From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org, jejb@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Miklos Szeredi <mszeredi@suse.cz>,
Ulrich Drepper <drepper@redhat.com>,
Michael Kerrisk <mtk-manpages@gmx.net>
Subject: [patch 04/16] vfs: fix permission checking in sys_utimensat
Date: Thu, 8 May 2008 10:42:03 -0700
Message-ID: <20080508174203.GE855@suse.de>
In-Reply-To: <20080508174122.GA855@suse.de>
[-- Attachment #1: vfs-fix-permission-checking-in-sys_utimensat.patch --]
[-- Type: text/plain, Size: 2235 bytes --]
2.6.25-stable review patch. If anyone has any objections, please let us
know.
------------------
From: Miklos Szeredi <mszeredi@suse.cz>
commit: 02c6be615f1fcd37ac5ed93a3ad6692ad8991cd9 upstream
If utimensat() is called with both times set to UTIME_NOW or one of them to
UTIME_NOW and the other to UTIME_OMIT, then it will update the file time
without any permission checking.
I don't think this can be used for anything other than a local DoS, but could
be quite bewildering at that (e.g. "Why was that large source tree rebuilt
when I didn't modify anything???")
This affects all kernels from 2.6.22, when the utimensat() syscall was
introduced.
Fix by doing the same permission checking as for the "times == NULL" case.
Thanks to Michael Kerrisk, whose utimensat-non-conformances-and-fixes.patch in
-mm also fixes this (and breaks other stuff), only he didn't realize the
security implications of this bug.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: Ulrich Drepper <drepper@redhat.com>
Cc: Michael Kerrisk <mtk-manpages@gmx.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/utimes.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
--- a/fs/utimes.c
+++ b/fs/utimes.c
@@ -39,9 +39,14 @@ asmlinkage long sys_utime(char __user *f
#endif
+static bool nsec_special(long nsec)
+{
+ return nsec == UTIME_OMIT || nsec == UTIME_NOW;
+}
+
static bool nsec_valid(long nsec)
{
- if (nsec == UTIME_OMIT || nsec == UTIME_NOW)
+ if (nsec_special(nsec))
return true;
return nsec >= 0 && nsec <= 999999999;
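Review bot: nsec_special() is added without a comment, and after this patch it does more than support nsec_valid(): do_utimes() uses it to decide whether the explicit permission check runs. A one-line comment above the helper, saying that UTIME_OMIT and UTIME_NOW are sentinel tv_nsec values rather than nanosecond counts and that the permission decision depends on this test, would keep a later change aimed at validation from silently altering the security check.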
@@ -115,7 +120,15 @@ long do_utimes(int dfd, char __user *fil
newattrs.ia_mtime.tv_nsec = times[1].tv_nsec;
newattrs.ia_valid |= ATTR_MTIME_SET;
}
- } else {
+ }
+
+ /*
+ * If times is NULL or both times are either UTIME_OMIT or
+ * UTIME_NOW, then need to check permissions, because
+ * inode_change_ok() won't do it.
+ */
+ if (!times || (nsec_special(times[0].tv_nsec) &&
+ nsec_special(times[1].tv_nsec))) {
error = -EACCES;
if (IS_IMMUTABLE(inode))
goto dput_and_out;
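Review bot: the new condition in do_utimes() is also true when both tv_nsec fields are UTIME_OMIT, a call that changes neither timestamp, so that request now enters the -EACCES / IS_IMMUTABLE() path exactly as a real update would. If a no-op request should not fail on permissions, test for both fields being UTIME_OMIT before this block and skip the check; if failing is intended, the comment should say so, since it currently only explains why the check is needed. The comment's "then need to check permissions" would also read better as "we need to check permissions".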
--