From: Greg KH <gregkh@linuxfoundation.org>
To: Sheng Yong <shengyong1@huawei.com>
Cc: stable@vger.kernel.org, fdmanana@suse.com
Subject: Re: [request for 3.10 inclusion][PATCH 3/3] Btrfs: make xattr replace operations atomic
Date: Mon, 29 Jun 2015 17:19:56 -0700 [thread overview]
Message-ID: <20150630001956.GA6430@kroah.com> (raw)
In-Reply-To: <1433297367-122419-4-git-send-email-shengyong1@huawei.com>
On Wed, Jun 03, 2015 at 02:09:27AM +0000, Sheng Yong wrote:
> From: Filipe Manana <fdmanana@suse.com>
>
> commit 5f5bc6b1e2d5a6f827bc860ef2dc5b6f365d1339 upstream.
>
> Replacing a xattr consists of doing a lookup for its existing value, delete
> the current value from the respective leaf, release the search path and then
> finally insert the new value. This leaves a time window where readers (getxattr,
> listxattrs) won't see any value for the xattr. Xattrs are used to store ACLs,
> so this has security implications.
>
> This change also fixes 2 other existing issues which were:
>
> *) Deleting the old xattr value without verifying first if the new xattr will
> fit in the existing leaf item (in case multiple xattrs are packed in the
> same item due to name hash collision);
>
> *) Returning -EEXIST when the flag XATTR_CREATE is given and the xattr doesn't
> exist but we have have an existing item that packs muliple xattrs with
> the same name hash as the input xattr. In this case we should return ENOSPC.
>
> A test case for xfstests follows soon.
>
> Thanks to Alexandre Oliva for reporting the non-atomicity of the xattr replace
> implementation.
>
> Reported-by: Alexandre Oliva <oliva@gnu.org>
> Signed-off-by: Filipe Manana <fdmanana@suse.com>
> Signed-off-by: Chris Mason <clm@fb.com>
> [shengyong: backport to 3.10
> - FIX: CVE-2014-9710
> - adjust context
> - ASSERT() was added v3.12, so we do check with if statement
> - set the first parameter of btrfs_item_nr() as NULL, because it is not
> used, and is removed in v3.13
> ]
> Signed-off-by: Sheng Yong <shengyong1@huawei.com>
Thanks, I've also added this to 3.14-stable.
greg k-h
next prev parent reply other threads:[~2015-06-30 0:19 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-03 2:09 [request for 3.10 inclusion][PATCH 0/3] Address 3 CVEs Sheng Yong
2015-06-03 2:09 ` [request for 3.10 inclusion][PATCH 1/3] fs: take i_mutex during prepare_binprm for set[ug]id executables Sheng Yong
2015-06-03 2:09 ` [request for 3.10 inclusion][PATCH 2/3] x86/microcode/intel: Guard against stack overflow in the loader Sheng Yong
2015-06-03 2:09 ` [request for 3.10 inclusion][PATCH 3/3] Btrfs: make xattr replace operations atomic Sheng Yong
2015-06-30 0:19 ` Greg KH [this message]
2015-06-23 7:12 ` [request for 3.10 inclusion][PATCH 0/3] Address 3 CVEs Sheng Yong
2015-06-30 0:20 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150630001956.GA6430@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=fdmanana@suse.com \
--cc=shengyong1@huawei.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.