diff options
| author | Salvatore Bonaccorso <carnil@debian.org> | 2015-12-24 06:42:25 +0100 |
|---|---|---|
| committer | Salvatore Bonaccorso <carnil@debian.org> | 2015-12-24 06:42:25 +0100 |
| commit | d6b9e3f082d21de953553dda4dde9c641b96714f (patch) | |
| tree | b8a72ad57ccc29f1c3e7129d24c07c9c9af76dd2 | |
| parent | 8571d54a8b7a2cebdba0a317a813f8b7c3ed2bc6 (diff) | |
| download | kernel_replicant_linux-d6b9e3f082d21de953553dda4dde9c641b96714f.tar.gz kernel_replicant_linux-d6b9e3f082d21de953553dda4dde9c641b96714f.tar.bz2 kernel_replicant_linux-d6b9e3f082d21de953553dda4dde9c641b96714f.zip | |
ovl: fix permission checking for setattr (CVE-2015-8660)
| -rw-r--r-- | debian/changelog | 4 | ||||
| -rw-r--r-- | debian/patches/bugfix/all/ovl-fix-permission-checking-for-setattr.patch | 46 | ||||
| -rw-r--r-- | debian/patches/series | 1 |
3 files changed, 51 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index f9e4e0715331..1beea58bf657 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,7 +1,11 @@ linux (4.3.3-3) UNRELEASED; urgency=medium + [ Ben Hutchings ] * [ppc64*] drm: Enable DRM_AST as module (Closes: #808338) + [ Salvatore Bonaccorso ] + * ovl: fix permission checking for setattr (CVE-2015-8660) + -- Ben Hutchings <ben@decadent.org.uk> Fri, 18 Dec 2015 20:19:24 +0000 linux (4.3.3-2) unstable; urgency=medium diff --git a/debian/patches/bugfix/all/ovl-fix-permission-checking-for-setattr.patch b/debian/patches/bugfix/all/ovl-fix-permission-checking-for-setattr.patch new file mode 100644 index 000000000000..28adeb5b2cc5 --- /dev/null +++ b/debian/patches/bugfix/all/ovl-fix-permission-checking-for-setattr.patch @@ -0,0 +1,46 @@ +From: Miklos Szeredi <miklos@szeredi.hu> +Date: Fri, 4 Dec 2015 19:18:48 +0100 +Subject: ovl: fix permission checking for setattr +Origin: https://git.kernel.org/linus/acff81ec2c79492b180fade3c2894425cd35a545 + +[Al Viro] The bug is in being too enthusiastic about optimizing ->setattr() +away - instead of "copy verbatim with metadata" + "chmod/chown/utimes" +(with the former being always safe and the latter failing in case of +insufficient permissions) it tries to combine these two. Note that copyup +itself will have to do ->setattr() anyway; _that_ is where the elevated +capabilities are right. Having these two ->setattr() (one to set verbatim +copy of metadata, another to do what overlayfs ->setattr() had been asked +to do in the first place) combined is where it breaks. + +Signed-off-by: Miklos Szeredi <miklos@szeredi.hu> +Cc: <stable@vger.kernel.org> +Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> +--- + fs/overlayfs/inode.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c +index ec0c2a0..9612849 100644 +--- a/fs/overlayfs/inode.c ++++ b/fs/overlayfs/inode.c +@@ -49,13 +49,13 @@ int ovl_setattr(struct dentry *dentry, struct iattr *attr) + if (err) + goto out; + +- upperdentry = ovl_dentry_upper(dentry); +- if (upperdentry) { ++ err = ovl_copy_up(dentry); ++ if (!err) { ++ upperdentry = ovl_dentry_upper(dentry); ++ + mutex_lock(&upperdentry->d_inode->i_mutex); + err = notify_change(upperdentry, attr, NULL); + mutex_unlock(&upperdentry->d_inode->i_mutex); +- } else { +- err = ovl_copy_up_last(dentry, attr, false); + } + ovl_drop_write(dentry); + out: +-- +2.6.4 + diff --git a/debian/patches/series b/debian/patches/series index 7bae9d83f52d..a993574e4d0a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -105,3 +105,4 @@ bugfix/all/revert-vrf-fix-double-free-and-memory-corruption-on-.patch bugfix/all/vrf-fix-double-free-and-memory-corruption-on-registe.patch bugfix/all/tipc-fix-kfree_skb-of-uninitialised-pointer.patch debian/armhf-sparc64-force-zone_dma-to-be-enabled.patch +bugfix/all/ovl-fix-permission-checking-for-setattr.patch |