From: Mark Salyzyn <salyzyn@android.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Cong Wang <xiyou.wangcong@gmail.com>,
LKML <linux-kernel@vger.kernel.org>,
aneesh.kumar@linux.vnet.ibm.com, Jan Kara <jack@suse.cz>
Subject: Re: CVE-2016-7097 causes acl leak
Date: Wed, 14 Dec 2016 12:20:50 -0800 [thread overview]
Message-ID: <3db72683-e810-38f8-87c8-dc7fa6a50aa6@android.com> (raw)
In-Reply-To: <20161214000005.GA29963@kroah.com>
On 12/13/2016 04:00 PM, Greg KH wrote:
> On Tue, Dec 13, 2016 at 03:42:58PM -0800, Mark Salyzyn wrote:
>> On 12/12/2016 10:26 PM, Cong Wang wrote:
>>> On Mon, Dec 12, 2016 at 4:26 PM, Mark Salyzyn <salyzyn@android.com> wrote:
>>>> The leaks were introduced in 9p, gfs2, jfs and xfs drivers only.
>>> Only the 9p case is obvious to me:
>>>
>>> diff --git a/fs/9p/acl.c b/fs/9p/acl.c
>>> index b3c2cc7..082d227 100644
>>> --- a/fs/9p/acl.c
>>> +++ b/fs/9p/acl.c
>>> @@ -277,6 +277,7 @@ static int v9fs_xattr_set_acl(const struct
>>> xattr_handler *handler,
>>> case ACL_TYPE_ACCESS:
>>> if (acl) {
>>> struct iattr iattr;
>>> + struct posix_acl *old_acl = acl;
>>>
>>> retval = posix_acl_update_mode(inode,
>>> &iattr.ia_mode, &acl);
>>> if (retval)
>>> @@ -287,6 +288,7 @@ static int v9fs_xattr_set_acl(const struct
>>> xattr_handler *handler,
>>> * by the mode bits. So don't
>>> * update ACL.
>>> */
>>> + posix_acl_release(old_acl);
>>> value = NULL;
>>> size = 0;
>>> }
>>>
>>>
>>> The rest are anti-pattern (modifying parameters on stack via address)
>>> but look correct.
>> Greg KH: Beware that this similar fix needs to be applied to _backports_ to
>> stable kernel trees on other filesystem driver that have the same pattern
>> (with local posix_acl_release(acl) calls). I have found that depending on
>> vintage these would include this driver 9p, and possibly gfs2, jfs and xfs.
>> Be aware.
> I don't understand what you mean here. What needs to be "backported" to
> the stable tree? What commit in Linus's tree do I pick? If not a
> commit there, where is it?
>
> totally confused,
>
> greg k-h
In 3.10-stable if you took the original CVE-2016-7097 fix it could break
four file system drivers, the fix for each would 'look like' this one
fix for the 9p driver.
-- Mark
next prev parent reply other threads:[~2016-12-14 20:20 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-05 17:16 CVE-2016-7097 causes acl leak Mark Salyzyn
2016-12-11 18:48 ` Greg KH
2016-12-12 0:34 ` Cong Wang
2016-12-12 10:46 ` Jan Kara
2016-12-12 21:10 ` Cong Wang
2016-12-13 0:26 ` Mark Salyzyn
2016-12-13 6:26 ` Cong Wang
2016-12-13 11:28 ` Jan Kara
2016-12-13 23:56 ` Cong Wang
2016-12-13 15:55 ` Mark Salyzyn
2016-12-13 16:07 ` Jan Kara
2016-12-13 23:42 ` Mark Salyzyn
2016-12-14 0:00 ` Greg KH
2016-12-14 20:20 ` Mark Salyzyn [this message]
2016-12-14 23:30 ` Greg KH
2016-12-15 15:22 ` Mark Salyzyn
2016-12-15 16:32 ` Jan Kara
2016-12-13 11:17 ` Jan Kara
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3db72683-e810-38f8-87c8-dc7fa6a50aa6@android.com \
--to=salyzyn@android.com \
--cc=aneesh.kumar@linux.vnet.ibm.com \
--cc=gregkh@linuxfoundation.org \
--cc=jack@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox