fs: Fix up non-directory creation in SGID directories (CVE-2018-13405)
This commit is contained in:
parent
90c6b3eab9
commit
bedf220e50
|
@ -289,6 +289,7 @@ linux (4.17.5-1) UNRELEASED; urgency=medium
|
|||
tools for the host architecture
|
||||
- linux-image: Install symlinks to boot wrapper tools instead of the
|
||||
native tools built by kbuild
|
||||
* fs: Fix up non-directory creation in SGID directories (CVE-2018-13405)
|
||||
|
||||
-- Sjoerd Simons <sjoerd@debian.org> Wed, 04 Jul 2018 10:25:57 +0200
|
||||
|
||||
|
|
42
debian/patches/bugfix/all/fix-up-non-directory-creation-in-sgid-directories.patch
vendored
Normal file
42
debian/patches/bugfix/all/fix-up-non-directory-creation-in-sgid-directories.patch
vendored
Normal file
|
@ -0,0 +1,42 @@
|
|||
From: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Date: Tue, 3 Jul 2018 17:10:19 -0700
|
||||
Subject: Fix up non-directory creation in SGID directories
|
||||
Origin: https://git.kernel.org/linus/0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-13405
|
||||
|
||||
sgid directories have special semantics, making newly created files in
|
||||
the directory belong to the group of the directory, and newly created
|
||||
subdirectories will also become sgid. This is historically used for
|
||||
group-shared directories.
|
||||
|
||||
But group directories writable by non-group members should not imply
|
||||
that such non-group members can magically join the group, so make sure
|
||||
to clear the sgid bit on non-directories for non-members (but remember
|
||||
that sgid without group execute means "mandatory locking", just to
|
||||
confuse things even more).
|
||||
|
||||
Reported-by: Jann Horn <jannh@google.com>
|
||||
Cc: Andy Lutomirski <luto@kernel.org>
|
||||
Cc: Al Viro <viro@zeniv.linux.org.uk>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
fs/inode.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
--- a/fs/inode.c
|
||||
+++ b/fs/inode.c
|
||||
@@ -2014,8 +2014,14 @@ void inode_init_owner(struct inode *inod
|
||||
inode->i_uid = current_fsuid();
|
||||
if (dir && dir->i_mode & S_ISGID) {
|
||||
inode->i_gid = dir->i_gid;
|
||||
+
|
||||
+ /* Directories are special, and always inherit S_ISGID */
|
||||
if (S_ISDIR(mode))
|
||||
mode |= S_ISGID;
|
||||
+ else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
|
||||
+ !in_group_p(inode->i_gid) &&
|
||||
+ !capable_wrt_inode_uidgid(dir, CAP_FSETID))
|
||||
+ mode &= ~S_ISGID;
|
||||
} else
|
||||
inode->i_gid = current_fsgid();
|
||||
inode->i_mode = mode;
|
|
@ -145,6 +145,7 @@ bugfix/all/jbd2-don-t-mark-block-as-modified-if-the-handle-is-o.patch
|
|||
bugfix/all/ext4-avoid-running-out-of-journal-credits-when-appen.patch
|
||||
bugfix/all/ext4-add-more-inode-number-paranoia-checks.patch
|
||||
bugfix/all/jfs-fix-inconsistency-between-memory-allocation-and-.patch
|
||||
bugfix/all/fix-up-non-directory-creation-in-sgid-directories.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|
Loading…
Reference in New Issue