kernel/CVE-2018-13405.patch

From 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 Mon Sep 17 00:00:00 2001
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Tue, 3 Jul 2018 17:10:19 -0700
Subject: [PATCH] Fix up non-directory creation in SGID directories

sgid directories have special semantics, making newly created files in
the directory belong to the group of the directory, and newly created
subdirectories will also become sgid.  This is historically used for
group-shared directories.

But group directories writable by non-group members should not imply
that such non-group members can magically join the group, so make sure
to clear the sgid bit on non-directories for non-members (but remember
that sgid without group execute means "mandatory locking", just to
confuse things even more).

Reported-by: Jann Horn <jannh@google.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
---
 fs/inode.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/inode.c b/fs/inode.c
index 2c300e981796..8c86c809ca17 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -1999,8 +1999,14 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
 	inode->i_uid = current_fsuid();
 	if (dir && dir->i_mode & S_ISGID) {
 		inode->i_gid = dir->i_gid;
+
+		/* Directories are special, and always inherit S_ISGID */
 		if (S_ISDIR(mode))
 			mode |= S_ISGID;
+		else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
+			 !in_group_p(inode->i_gid) &&
+			 !capable_wrt_inode_uidgid(dir, CAP_FSETID))
+			mode &= ~S_ISGID;
 	} else
 		inode->i_gid = current_fsgid();
 	inode->i_mode = mode;
-- 
2.17.1
Linux v4.17.5 2018-07-09 16:01:10 +00:00			`From 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 Mon Sep 17 00:00:00 2001`
			`From: Linus Torvalds <torvalds@linux-foundation.org>`
			`Date: Tue, 3 Jul 2018 17:10:19 -0700`
			`Subject: [PATCH] Fix up non-directory creation in SGID directories`

			`sgid directories have special semantics, making newly created files in`
			`the directory belong to the group of the directory, and newly created`
			`subdirectories will also become sgid. This is historically used for`
			`group-shared directories.`

			`But group directories writable by non-group members should not imply`
			`that such non-group members can magically join the group, so make sure`
			`to clear the sgid bit on non-directories for non-members (but remember`
			`that sgid without group execute means "mandatory locking", just to`
			`confuse things even more).`

			`Reported-by: Jann Horn <jannh@google.com>`
			`Cc: Andy Lutomirski <luto@kernel.org>`
			`Cc: Al Viro <viro@zeniv.linux.org.uk>`
			`Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>`
			`Signed-off-by: Jeremy Cline <jcline@redhat.com>`
			`---`
			`fs/inode.c \| 6 ++++++`
			`1 file changed, 6 insertions(+)`

			`diff --git a/fs/inode.c b/fs/inode.c`
			`index 2c300e981796..8c86c809ca17 100644`
			`--- a/fs/inode.c`
			`+++ b/fs/inode.c`
			`@@ -1999,8 +1999,14 @@ void inode_init_owner(struct inode inode, const struct inode dir,`
			`inode->i_uid = current_fsuid();`
			`if (dir && dir->i_mode & S_ISGID) {`
			`inode->i_gid = dir->i_gid;`
			`+`
			`+ /* Directories are special, and always inherit S_ISGID */`
			`if (S_ISDIR(mode))`
			`mode \|= S_ISGID;`
			`+ else if ((mode & (S_ISGID \| S_IXGRP)) == (S_ISGID \| S_IXGRP) &&`
			`+ !in_group_p(inode->i_gid) &&`
			`+ !capable_wrt_inode_uidgid(dir, CAP_FSETID))`
			`+ mode &= ~S_ISGID;`
			`} else`
			`inode->i_gid = current_fsgid();`
			`inode->i_mode = mode;`
			`--`
			`2.17.1`