From: Greg KH <gregkh@linuxfoundation.org>
To: Mark Salyzyn <salyzyn@android.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>,
LKML <linux-kernel@vger.kernel.org>,
aneesh.kumar@linux.vnet.ibm.com, Jan Kara <jack@suse.cz>
Subject: Re: CVE-2016-7097 causes acl leak
Date: Tue, 13 Dec 2016 16:00:05 -0800 [thread overview]
Message-ID: <20161214000005.GA29963@kroah.com> (raw)
In-Reply-To: <5c0398cb-9ef2-42f3-0c46-e2e65fe92da9@android.com>
On Tue, Dec 13, 2016 at 03:42:58PM -0800, Mark Salyzyn wrote:
> On 12/12/2016 10:26 PM, Cong Wang wrote:
> > On Mon, Dec 12, 2016 at 4:26 PM, Mark Salyzyn <salyzyn@android.com> wrote:
> > > The leaks were introduced in 9p, gfs2, jfs and xfs drivers only.
> >
> > Only the 9p case is obvious to me:
> >
> > diff --git a/fs/9p/acl.c b/fs/9p/acl.c
> > index b3c2cc7..082d227 100644
> > --- a/fs/9p/acl.c
> > +++ b/fs/9p/acl.c
> > @@ -277,6 +277,7 @@ static int v9fs_xattr_set_acl(const struct
> > xattr_handler *handler,
> > case ACL_TYPE_ACCESS:
> > if (acl) {
> > struct iattr iattr;
> > + struct posix_acl *old_acl = acl;
> >
> > retval = posix_acl_update_mode(inode,
> > &iattr.ia_mode, &acl);
> > if (retval)
> > @@ -287,6 +288,7 @@ static int v9fs_xattr_set_acl(const struct
> > xattr_handler *handler,
> > * by the mode bits. So don't
> > * update ACL.
> > */
> > + posix_acl_release(old_acl);
> > value = NULL;
> > size = 0;
> > }
> >
> >
> > The rest are anti-pattern (modifying parameters on stack via address)
> > but look correct.
>
> Greg KH: Beware that this similar fix needs to be applied to _backports_ to
> stable kernel trees on other filesystem driver that have the same pattern
> (with local posix_acl_release(acl) calls). I have found that depending on
> vintage these would include this driver 9p, and possibly gfs2, jfs and xfs.
> Be aware.
I don't understand what you mean here. What needs to be "backported" to
the stable tree? What commit in Linus's tree do I pick? If not a
commit there, where is it?
totally confused,
greg k-h
next prev parent reply other threads:[~2016-12-14 0:00 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-05 17:16 CVE-2016-7097 causes acl leak Mark Salyzyn
2016-12-11 18:48 ` Greg KH
2016-12-12 0:34 ` Cong Wang
2016-12-12 10:46 ` Jan Kara
2016-12-12 21:10 ` Cong Wang
2016-12-13 0:26 ` Mark Salyzyn
2016-12-13 6:26 ` Cong Wang
2016-12-13 11:28 ` Jan Kara
2016-12-13 23:56 ` Cong Wang
2016-12-13 15:55 ` Mark Salyzyn
2016-12-13 16:07 ` Jan Kara
2016-12-13 23:42 ` Mark Salyzyn
2016-12-14 0:00 ` Greg KH [this message]
2016-12-14 20:20 ` Mark Salyzyn
2016-12-14 23:30 ` Greg KH
2016-12-15 15:22 ` Mark Salyzyn
2016-12-15 16:32 ` Jan Kara
2016-12-13 11:17 ` Jan Kara
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161214000005.GA29963@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=aneesh.kumar@linux.vnet.ibm.com \
--cc=jack@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=salyzyn@android.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox