CVE-XXXX-XXXX permission bypass on overlayfs (rhbz 1291329 1291332)
This commit is contained in:
parent
616e3f7f4c
commit
0ad765a576
|
@ -633,6 +633,9 @@ Patch572: alua_fix.patch
|
||||||
#CVE-2013-7446 rhbz 1282688 1282712
|
#CVE-2013-7446 rhbz 1282688 1282712
|
||||||
Patch573: unix-avoid-use-after-free-in-ep_remove_wait_queue.patch
|
Patch573: unix-avoid-use-after-free-in-ep_remove_wait_queue.patch
|
||||||
|
|
||||||
|
#CVE-XXXX-XXXX rhbz 1291329 1291332
|
||||||
|
Patch574: ovl-fix-permission-checking-for-setattr.patch
|
||||||
|
|
||||||
# END OF PATCH DEFINITIONS
|
# END OF PATCH DEFINITIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
|
@ -2076,6 +2079,9 @@ fi
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Dec 14 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
|
- CVE-XXXX-XXXX permission bypass on overlayfs (rhbz 1291329 1291332)
|
||||||
|
|
||||||
* Fri Dec 11 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
* Fri Dec 11 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
- Linux v4.3.2
|
- Linux v4.3.2
|
||||||
- CVE-2013-7446 unix sockects use after free (rhbz 1282688 1282712)
|
- CVE-2013-7446 unix sockects use after free (rhbz 1282688 1282712)
|
||||||
|
|
|
@ -0,0 +1,46 @@
|
||||||
|
From acff81ec2c79492b180fade3c2894425cd35a545 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Miklos Szeredi <miklos@szeredi.hu>
|
||||||
|
Date: Fri, 4 Dec 2015 19:18:48 +0100
|
||||||
|
Subject: [PATCH] ovl: fix permission checking for setattr
|
||||||
|
|
||||||
|
[Al Viro] The bug is in being too enthusiastic about optimizing ->setattr()
|
||||||
|
away - instead of "copy verbatim with metadata" + "chmod/chown/utimes"
|
||||||
|
(with the former being always safe and the latter failing in case of
|
||||||
|
insufficient permissions) it tries to combine these two. Note that copyup
|
||||||
|
itself will have to do ->setattr() anyway; _that_ is where the elevated
|
||||||
|
capabilities are right. Having these two ->setattr() (one to set verbatim
|
||||||
|
copy of metadata, another to do what overlayfs ->setattr() had been asked
|
||||||
|
to do in the first place) combined is where it breaks.
|
||||||
|
|
||||||
|
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
|
||||||
|
Cc: <stable@vger.kernel.org>
|
||||||
|
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||||||
|
---
|
||||||
|
fs/overlayfs/inode.c | 8 ++++----
|
||||||
|
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
|
||||||
|
index ec0c2a050043..961284936917 100644
|
||||||
|
--- a/fs/overlayfs/inode.c
|
||||||
|
+++ b/fs/overlayfs/inode.c
|
||||||
|
@@ -49,13 +49,13 @@ int ovl_setattr(struct dentry *dentry, struct iattr *attr)
|
||||||
|
if (err)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
- upperdentry = ovl_dentry_upper(dentry);
|
||||||
|
- if (upperdentry) {
|
||||||
|
+ err = ovl_copy_up(dentry);
|
||||||
|
+ if (!err) {
|
||||||
|
+ upperdentry = ovl_dentry_upper(dentry);
|
||||||
|
+
|
||||||
|
mutex_lock(&upperdentry->d_inode->i_mutex);
|
||||||
|
err = notify_change(upperdentry, attr, NULL);
|
||||||
|
mutex_unlock(&upperdentry->d_inode->i_mutex);
|
||||||
|
- } else {
|
||||||
|
- err = ovl_copy_up_last(dentry, attr, false);
|
||||||
|
}
|
||||||
|
ovl_drop_write(dentry);
|
||||||
|
out:
|
||||||
|
--
|
||||||
|
2.5.0
|
||||||
|
|
Loading…
Reference in New Issue