[thirdparty/kernel/stable-queue.git] / releases / 3.1.1 / nfs-sunrpc-don-t-use-a-credential-with-extra-groups.patch

From dc6f55e9f8dac4b6479be67c5c9128ad37bb491f Mon Sep 17 00:00:00 2001
From: NeilBrown <neilb@suse.de>
Date: Tue, 25 Oct 2011 10:25:49 +1100
Subject: NFS/sunrpc: don't use a credential with extra groups.

From: NeilBrown <neilb@suse.de>

commit dc6f55e9f8dac4b6479be67c5c9128ad37bb491f upstream.

The sunrpc layer keeps a cache of recently used credentials and
'unx_match' is used to find the credential which matches the current
process.

However unx_match allows a match when the cached credential has extra
groups at the end of uc_gids list which are not in the process group list.

So if a process with a list of (say) 4 group accesses a file and gains
access because of the last group in the list, then another process
with the same uid and gid, and a gid list being the first tree of the
gids of the original process tries to access the file, it will be
granted access even though it shouldn't as the wrong rpc credential
will be used.

Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 net/sunrpc/auth_unix.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/sunrpc/auth_unix.c
+++ b/net/sunrpc/auth_unix.c
@@ -129,6 +129,9 @@ unx_match(struct auth_cred *acred, struc
 	for (i = 0; i < groups ; i++)
 		if (cred->uc_gids[i] != GROUP_AT(acred->group_info, i))
 			return 0;
+	if (groups < NFS_NGROUPS &&
+	    cred->uc_gids[groups] != NOGROUP)
+		return 0;
 	return 1;
 }
Commit	Line	Data
55a56237 GKH	1	From dc6f55e9f8dac4b6479be67c5c9128ad37bb491f Mon Sep 17 00:00:00 2001
	2	From: NeilBrown <neilb@suse.de>
	3	Date: Tue, 25 Oct 2011 10:25:49 +1100
	4	Subject: NFS/sunrpc: don't use a credential with extra groups.
	5
	6	From: NeilBrown <neilb@suse.de>
	7
	8	commit dc6f55e9f8dac4b6479be67c5c9128ad37bb491f upstream.
	9
	10	The sunrpc layer keeps a cache of recently used credentials and
	11	'unx_match' is used to find the credential which matches the current
	12	process.
	13
	14	However unx_match allows a match when the cached credential has extra
	15	groups at the end of uc_gids list which are not in the process group list.
	16
	17	So if a process with a list of (say) 4 group accesses a file and gains
	18	access because of the last group in the list, then another process
	19	with the same uid and gid, and a gid list being the first tree of the
	20	gids of the original process tries to access the file, it will be
	21	granted access even though it shouldn't as the wrong rpc credential
	22	will be used.
	23
	24	Signed-off-by: NeilBrown <neilb@suse.de>
	25	Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
	26	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
	27
	28	---
	29	net/sunrpc/auth_unix.c \| 3 +++
	30	1 file changed, 3 insertions(+)
	31
	32	--- a/net/sunrpc/auth_unix.c
	33	+++ b/net/sunrpc/auth_unix.c
	34	@@ -129,6 +129,9 @@ unx_match(struct auth_cred *acred, struc
	35	for (i = 0; i < groups ; i++)
	36	if (cred->uc_gids[i] != GROUP_AT(acred->group_info, i))
	37	return 0;
	38	+ if (groups < NFS_NGROUPS &&
	39	+ cred->uc_gids[groups] != NOGROUP)
	40	+ return 0;
	41	return 1;
	42	}
	43