[linux] 05/05: fs: Avoid premature clearing of capabilities (CVE-2015-1350)

debian-kernel at lists.debian.org
Wed Nov 16 18:27:12 UTC 2016


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit b7117071e03b1cd22cc92e1576f234affec4022c
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Sun Nov 13 09:56:16 2016 +0100

    fs: Avoid premature clearing of capabilities (CVE-2015-1350)
    
    Closes: #770492
---
 debian/changelog                                   |  2 +
 ...-Avoid-premature-clearing-of-capabilities.patch | 74 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 77 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 552777c..c31471d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -47,6 +47,8 @@ linux (4.8.8-1) UNRELEASED; urgency=medium
   * ceph: Propagate dentry down to inode_change_ok()
   * fuse: Propagate dentry down to inode_change_ok()
   * fs: Give dentry to inode_change_ok() instead of inode
+  * fs: Avoid premature clearing of capabilities (CVE-2015-1350)
+    (Closes: #770492)
 
  -- Salvatore Bonaccorso <carnil at debian.org>  Tue, 15 Nov 2016 22:01:08 +0100
 
diff --git a/debian/patches/bugfix/all/fs-Avoid-premature-clearing-of-capabilities.patch b/debian/patches/bugfix/all/fs-Avoid-premature-clearing-of-capabilities.patch
new file mode 100644
index 0000000..85d776f
--- /dev/null
+++ b/debian/patches/bugfix/all/fs-Avoid-premature-clearing-of-capabilities.patch
@@ -0,0 +1,74 @@
+From: Jan Kara <jack at suse.cz>
+Date: Thu, 26 May 2016 17:21:32 +0200
+Subject: fs: Avoid premature clearing of capabilities
+Origin: https://git.kernel.org/linus/030b533c4fd4d2ec3402363323de4bb2983c9cee
+Debian-Bug: https://bugs.debian.org/770492
+
+Currently, notify_change() clears capabilities or IMA attributes by
+calling security_inode_killpriv() before calling into ->setattr. Thus it
+happens before any other permission checks in inode_change_ok() and user
+is thus allowed to trigger clearing of capabilities or IMA attributes
+for any file he can look up e.g. by calling chown for that file. This is
+unexpected and can lead to user DoSing a system.
+
+Fix the problem by calling security_inode_killpriv() at the end of
+inode_change_ok() instead of from notify_change(). At that moment we are
+sure user has permissions to do the requested change.
+
+References: CVE-2015-1350
+Reviewed-by: Christoph Hellwig <hch at lst.de>
+Signed-off-by: Jan Kara <jack at suse.cz>
+---
+ fs/attr.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/fs/attr.c b/fs/attr.c
+index 5c45909..83c8430 100644
+--- a/fs/attr.c
++++ b/fs/attr.c
+@@ -47,7 +47,7 @@ int setattr_prepare(struct dentry *dentry, struct iattr *attr)
+ 
+ 	/* If force is set do it anyway. */
+ 	if (ia_valid & ATTR_FORCE)
+-		return 0;
++		goto kill_priv;
+ 
+ 	/* Make sure a caller can chown. */
+ 	if ((ia_valid & ATTR_UID) &&
+@@ -80,6 +80,16 @@ int setattr_prepare(struct dentry *dentry, struct iattr *attr)
+ 			return -EPERM;
+ 	}
+ 
++kill_priv:
++	/* User has permission for the change */
++	if (ia_valid & ATTR_KILL_PRIV) {
++		int error;
++
++		error = security_inode_killpriv(dentry);
++		if (error)
++			return error;
++	}
++
+ 	return 0;
+ }
+ EXPORT_SYMBOL(setattr_prepare);
+@@ -220,13 +230,11 @@ int notify_change(struct dentry * dentry, struct iattr * attr, struct inode **de
+ 	if (!(ia_valid & ATTR_MTIME_SET))
+ 		attr->ia_mtime = now;
+ 	if (ia_valid & ATTR_KILL_PRIV) {
+-		attr->ia_valid &= ~ATTR_KILL_PRIV;
+-		ia_valid &= ~ATTR_KILL_PRIV;
+ 		error = security_inode_need_killpriv(dentry);
+-		if (error > 0)
+-			error = security_inode_killpriv(dentry);
+-		if (error)
++		if (error < 0)
+ 			return error;
++		if (error == 0)
++			ia_valid = attr->ia_valid &= ~ATTR_KILL_PRIV;
+ 	}
+ 
+ 	/*
+-- 
+2.10.2
+
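Review bot: The description says security_inode_killpriv() moves "to the end of inode_change_ok()", but the fs/attr.c hunks modify setattr_prepare(); since this series follows "fs: Give dentry to inode_change_ok() instead of inode", a one-line backport note under the Origin: header stating that inode_change_ok() is setattr_prepare() in this tree would spare the next reader the detour. Two behavioural consequences deserve a sentence in the patch body as well: the ATTR_FORCE early `return 0` becomes `goto kill_priv`, so a forced change that skips the chown/chmod permission checks still clears capabilities and IMA attributes (the intended semantics, but unstated), and because the killpriv call leaves notify_change(), it now only runs on ->setattr paths that reach setattr_prepare(). Finally, in notify_change() `error` is left holding the positive value from security_inode_need_killpriv() when it returns 1; the hunk's context does not show `error` being reassigned before it is next used or returned, so please confirm that in the full function.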
diff --git a/debian/patches/series b/debian/patches/series
index 6c1909a..2e51238 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -97,6 +97,7 @@ bugfix/all/xfs-Propagate-dentry-down-to-inode_change_ok.patch
 bugfix/all/ceph-Propagate-dentry-down-to-inode_change_ok.patch
 bugfix/all/fuse-Propagate-dentry-down-to-inode_change_ok.patch
 bugfix/all/fs-Give-dentry-to-inode_change_ok-instead-of-inode.patch
+bugfix/all/fs-Avoid-premature-clearing-of-capabilities.patch
 
 # ABI maintenance
 
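Review bot: Ordering is correct and should stay this way: the new patch's kill_priv block calls security_inode_killpriv(dentry) from setattr_prepare(), so it must be applied after fs-Give-dentry-to-inode_change_ok-instead-of-inode.patch and the xfs/ceph/fuse dentry-propagation patches listed just above it; no change requested.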

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git