--- /dev/null
+From ioanna-maria.alifieraki@canonical.com Fri Feb 7 11:12:37 2020
+From: Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
+Date: Tue, 4 Feb 2020 18:49:58 +0000
+Subject: Revert "ovl: modify ovl_permission() to do checks on two inodes"
+To: ioanna.alifieraki@gmail.com, jay.vosburgh@canonical.com, miklos@szeredi.hu, linux-unionfs@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, gregkh@linuxfoundation.org, srivatsa@csail.mit.edu
+Message-ID: <20200204184958.6586-1-ioanna-maria.alifieraki@canonical.com>
+
+From: Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
+
+This reverts commit b24be4acd17a8963a29b2a92e1d80b9ddf759c95 which is commit
+c0ca3d70e8d3cf81e2255a217f7ca402f5ed0862 upstream.
+
+Commit b24be4acd17a ("ovl: modify ovl_permission() to do checks on two
+inodes") (stable kernel id) breaks r/w access in overlayfs when setting
+ACL to files, in 4.4 stable kernel. There is an available reproducer in
+[1].
+
+To reproduce the issue :
+$./make-overlay.sh
+$./test.sh
+st_mode is 100644
+open failed: -1
+cat: /tmp/overlay/animal: Permission denied <---- Breaks access
+-rw-r--r-- 1 jo jo 0 Oct 11 09:57 /tmp/overlay/animal
+
+There are two options to fix this; (a) backport commit ce31513a9114
+("ovl: copyattr after setting POSIX ACL") to 4.4 or (b) revert offending
+commit b24be4acd17a ("ovl: modify ovl_permission() to do checks on two
+inodes"). Following option (a) entails high risk of regression since
+commit ce31513a9114 ("ovl: copyattr after setting POSIX ACL") has many
+dependencies on other commits that need to be backported too (~18
+commits).
+
+This patch proceeds with reverting commit b24be4acd17a ("ovl: modify
+ovl_permission() to do checks on two inodes"). The reverted commit is
+associated with CVE-2018-16597, however the test-script provided in [3]
+shows that 4.4 kernel is NOT affected by this cve and therefore it's
+safe to revert it.
+
+The offending commit was introduced upstream in v4.8-rc1. At this point
+had nothing to do with any CVE. It was related with CVE-2018-16597 as
+it was the fix for bug [2]. Later on it was backported to stable 4.4.
+
+The test-script [3] tests whether 4.4 kernel is affected by
+CVE-2018-16597. It tests the reproducer found in [2] plus a few more
+cases. The correct output of the script is failure with "Permission
+denied" when a normal user tries to overwrite root owned files. For
+more details please refer to [4].
+
+[1] https://gist.github.com/thomas-holmes/711bcdb28e2b8e6d1c39c1d99d292af7
+[2] https://bugzilla.suse.com/show_bug.cgi?id=1106512#c0
+[3] https://launchpadlibrarian.net/459694705/test_overlay_permission.sh
+[4] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1851243
+
+Signed-off-by: Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/overlayfs/inode.c | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -9,7 +9,6 @@
+
+ #include <linux/fs.h>
+ #include <linux/slab.h>
+-#include <linux/cred.h>
+ #include <linux/xattr.h>
+ #include "overlayfs.h"
+
+@@ -92,7 +91,6 @@ int ovl_permission(struct inode *inode,
+ struct ovl_entry *oe;
+ struct dentry *alias = NULL;
+ struct inode *realinode;
+- const struct cred *old_cred;
+ struct dentry *realdentry;
+ bool is_upper;
+ int err;
+@@ -145,18 +143,7 @@ int ovl_permission(struct inode *inode,
+ goto out_dput;
+ }
+
+- /*
+- * Check overlay inode with the creds of task and underlying inode
+- * with creds of mounter
+- */
+- err = generic_permission(inode, mask);
+- if (err)
+- goto out_dput;
+-
+- old_cred = ovl_override_creds(inode->i_sb);
+ err = __inode_permission(realinode, mask);
+- revert_creds(old_cred);
+-
+ out_dput:
+ dput(alias);
+ return err;
projects / thirdparty / kernel / stable-queue.git / commitdiff
