From fd3325b122c8985bc6d0e349e1aee278b56e2d73 Mon Sep 17 00:00:00 2001 From: Andreas Wellving Date: Fri, 26 Oct 2018 13:43:35 +0200 Subject: CVE-2018-13405 Fix up non-directory creation in SGID directories Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=d2c7c52431819aa05d76fae77bb3f95dd0955da1 Change-Id: Iea3f9c36876310831666a0179be73e20916e590f Signed-off-by: Andreas Wellving --- ...on-directory-creation-in-SGID-directories.patch | 52 ++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 patches/cve/CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch (limited to 'patches/cve/CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch') diff --git a/patches/cve/CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch b/patches/cve/CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch new file mode 100644 index 0000000..17bd471 --- /dev/null +++ b/patches/cve/CVE-2018-13405-Fix-up-non-directory-creation-in-SGID-directories.patch 
@@ -0,0 +1,52 @@ +From d2c7c52431819aa05d76fae77bb3f95dd0955da1 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Tue, 3 Jul 2018 17:10:19 -0700 +Subject: [PATCH] Fix up non-directory creation in SGID directories + +commit 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 upstream. + +sgid directories have special semantics, making newly created files in +the directory belong to the group of the directory, and newly created +subdirectories will also become sgid. This is historically used for +group-shared directories. + +But group directories writable by non-group members should not imply +that such non-group members can magically join the group, so make sure +to clear the sgid bit on non-directories for non-members (but remember +that sgid without group execute means "mandatory locking", just to +confuse things even more). + +CVE: CVE-2018-13405 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=d2c7c52431819aa05d76fae77bb3f95dd0955da1] + +Reported-by: Jann Horn +Cc: Andy Lutomirski +Cc: Al Viro +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Andreas Wellving +--- + fs/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/inode.c b/fs/inode.c +index 920aa0b1c6b0..2071ff5343c5 100644 +--- a/fs/inode.c ++++ b/fs/inode.c +@@ -2003,8 +2003,14 @@ void inode_init_owner(struct inode *inode, const struct inode *dir, + inode->i_uid = current_fsuid(); + if (dir && dir->i_mode & S_ISGID) { + inode->i_gid = dir->i_gid; ++ ++ /* Directories are special, and always inherit S_ISGID */ + if (S_ISDIR(mode)) + mode |= S_ISGID; ++ else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) && ++ !in_group_p(inode->i_gid) && ++ !capable_wrt_inode_uidgid(dir, CAP_FSETID)) ++ mode &= ~S_ISGID; + } else + inode->i_gid = current_fsgid(); + inode->i_mode = mode; + + -- cgit v1.2.3-54-g00ecf
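Review bot: The new `else if` branch in inode_init_owner() clears S_ISGID with no comment, although the directory branch just above it gained one. The reasoning in the commit message is not visible in the code: a non-member of the directory's group must not end up with an sgid file owned by that group, and the test requires both S_ISGID and S_IXGRP because sgid without group execute means mandatory locking. A short comment above `else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&` saying this, and noting that CAP_FSETID is checked against `dir` rather than the inode being initialised, would help later readers. With a three-line condition, the inner if/else-if chain would also be easier to read with braces. The diffstat shows the change is confined to fs/inode.c, so when carrying this backport it is worth confirming that the file-creation paths in this tree that take i_gid from an SGID parent go through inode_init_owner().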