From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 7 Feb 2020 10:27:47 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v4.19.103~99
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8dfd9694c1fa125c709c799a088da75d035b9375;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	revert-ovl-modify-ovl_permission-to-do-checks-on-two-inodes.patch
---

diff --git a/queue-4.4/revert-ovl-modify-ovl_permission-to-do-checks-on-two-inodes.patch b/queue-4.4/revert-ovl-modify-ovl_permission-to-do-checks-on-two-inodes.patch
new file mode 100644
index 00000000000..2a4bc52f1fe
--- /dev/null
+++ b/queue-4.4/revert-ovl-modify-ovl_permission-to-do-checks-on-two-inodes.patch
@@ -0,0 +1,97 @@
+From ioanna-maria.alifieraki@canonical.com  Fri Feb  7 11:12:37 2020
+From: Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
+Date: Tue,  4 Feb 2020 18:49:58 +0000
+Subject: Revert "ovl: modify ovl_permission() to do checks on two inodes"
+To: ioanna.alifieraki@gmail.com, jay.vosburgh@canonical.com, miklos@szeredi.hu, linux-unionfs@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, gregkh@linuxfoundation.org, srivatsa@csail.mit.edu
+Message-ID: <20200204184958.6586-1-ioanna-maria.alifieraki@canonical.com>
+
+From: Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
+
+This reverts commit b24be4acd17a8963a29b2a92e1d80b9ddf759c95 which is commit
+c0ca3d70e8d3cf81e2255a217f7ca402f5ed0862 upstream.
+
+Commit b24be4acd17a ("ovl: modify ovl_permission() to do checks on two
+inodes") (stable kernel  id) breaks r/w access in overlayfs when setting
+ACL to files, in 4.4 stable kernel. There is an available reproducer in
+[1].
+
+To reproduce the issue :
+$./make-overlay.sh
+$./test.sh
+st_mode is 100644
+open failed: -1
+cat: /tmp/overlay/animal: Permission denied <---- Breaks access
+-rw-r--r-- 1 jo jo 0 Oct 11 09:57 /tmp/overlay/animal
+
+There are two options to fix this; (a) backport commit ce31513a9114
+("ovl: copyattr after setting POSIX ACL") to 4.4 or (b) revert offending
+commit b24be4acd17a ("ovl: modify ovl_permission() to do checks on two
+inodes"). Following option (a) entails high risk of regression since
+commit ce31513a9114 ("ovl: copyattr after setting POSIX ACL") has many
+dependencies on other commits that need to be backported too (~18
+commits).
+
+This patch proceeds with reverting commit b24be4acd17a ("ovl: modify
+ovl_permission() to do checks on two inodes").  The reverted commit is
+associated with CVE-2018-16597, however the test-script provided in [3]
+shows that 4.4 kernel is  NOT affected by this cve and therefore it's
+safe to revert it.
+
+The offending commit was introduced upstream in v4.8-rc1. At this point
+had nothing to do with any CVE.  It was related with CVE-2018-16597 as
+it was the fix for bug [2]. Later on it was backported to stable 4.4.
+
+The test-script [3] tests whether 4.4 kernel is affected by
+CVE-2018-16597. It tests the reproducer found in [2] plus a few more
+cases. The correct output of the script is failure with "Permission
+denied" when a normal user tries to overwrite root owned files.  For
+more details please refer to [4].
+
+[1] https://gist.github.com/thomas-holmes/711bcdb28e2b8e6d1c39c1d99d292af7
+[2] https://bugzilla.suse.com/show_bug.cgi?id=1106512#c0
+[3] https://launchpadlibrarian.net/459694705/test_overlay_permission.sh
+[4] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1851243
+
+Signed-off-by: Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/overlayfs/inode.c |   13 -------------
+ 1 file changed, 13 deletions(-)
+
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -9,7 +9,6 @@
+ 
+ #include <linux/fs.h>
+ #include <linux/slab.h>
+-#include <linux/cred.h>
+ #include <linux/xattr.h>
+ #include "overlayfs.h"
+ 
+@@ -92,7 +91,6 @@ int ovl_permission(struct inode *inode,
+ 	struct ovl_entry *oe;
+ 	struct dentry *alias = NULL;
+ 	struct inode *realinode;
+-	const struct cred *old_cred;
+ 	struct dentry *realdentry;
+ 	bool is_upper;
+ 	int err;
+@@ -145,18 +143,7 @@ int ovl_permission(struct inode *inode,
+ 			goto out_dput;
+ 	}
+ 
+-	/*
+-	 * Check overlay inode with the creds of task and underlying inode
+-	 * with creds of mounter
+-	 */
+-	err = generic_permission(inode, mask);
+-	if (err)
+-		goto out_dput;
+-
+-	old_cred = ovl_override_creds(inode->i_sb);
+ 	err = __inode_permission(realinode, mask);
+-	revert_creds(old_cred);
+-
+ out_dput:
+ 	dput(alias);
+ 	return err;
diff --git a/queue-4.4/series b/queue-4.4/series
index c6e566cc503..09acde4b2ca 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -21,3 +21,4 @@ pci-keystone-fix-link-training-retries-initiation.patch
 crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch
 scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch
 power-supply-ltc2941-battery-gauge-fix-use-after-free.patch
+revert-ovl-modify-ovl_permission-to-do-checks-on-two-inodes.patch