From: Mark Salyzyn <salyzyn@android.com>
To: Cong Wang <xiyou.wangcong@gmail.com>
Cc: LKML <linux-kernel@vger.kernel.org>,
aneesh.kumar@linux.vnet.ibm.com, Jan Kara <jack@suse.cz>,
Greg KH <gregkh@linuxfoundation.org>
Subject: Re: CVE-2016-7097 causes acl leak
Date: Tue, 13 Dec 2016 15:42:58 -0800 [thread overview]
Message-ID: <5c0398cb-9ef2-42f3-0c46-e2e65fe92da9@android.com> (raw)
In-Reply-To: <CAM_iQpUp2rFhsu+VZ_FN5RJyTA69mEbqvFju2+0O2VjeLKj5jg@mail.gmail.com>
On 12/12/2016 10:26 PM, Cong Wang wrote:
> On Mon, Dec 12, 2016 at 4:26 PM, Mark Salyzyn <salyzyn@android.com> wrote:
>> The leaks were introduced in 9p, gfs2, jfs and xfs drivers only.
>
> Only the 9p case is obvious to me:
>
> diff --git a/fs/9p/acl.c b/fs/9p/acl.c
> index b3c2cc7..082d227 100644
> --- a/fs/9p/acl.c
> +++ b/fs/9p/acl.c
> @@ -277,6 +277,7 @@ static int v9fs_xattr_set_acl(const struct
> xattr_handler *handler,
> case ACL_TYPE_ACCESS:
> if (acl) {
> struct iattr iattr;
> + struct posix_acl *old_acl = acl;
>
> retval = posix_acl_update_mode(inode,
> &iattr.ia_mode, &acl);
> if (retval)
> @@ -287,6 +288,7 @@ static int v9fs_xattr_set_acl(const struct
> xattr_handler *handler,
> * by the mode bits. So don't
> * update ACL.
> */
> + posix_acl_release(old_acl);
> value = NULL;
> size = 0;
> }
>
>
> The rest are anti-pattern (modifying parameters on stack via address)
> but look correct.
Greg KH: Beware that this similar fix needs to be applied to _backports_
to stable kernel trees on other filesystem driver that have the same
pattern (with local posix_acl_release(acl) calls). I have found that
depending on vintage these would include this driver 9p, and possibly
gfs2, jfs and xfs. Be aware.
Sincerely -- Mark Salyzyn
next prev parent reply other threads:[~2016-12-13 23:43 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-05 17:16 CVE-2016-7097 causes acl leak Mark Salyzyn
2016-12-11 18:48 ` Greg KH
2016-12-12 0:34 ` Cong Wang
2016-12-12 10:46 ` Jan Kara
2016-12-12 21:10 ` Cong Wang
2016-12-13 0:26 ` Mark Salyzyn
2016-12-13 6:26 ` Cong Wang
2016-12-13 11:28 ` Jan Kara
2016-12-13 23:56 ` Cong Wang
2016-12-13 15:55 ` Mark Salyzyn
2016-12-13 16:07 ` Jan Kara
2016-12-13 23:42 ` Mark Salyzyn [this message]
2016-12-14 0:00 ` Greg KH
2016-12-14 20:20 ` Mark Salyzyn
2016-12-14 23:30 ` Greg KH
2016-12-15 15:22 ` Mark Salyzyn
2016-12-15 16:32 ` Jan Kara
2016-12-13 11:17 ` Jan Kara
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5c0398cb-9ef2-42f3-0c46-e2e65fe92da9@android.com \
--to=salyzyn@android.com \
--cc=aneesh.kumar@linux.vnet.ibm.com \
--cc=gregkh@linuxfoundation.org \
--cc=jack@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox