From 591ebc4c77e9483d25d1528a45e1f0d617048164 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 14 Jan 2008 13:32:42 -0800
Subject: [PATCH] 2.6.22.16 and 2.6.13.14 release
---
 releases/2.6.22.16/series | 1 +
 ...lags-to-determine-needed-permissions.patch | 55 +++++++++++++++++++
 ...lags-to-determine-needed-permissions.patch | 55 +++++++++++++++++++
 3 files changed, 111 insertions(+)
 create mode 100644 releases/2.6.22.16/series
 create mode 100644 releases/2.6.22.16/use-access-mode-instead-of-open-flags-to-determine-needed-permissions.patch
 create mode 100644 releases/2.6.23.14/use-access-mode-instead-of-open-flags-to-determine-needed-permissions.patch
diff --git a/releases/2.6.22.16/series b/releases/2.6.22.16/series
new file mode 100644
index 00000000000..9d50f2e91d1
--- /dev/null
+++ b/releases/2.6.22.16/series
@@ -0,0 +1 @@
+use-access-mode-instead-of-open-flags-to-determine-needed-permissions.patch
diff --git a/releases/2.6.22.16/use-access-mode-instead-of-open-flags-to-determine-needed-permissions.patch b/releases/2.6.22.16/use-access-mode-instead-of-open-flags-to-determine-needed-permissions.patch
new file mode 100644
index 00000000000..b70ce3a3a35
--- /dev/null
+++ b/releases/2.6.22.16/use-access-mode-instead-of-open-flags-to-determine-needed-permissions.patch
@@ -0,0 +1,55 @@
+From 974a9f0b47da74e28f68b9c8645c3786aa5ace1a Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Sat, 12 Jan 2008 14:06:34 -0800
+Subject: Use access mode instead of open flags to determine needed permissions (CVE-2008-0001)
+
+From: Linus Torvalds
+
+patch 974a9f0b47da74e28f68b9c8645c3786aa5ace1a in mainline
+
+Way back when (in commit 834f2a4a1554dc5b2598038b3fe8703defcbe467, aka
+"VFS: Allow the filesystem to return a full file pointer on open intent"
+to be exact), Trond changed the open logic to keep track of the original
+flags to a file open, in order to pass down the the intent of a dentry
+lookup to the low-level filesystem.
+
+However, when doing that reorganization, it changed the meaning of
+namei_flags, and thus inadvertently changed the test of access mode for
+directories (and RO filesystem) to use the wrong flag. So fix those
+test back to use access mode ("acc_mode") rather than the open flag
+("flag").
+
+Issue noticed by Bill Roman at Datalight.
+
+Reported-and-tested-by: Bill Roman
+Acked-by: Trond Myklebust
+Acked-by: Al Viro
+Cc: Christoph Hellwig
+Cc: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/namei.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -1543,7 +1543,7 @@ int may_open(struct nameidata *nd, int a
+ if (S_ISLNK(inode->i_mode))
+ return -ELOOP;
+
+- if (S_ISDIR(inode->i_mode) && (flag & FMODE_WRITE))
++ if (S_ISDIR(inode->i_mode) && (acc_mode & MAY_WRITE))
+ return -EISDIR;
+
+ error = vfs_permission(nd, acc_mode);
+@@ -1562,7 +1562,7 @@ int may_open(struct nameidata *nd, int a
+ return -EACCES;
+
+ flag &= ~O_TRUNC;
+- } else if (IS_RDONLY(inode) && (flag & FMODE_WRITE))
++ } else if (IS_RDONLY(inode) && (acc_mode & MAY_WRITE))
+ return -EROFS;
+ /*
+ * An append-only file must be opened in append mode for writing.
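Review bot: The second fs/namei.c hunk ends at the append-only comment, so the test under it is not visible here; it is worth confirming that it does not still decide "opened for writing" from `flag & FMODE_WRITE`, the same confusion of open flags with access mode that the two changed lines correct for directories and read-only filesystems. may_open() starts and ends outside both hunks, so this can only be checked against the full function. If any remaining test is deliberately left on `flag`, a comment above the S_ISDIR test such as `/* acc_mode holds the MAY_* permission bits; flag holds the open flags and is not a write-intent test */` would help keep the two from being mixed up again. The same applies to the identical copy of this patch under releases/2.6.23.14/.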
diff --git a/releases/2.6.23.14/use-access-mode-instead-of-open-flags-to-determine-needed-permissions.patch b/releases/2.6.23.14/use-access-mode-instead-of-open-flags-to-determine-needed-permissions.patch
new file mode 100644
index 00000000000..1e01731fb84
--- /dev/null
+++ b/releases/2.6.23.14/use-access-mode-instead-of-open-flags-to-determine-needed-permissions.patch
@@ -0,0 +1,55 @@
+From 974a9f0b47da74e28f68b9c8645c3786aa5ace1a Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Sat, 12 Jan 2008 14:06:34 -0800
+Subject: Use access mode instead of open flags to determine needed permissions (CVE-2008-0001)
+
+From: Linus Torvalds
+
+patch 974a9f0b47da74e28f68b9c8645c3786aa5ace1a in mainline
+
+Way back when (in commit 834f2a4a1554dc5b2598038b3fe8703defcbe467, aka
+"VFS: Allow the filesystem to return a full file pointer on open intent"
+to be exact), Trond changed the open logic to keep track of the original
+flags to a file open, in order to pass down the the intent of a dentry
+lookup to the low-level filesystem.
+
+However, when doing that reorganization, it changed the meaning of
+namei_flags, and thus inadvertently changed the test of access mode for
+directories (and RO filesystem) to use the wrong flag. So fix those
+test back to use access mode ("acc_mode") rather than the open flag
+("flag").
+
+Issue noticed by Bill Roman at Datalight.
+
+Reported-and-tested-by: Bill Roman
+Acked-by: Trond Myklebust
+Acked-by: Al Viro
+Cc: Christoph Hellwig
+Cc: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/namei.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -1576,7 +1576,7 @@ int may_open(struct nameidata *nd, int a
+ if (S_ISLNK(inode->i_mode))
+ return -ELOOP;
+
+- if (S_ISDIR(inode->i_mode) && (flag & FMODE_WRITE))
++ if (S_ISDIR(inode->i_mode) && (acc_mode & MAY_WRITE))
+ return -EISDIR;
+
+ error = vfs_permission(nd, acc_mode);
+@@ -1595,7 +1595,7 @@ int may_open(struct nameidata *nd, int a
+ return -EACCES;
+
+ flag &= ~O_TRUNC;
+- } else if (IS_RDONLY(inode) && (flag & FMODE_WRITE))
++ } else if (IS_RDONLY(inode) && (acc_mode & MAY_WRITE))
+ return -EROFS;
+ /*
+ * An append-only file must be opened in append mode for writing.
-- 
2.47.3
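Review bot: releases/2.6.23.14/ receives this patch file but no `series` file in the commit, whereas releases/2.6.22.16/ gets both, so unless the 2.6.23.14 series is tracked elsewhere, nothing in that directory records that the CVE-2008-0001 fix belongs to that release. The subject line also names "2.6.13.14", which does not match the releases/2.6.23.14/ path in the diffstat. Adding `releases/2.6.23.14/series` with the single entry `use-access-mode-instead-of-open-flags-to-determine-needed-permissions.patch` would make the two release directories consistent and auditable.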