CVE-2018-13405

Fix up non-directory creation in SGID directories

References:
https://github.com/torvalds/linux/commit/0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7

Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>

Change-Id: Ia7dac6a7721e48900f93ff492f4d3c54114a0d08

2 files changed, 52 insertions, 0 deletions

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index 0121888..6de2c9b 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -35,3 +35,5 @@ patch CVE-2018-10881-ext4-clear-i_data-in-ext4_inode_info-when-removing-i.patch
 patch CVE-2018-10882-ext4-add-more-inode-number-paranoia-checks.patch
 patch CVE-2018-9516-HID-debug-check-length-before-copy_to_user.patch
 
+#CVEs fixed in 4.9.113:
+patch CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch
diff --git a/patches/cve/CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch b/patches/cve/CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch
new file mode 100644
index 0000000..58022b3
--- /dev/null
+++ b/patches/cve/CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch
@@ -0,0 +1,50 @@
+From 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue, 3 Jul 2018 17:10:19 -0700
+Subject: [PATCH] Fix up non-directory creation in SGID directories
+
+sgid directories have special semantics, making newly created files in
+the directory belong to the group of the directory, and newly created
+subdirectories will also become sgid.  This is historically used for
+group-shared directories.
+
+But group directories writable by non-group members should not imply
+that such non-group members can magically join the group, so make sure
+to clear the sgid bit on non-directories for non-members (but remember
+that sgid without group execute means "mandatory locking", just to
+confuse things even more).
+
+CVE: CVE-2018-11237   
+Upstream-Status: Backport  
+
+Reported-by: Jann Horn <jannh@google.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/inode.c b/fs/inode.c
+index 2c300e9..8c86c80 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -1999,8 +1999,14 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
+        inode->i_uid = current_fsuid();
+        if (dir && dir->i_mode & S_ISGID) {
+                inode->i_gid = dir->i_gid;
++
++               /* Directories are special, and always inherit S_ISGID */
+                if (S_ISDIR(mode))
+                        mode |= S_ISGID;
++               else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
++                        !in_group_p(inode->i_gid) &&
++                        !capable_wrt_inode_uidgid(dir, CAP_FSETID))
++                       mode &= ~S_ISGID;
+        } else
+                inode->i_gid = current_fsgid();
+        inode->i_mode = mode;
+-- 
+
+