From d264d7d5247a489dfb6ae8a521c677a46ae42c6a Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Mon, 16 Jan 2017 09:30:30 +0100
Subject: [PATCH] tmpfs: clear S_ISGID when setting posix ACLs
---
 debian/changelog | 1 +
 ...lear-S_ISGID-when-setting-posix-ACLs.patch | 45 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 47 insertions(+)
 create mode 100644 debian/patches/bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch
diff --git a/debian/changelog b/debian/changelog
index cfcca6743..9efc37fc3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -242,6 +242,7 @@ linux (4.9.4-1) UNRELEASED; urgency=medium
 [ Salvatore Bonaccorso ]
 * sysctl: Drop reference added by grab_header in proc_sys_readdir (CVE-2016-9191)
+ * tmpfs: clear S_ISGID when setting posix ACLs
 -- Salvatore Bonaccorso Mon, 16 Jan 2017 09:26:13 +0100
diff --git a/debian/patches/bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch b/debian/patches/bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch
new file mode 100644
index 000000000..faec91e99
--- /dev/null
+++ b/debian/patches/bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch
@@ -0,0 +1,45 @@
+From: Gu Zheng
+Date: Mon, 9 Jan 2017 09:34:48 +0800
+Subject: tmpfs: clear S_ISGID when setting posix ACLs
+Origin: https://git.kernel.org/linus/497de07d89c1410d76a15bec2bb41f24a2a89f31
+
+This change was missed the tmpfs modification in In CVE-2016-7097
+commit 073931017b49 ("posix_acl: Clear SGID bit when setting
+file permissions")
+It can test by xfstest generic/375, which failed to clear
+setgid bit in the following test case on tmpfs:
+
+ touch $testfile
+ chown 100:100 $testfile
+ chmod 2755 $testfile
+ _runas -u 100 -g 101 -- setfacl -m u::rwx,g::rwx,o::rwx $testfile
+
+Signed-off-by: Gu Zheng
+Signed-off-by: Al Viro
+---
+ fs/posix_acl.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/fs/posix_acl.c b/fs/posix_acl.c
+index 5955220..c9d48dc 100644
+--- a/fs/posix_acl.c
++++ b/fs/posix_acl.c
+@@ -922,11 +922,10 @@ int simple_set_acl(struct inode *inode, struct posix_acl *acl, int type)
+ int error;
+
+ if (type == ACL_TYPE_ACCESS) {
+- error = posix_acl_equiv_mode(acl, &inode->i_mode);
+- if (error < 0)
+- return 0;
+- if (error == 0)
+- acl = NULL;
++ error = posix_acl_update_mode(inode,
++ &inode->i_mode, &acl);
++ if (error)
++ return error;
+ }
+
+ inode->i_ctime = current_time(inode);
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index f305704f2..7db06bfe5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -95,6 +95,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/sysctl-Drop-reference-added-by-grab_header-in-proc_s.patch
+bugfix/all/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
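Review bot: The new `posix_acl_update_mode(inode, &inode->i_mode, &acl)` call in simple_set_acl() has no comment saying why the helper must be used rather than an open-coded posix_acl_equiv_mode() check, which is the pattern the description says was missed for tmpfs when CVE-2016-7097 was fixed. Above the call I would add `/* also clears S_ISGID when the caller is not in the owning group and lacks CAP_FSETID; do not open-code */`. The embedded hunk also changes the failure path without mentioning it: the removed lines returned 0 when posix_acl_equiv_mode() failed, while the new `if (error) return error;` propagates it, so an ACL that was previously ignored silently is now rejected to the caller; that deserves a sentence in the patch description. simple_set_acl() continues past the hunk, so whether anything after the in-place i_mode update can still fail is not visible here. The xfstests generic/375 case quoted in the description, run against a tmpfs mount, is the regression check to keep for this package.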