diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 10:06:00 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 10:06:00 +0000 |
| commit | b15a952c52a6825376d3e7f6c1bf5c886c6d8b74 (patch) | |
| tree | 1500f2f8f276908a36d8126cb632c0d6b1276764 /debian/patches/bugfix/all/vfs-move-cap_convert_nscap-call-into-vfs_setxattr.patch | |
| parent | Adding upstream version 5.10.209. (diff) | |
| download | linux-b15a952c52a6825376d3e7f6c1bf5c886c6d8b74.tar.xz linux-b15a952c52a6825376d3e7f6c1bf5c886c6d8b74.zip | |
Adding debian version 5.10.209-2.debian/5.10.209-2debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/bugfix/all/vfs-move-cap_convert_nscap-call-into-vfs_setxattr.patch')
| -rw-r--r-- | debian/patches/bugfix/all/vfs-move-cap_convert_nscap-call-into-vfs_setxattr.patch | 100 |
1 files changed, 100 insertions, 0 deletions
diff --git a/debian/patches/bugfix/all/vfs-move-cap_convert_nscap-call-into-vfs_setxattr.patch b/debian/patches/bugfix/all/vfs-move-cap_convert_nscap-call-into-vfs_setxattr.patch new file mode 100644 index 000000000..d6f698251 --- /dev/null +++ b/debian/patches/bugfix/all/vfs-move-cap_convert_nscap-call-into-vfs_setxattr.patch @@ -0,0 +1,100 @@ +From: Miklos Szeredi <mszeredi@redhat.com> +Date: Mon, 14 Dec 2020 15:26:13 +0100 +Subject: vfs: move cap_convert_nscap() call into vfs_setxattr() +Origin: https://git.kernel.org/linus/7c03e2cda4a584cadc398e8f6641ca9988a39d52 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-3493 + +cap_convert_nscap() does permission checking as well as conversion of the +xattr value conditionally based on fs's user-ns. + +This is needed by overlayfs and probably other layered fs (ecryptfs) and is +what vfs_foo() is supposed to do anyway. + +Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> +Acked-by: James Morris <jamorris@linux.microsoft.com> +--- + fs/xattr.c | 17 +++++++++++------ + include/linux/capability.h | 2 +- + security/commoncap.c | 3 +-- + 3 files changed, 13 insertions(+), 9 deletions(-) + +diff --git a/fs/xattr.c b/fs/xattr.c +index cd7a563e8bcd..fd57153b1f61 100644 +--- a/fs/xattr.c ++++ b/fs/xattr.c +@@ -276,8 +276,16 @@ vfs_setxattr(struct dentry *dentry, const char *name, const void *value, + { + struct inode *inode = dentry->d_inode; + struct inode *delegated_inode = NULL; ++ const void *orig_value = value; + int error; + ++ if (size && strcmp(name, XATTR_NAME_CAPS) == 0) { ++ error = cap_convert_nscap(dentry, &value, size); ++ if (error < 0) ++ return error; ++ size = error; ++ } ++ + retry_deleg: + inode_lock(inode); + error = __vfs_setxattr_locked(dentry, name, value, size, flags, +@@ -289,6 +297,9 @@ vfs_setxattr(struct dentry *dentry, const char *name, const void *value, + if (!error) + goto retry_deleg; + } ++ if (value != orig_value) ++ kfree(value); ++ + return error; + } + EXPORT_SYMBOL_GPL(vfs_setxattr); +@@ -537,12 +548,6 @@ setxattr(struct dentry *d, const char __user *name, const void __user *value, + if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) || + (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0)) + posix_acl_fix_xattr_from_user(kvalue, size); +- else if (strcmp(kname, XATTR_NAME_CAPS) == 0) { +- error = cap_convert_nscap(d, &kvalue, size); +- if (error < 0) +- goto out; +- size = error; +- } + } + + error = vfs_setxattr(d, kname, kvalue, size, flags); +diff --git a/include/linux/capability.h b/include/linux/capability.h +index 1e7fe311cabe..b2f698915c0f 100644 +--- a/include/linux/capability.h ++++ b/include/linux/capability.h +@@ -270,6 +270,6 @@ static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns) + /* audit system wants to get cap info from files as well */ + extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps); + +-extern int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size); ++extern int cap_convert_nscap(struct dentry *dentry, const void **ivalue, size_t size); + + #endif /* !_LINUX_CAPABILITY_H */ +diff --git a/security/commoncap.c b/security/commoncap.c +index 59bf3c1674c8..bacc1111d871 100644 +--- a/security/commoncap.c ++++ b/security/commoncap.c +@@ -473,7 +473,7 @@ static bool validheader(size_t size, const struct vfs_cap_data *cap) + * + * If all is ok, we return the new size, on error return < 0. + */ +-int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size) ++int cap_convert_nscap(struct dentry *dentry, const void **ivalue, size_t size) + { + struct vfs_ns_cap_data *nscap; + uid_t nsrootid; +@@ -516,7 +516,6 @@ int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size) + nscap->magic_etc = cpu_to_le32(nsmagic); + memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32); + +- kvfree(*ivalue); + *ivalue = nscap; + return newsize; + } +-- +2.31.0 + |