* [4.4.y PATCH] Revert "ovl: modify ovl_permission() to do checks on two inodes"
@ 2020-02-04 18:49 Ioanna Alifieraki
2020-02-07 10:13 ` Greg KH
0 siblings, 1 reply; 2+ messages in thread
From: Ioanna Alifieraki @ 2020-02-04 18:49 UTC (permalink / raw)
To: ioanna.alifieraki, jay.vosburgh, miklos, linux-unionfs,
linux-kernel, stable, gregkh, srivatsa
This reverts commit b24be4acd17a8963a29b2a92e1d80b9ddf759c95.
Commit b24be4acd17a ("ovl: modify ovl_permission() to do checks on two
inodes") (stable kernel id) breaks r/w access in overlayfs when setting
ACL to files, in 4.4 stable kernel. There is an available reproducer in
[1].
To reproduce the issue :
$./make-overlay.sh
$./test.sh
st_mode is 100644
open failed: -1
cat: /tmp/overlay/animal: Permission denied <---- Breaks access
-rw-r--r-- 1 jo jo 0 Oct 11 09:57 /tmp/overlay/animal
There are two options to fix this; (a) backport commit ce31513a9114
("ovl: copyattr after setting POSIX ACL") to 4.4 or (b) revert offending
commit b24be4acd17a ("ovl: modify ovl_permission() to do checks on two
inodes"). Following option (a) entails high risk of regression since
commit ce31513a9114 ("ovl: copyattr after setting POSIX ACL") has many
dependencies on other commits that need to be backported too (~18
commits).
This patch proceeds with reverting commit b24be4acd17a ("ovl: modify
ovl_permission() to do checks on two inodes"). The reverted commit is
associated with CVE-2018-16597, however the test-script provided in [3]
shows that 4.4 kernel is NOT affected by this cve and therefore it's
safe to revert it.
The offending commit was introduced upstream in v4.8-rc1. At this point
had nothing to do with any CVE. It was related with CVE-2018-16597 as
it was the fix for bug [2]. Later on it was backported to stable 4.4.
The test-script [3] tests whether 4.4 kernel is affected by
CVE-2018-16597. It tests the reproducer found in [2] plus a few more
cases. The correct output of the script is failure with "Permission
denied" when a normal user tries to overwrite root owned files. For
more details please refer to [4].
[1] https://gist.github.com/thomas-holmes/711bcdb28e2b8e6d1c39c1d99d292af7
[2] https://bugzilla.suse.com/show_bug.cgi?id=1106512#c0
[3] https://launchpadlibrarian.net/459694705/test_overlay_permission.sh
[4] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1851243
Signed-off-by: Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
---
fs/overlayfs/inode.c | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
index 060482e349ef..013d27dc6f58 100644
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@ -9,7 +9,6 @@
#include <linux/fs.h>
#include <linux/slab.h>
-#include <linux/cred.h>
#include <linux/xattr.h>
#include "overlayfs.h"
@@ -92,7 +91,6 @@ int ovl_permission(struct inode *inode, int mask)
struct ovl_entry *oe;
struct dentry *alias = NULL;
struct inode *realinode;
- const struct cred *old_cred;
struct dentry *realdentry;
bool is_upper;
int err;
@@ -145,18 +143,7 @@ int ovl_permission(struct inode *inode, int mask)
goto out_dput;
}
- /*
- * Check overlay inode with the creds of task and underlying inode
- * with creds of mounter
- */
- err = generic_permission(inode, mask);
- if (err)
- goto out_dput;
-
- old_cred = ovl_override_creds(inode->i_sb);
err = __inode_permission(realinode, mask);
- revert_creds(old_cred);
-
out_dput:
dput(alias);
return err;
--
2.17.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [4.4.y PATCH] Revert "ovl: modify ovl_permission() to do checks on two inodes"
2020-02-04 18:49 [4.4.y PATCH] Revert "ovl: modify ovl_permission() to do checks on two inodes" Ioanna Alifieraki
@ 2020-02-07 10:13 ` Greg KH
0 siblings, 0 replies; 2+ messages in thread
From: Greg KH @ 2020-02-07 10:13 UTC (permalink / raw)
To: Ioanna Alifieraki
Cc: ioanna.alifieraki, jay.vosburgh, miklos, linux-unionfs,
linux-kernel, stable, srivatsa
On Tue, Feb 04, 2020 at 06:49:58PM +0000, Ioanna Alifieraki wrote:
> This reverts commit b24be4acd17a8963a29b2a92e1d80b9ddf759c95.
>
> Commit b24be4acd17a ("ovl: modify ovl_permission() to do checks on two
> inodes") (stable kernel id) breaks r/w access in overlayfs when setting
> ACL to files, in 4.4 stable kernel. There is an available reproducer in
> [1].
Thanks, now reverted.
greg k-h
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-02-07 10:13 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-04 18:49 [4.4.y PATCH] Revert "ovl: modify ovl_permission() to do checks on two inodes" Ioanna Alifieraki
2020-02-07 10:13 ` Greg KH
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.