Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2018-07-06 20:03:57 +0200
committerTakashi Iwai <tiwai@suse.de>2018-07-06 20:03:57 +0200
commit5e898b1bfef24f0ccda949028a5f2509b958327d (patch)
treeca02fc270ff47c44db312d7c2b0e90f3bf5f146c
parent29386ceb95409b087cc3770d4d70450a0d3d9dba (diff)
parentd1314725964bd66928b1d181f018059387f118fe (diff)
Merge branch 'users/rgoldwyn/cve/linux-4.4/for-next' into SLE12-SP3
-rw-r--r--patches.fixes/Fix-up-non-directory-creation-in-SGID-directories.patch52
-rw-r--r--series.conf1
2 files changed, 53 insertions, 0 deletions
diff --git a/patches.fixes/Fix-up-non-directory-creation-in-SGID-directories.patch b/patches.fixes/Fix-up-non-directory-creation-in-SGID-directories.patch
new file mode 100644
index 0000000000..c134ec42aa
--- /dev/null
+++ b/patches.fixes/Fix-up-non-directory-creation-in-SGID-directories.patch
@@ -0,0 +1,52 @@
+From 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue, 3 Jul 2018 17:10:19 -0700
+Subject: [PATCH] Fix up non-directory creation in SGID directories
+References: CVE-2018-13405, bsc#1100416
+Git-commit: 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7
+Patch-mainline: Queued in subsystem maintainer repository
+Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
+
+sgid directories have special semantics, making newly created files in
+the directory belong to the group of the directory, and newly created
+subdirectories will also become sgid. This is historically used for
+group-shared directories.
+
+But group directories writable by non-group members should not imply
+that such non-group members can magically join the group, so make sure
+to clear the sgid bit on non-directories for non-members (but remember
+that sgid without group execute means "mandatory locking", just to
+confuse things even more).
+
+Reported-by: Jann Horn <jannh@google.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+
+---
+ fs/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/inode.c b/fs/inode.c
+index 75309374dcdc..2b18d30b458c 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -1943,8 +1943,14 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
+ inode->i_uid = current_fsuid();
+ if (dir && dir->i_mode & S_ISGID) {
+ inode->i_gid = dir->i_gid;
++
++ /* Directories are special, and always inherit S_ISGID */
+ if (S_ISDIR(mode))
+ mode |= S_ISGID;
++ else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
++ !in_group_p(inode->i_gid) &&
++ !capable_wrt_inode_uidgid(dir, CAP_FSETID))
++ mode &= ~S_ISGID;
+ } else
+ inode->i_gid = current_fsgid();
+ inode->i_mode = mode;
+--
+2.16.4
+
diff --git a/series.conf b/series.conf
index fee054ddbd..89e518668d 100644
--- a/series.conf
+++ b/series.conf
@@ -6476,6 +6476,7 @@
patches.suse/mm-madvise-ensure-poisoned-pages-are-removed-from-per-cpu-lists.patch
patches.suse/mm-page_alloc.c-apply-gfp_allowed_mask-before-the-first-allocation-attempt.patch
+ patches.fixes/Fix-up-non-directory-creation-in-SGID-directories.patch
# MADV_FREE
patches.suse/mm-support-madvise-MADV_FREE.patch