false);
+ 	}
+ 	ovl_drop_write(dentry);
+ out:
+-- 
+2.6.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 7bae9d8..a993574 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -105,3 +105,4 @@ bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch
 bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch
 bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch
 debian/armhf-sparc64-force-zone_dma-to-be-enabled.patch
+bugfix/all/ovl-fix-permission-checking-for-setattr.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list