diff options
| author | Andreas Wellving <andreas.wellving@enea.com> | 2019-05-22 11:12:26 +0200 |
|---|---|---|
| committer | Adrian Mangeac <Adrian.Mangeac@enea.com> | 2019-05-22 12:44:26 +0200 |
| commit | eaa7bd5a148dd74ff93e2d8e65ce774f05405ddf (patch) | |
| tree | 5c6bce9b17f686f49dfa3f57c9af47087c557654 | |
| parent | 80641a060cf6f03e3b13f9c703fe7f91a1f1b3e3 (diff) | |
| download | enea-kernel-cache-eaa7bd5a148dd74ff93e2d8e65ce774f05405ddf.tar.gz | |
CVE-2018-13405
Fix up non-directory creation in SGID directories
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-13405
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=298243a5fb640f018e2fae22c0c895f1b27f0963
Change-Id: Ia5bb134fc9fecf9b9647197073f1a6bba7ae27eb
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
| -rw-r--r-- | patches/cve/CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/patches/cve/CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch b/patches/cve/CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch new file mode 100644 index 0000000..d5eb1c0 --- /dev/null +++ b/patches/cve/CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch | |||
| @@ -0,0 +1,53 @@ | |||
| 1 | From 298243a5fb640f018e2fae22c0c895f1b27f0963 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Linus Torvalds <torvalds@linux-foundation.org> | ||
| 3 | Date: Tue, 3 Jul 2018 17:10:19 -0700 | ||
| 4 | Subject: [PATCH] Fix up non-directory creation in SGID directories | ||
| 5 | |||
| 6 | commit 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 upstream. | ||
| 7 | |||
| 8 | sgid directories have special semantics, making newly created files in | ||
| 9 | the directory belong to the group of the directory, and newly created | ||
| 10 | subdirectories will also become sgid. This is historically used for | ||
| 11 | group-shared directories. | ||
| 12 | |||
| 13 | But group directories writable by non-group members should not imply | ||
| 14 | that such non-group members can magically join the group, so make sure | ||
| 15 | to clear the sgid bit on non-directories for non-members (but remember | ||
| 16 | that sgid without group execute means "mandatory locking", just to | ||
| 17 | confuse things even more). | ||
| 18 | |||
| 19 | CVE: CVE-2018-13405 | ||
| 20 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=298243a5fb640f018e2fae22c0c895f1b27f0963] | ||
| 21 | |||
| 22 | Reported-by: Jann Horn <jannh@google.com> | ||
| 23 | Cc: Andy Lutomirski <luto@kernel.org> | ||
| 24 | Cc: Al Viro <viro@zeniv.linux.org.uk> | ||
| 25 | Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> | ||
| 26 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
| 27 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 28 | --- | ||
| 29 | fs/inode.c | 6 ++++++ | ||
| 30 | 1 file changed, 6 insertions(+) | ||
| 31 | |||
| 32 | diff --git a/fs/inode.c b/fs/inode.c | ||
| 33 | index e07b3e1f5970..cfc36d11bcb3 100644 | ||
| 34 | --- a/fs/inode.c | ||
| 35 | +++ b/fs/inode.c | ||
| 36 | @@ -2006,8 +2006,14 @@ void inode_init_owner(struct inode *inode, const struct inode *dir, | ||
| 37 | inode->i_uid = current_fsuid(); | ||
| 38 | if (dir && dir->i_mode & S_ISGID) { | ||
| 39 | inode->i_gid = dir->i_gid; | ||
| 40 | + | ||
| 41 | + /* Directories are special, and always inherit S_ISGID */ | ||
| 42 | if (S_ISDIR(mode)) | ||
| 43 | mode |= S_ISGID; | ||
| 44 | + else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) && | ||
| 45 | + !in_group_p(inode->i_gid) && | ||
| 46 | + !capable_wrt_inode_uidgid(dir, CAP_FSETID)) | ||
| 47 | + mode &= ~S_ISGID; | ||
| 48 | } else | ||
| 49 | inode->i_gid = current_fsgid(); | ||
| 50 | inode->i_mode = mode; | ||
| 51 | -- | ||
| 52 | 2.20.1 | ||
| 53 | |||