public inbox for stable@vger.kernel.org
* [PATCH 4.19 0/1] Fix CVE-2021-3493
@ 2024-08-29 16:26 hsimeliere.opensource
  2024-08-29 16:26 ` [PATCH 4.19 1/1] vfs: move cap_convert_nscap() call into vfs_setxattr() hsimeliere.opensource
  2024-08-29 16:35 ` [PATCH 4.19 0/1] Fix CVE-2021-3493 Greg KH
  0 siblings, 2 replies; 6+ messages in thread
From: hsimeliere.opensource @ 2024-08-29 16:26 UTC (permalink / raw)
  To: stable


https://nvd.nist.gov/vuln/detail/CVE-2021-3493


* [PATCH 4.19 1/1] vfs: move cap_convert_nscap() call into vfs_setxattr()
  2024-08-29 16:26 [PATCH 4.19 0/1] Fix CVE-2021-3493 hsimeliere.opensource
@ 2024-08-29 16:26 ` hsimeliere.opensource
  2024-08-29 16:33   ` Greg KH
  2024-08-29 16:35 ` [PATCH 4.19 0/1] Fix CVE-2021-3493 Greg KH
  1 sibling, 1 reply; 6+ messages in thread
From: hsimeliere.opensource @ 2024-08-29 16:26 UTC (permalink / raw)
  To: stable; +Cc: Miklos Szeredi, James Morris, Hugo SIMELIERE

From: Miklos Szeredi <mszeredi@redhat.com>

commit 7c03e2cda4a584cadc398e8f6641ca9988a39d52 upstream.

cap_convert_nscap() does permission checking as well as conversion of the
xattr value conditionally based on fs's user-ns.

This is needed by overlayfs and probably other layered fs (ecryptfs) and is
what vfs_foo() is supposed to do anyway.

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Acked-by: James Morris <jamorris@linux.microsoft.com>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
---
 fs/xattr.c                 | 17 +++++++++++------
 include/linux/capability.h |  2 +-
 security/commoncap.c       |  3 +--
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/fs/xattr.c b/fs/xattr.c
index 5c3407e18e15..aa66b4efef6b 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -248,8 +248,16 @@ vfs_setxattr(struct dentry *dentry, const char *name, const void *value,
 {
 	struct inode *inode = dentry->d_inode;
 	struct inode *delegated_inode = NULL;
+	const void  *orig_value = value;
 	int error;
 
+	if (size && strcmp(name, XATTR_NAME_CAPS) == 0) {
+		error = cap_convert_nscap(dentry, &value, size);
+		if (error < 0)
+			return error;
+		size = error;
+	}
+
 retry_deleg:
 	inode_lock(inode);
 	error = __vfs_setxattr_locked(dentry, name, value, size, flags,
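
Review bot: In the block added at the top of vfs_setxattr(), `size = error;` reuses the `int error` variable to carry a length, which makes the success path harder to read; a separate local for the cap_convert_nscap() return value would be clearer. The declaration `const void  *orig_value` also has a doubled space before the `*`.
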
@@ -261,6 +269,9 @@ vfs_setxattr(struct dentry *dentry, const char *name, const void *value,
 		if (!error)
 			goto retry_deleg;
 	}
+	if (value != orig_value)
+		kfree(value);
+
 	return error;
 }
 EXPORT_SYMBOL_GPL(vfs_setxattr);
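
Review bot: The new `kfree(value)` before `return error` frees the buffer that cap_convert_nscap() substitutes for `value`, but the allocation of that buffer (`nscap`) is not shown anywhere in this patch; please confirm it is a kmalloc-family allocation so that kfree() is the matching release. A short comment saying that `value != orig_value` means cap_convert_nscap() allocated a replacement would also help the next reader.
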
@@ -509,12 +520,6 @@ setxattr(struct dentry *d, const char __user *name, const void __user *value,
 		if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
 		    (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
 			posix_acl_fix_xattr_from_user(kvalue, size);
-		else if (strcmp(kname, XATTR_NAME_CAPS) == 0) {
-			error = cap_convert_nscap(d, &kvalue, size);
-			if (error < 0)
-				goto out;
-			size = error;
-		}
 	}
 
 	error = vfs_setxattr(d, kname, kvalue, size, flags);
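
Review bot: With the XATTR_NAME_CAPS branch removed from setxattr(), the conversion and its permission check run only in vfs_setxattr(), so any path that calls __vfs_setxattr_locked() directly does not get them. The commit message should say whether such callers exist in 4.19 and why they are safe.
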
diff --git a/include/linux/capability.h b/include/linux/capability.h
index f640dcbc880c..9fee9a86505c 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -249,6 +249,6 @@ extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
 /* audit system wants to get cap info from files as well */
 extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
 
-extern int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size);
+extern int cap_convert_nscap(struct dentry *dentry, const void **ivalue, size_t size);
 
 #endif /* !_LINUX_CAPABILITY_H */
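
Review bot: The prototype change to `const void **ivalue` affects every caller of cap_convert_nscap(), while the diffstat touches only fs/xattr.c and security/commoncap.c besides this header; please confirm that no other caller in the 4.19 tree still passes a `void **`.
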
diff --git a/security/commoncap.c b/security/commoncap.c
index 28b204eacc7a..0e9f543d05f5 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -500,7 +500,7 @@ static bool validheader(size_t size, const struct vfs_cap_data *cap)
  *
  * If all is ok, we return the new size, on error return < 0.
  */
-int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size)
+int cap_convert_nscap(struct dentry *dentry, const void **ivalue, size_t size)
 {
 	struct vfs_ns_cap_data *nscap;
 	uid_t nsrootid;
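
Review bot: The comment above cap_convert_nscap() still only says "we return the new size, on error return < 0" and does not describe buffer ownership, which this patch changes. Please extend it to state that the input buffer is no longer freed here and that on success `*ivalue` points to a new allocation the caller must free.
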
@@ -543,7 +543,6 @@ int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size)
 	nscap->magic_etc = cpu_to_le32(nsmagic);
 	memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
 
-	kvfree(*ivalue);
 	*ivalue = nscap;
 	return newsize;
 }
-- 
2.43.0



* Re: [PATCH 4.19 1/1] vfs: move cap_convert_nscap() call into vfs_setxattr()
  2024-08-29 16:26 ` [PATCH 4.19 1/1] vfs: move cap_convert_nscap() call into vfs_setxattr() hsimeliere.opensource
@ 2024-08-29 16:33   ` Greg KH
  2024-08-29 16:53     ` hsimeliere.opensource
  0 siblings, 1 reply; 6+ messages in thread
From: Greg KH @ 2024-08-29 16:33 UTC (permalink / raw)
  To: hsimeliere.opensource; +Cc: stable, Miklos Szeredi, James Morris

On Thu, Aug 29, 2024 at 06:26:21PM +0200, hsimeliere.opensource@witekio.com wrote:
> From: Miklos Szeredi <mszeredi@redhat.com>
> 
> commit 7c03e2cda4a584cadc398e8f6641ca9988a39d52 upstream.
> 
> cap_convert_nscap() does permission checking as well as conversion of the
> xattr value conditionally based on fs's user-ns.
> 
> This is needed by overlayfs and probably other layered fs (ecryptfs) and is
> what vfs_foo() is supposed to do anyway.
> 
> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
> Acked-by: James Morris <jamorris@linux.microsoft.com>
> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
> ---
>  fs/xattr.c                 | 17 +++++++++++------
>  include/linux/capability.h |  2 +-
>  security/commoncap.c       |  3 +--
>  3 files changed, 13 insertions(+), 9 deletions(-)

Again, we can not take changes for only older kernels and not newer
ones.  Please resend for all applicable releases.

thanks,

greg k-h


* Re: [PATCH 4.19 0/1] Fix CVE-2021-3493
  2024-08-29 16:26 [PATCH 4.19 0/1] Fix CVE-2021-3493 hsimeliere.opensource
  2024-08-29 16:26 ` [PATCH 4.19 1/1] vfs: move cap_convert_nscap() call into vfs_setxattr() hsimeliere.opensource
@ 2024-08-29 16:35 ` Greg KH
  1 sibling, 0 replies; 6+ messages in thread
From: Greg KH @ 2024-08-29 16:35 UTC (permalink / raw)
  To: hsimeliere.opensource; +Cc: stable

On Thu, Aug 29, 2024 at 06:26:20PM +0200, hsimeliere.opensource@witekio.com wrote:
> 
> https://nvd.nist.gov/vuln/detail/CVE-2021-3493
> 

This "bug" was only applicable to Ubuntu kernel releases, why are you
thinking that it should be backported to kernel.org releases?

Please only send us fixes that are relevant for our kernel trees.

thanks,

greg k-h


* Re: [PATCH 4.19 1/1] vfs: move cap_convert_nscap() call into vfs_setxattr()
  2024-08-29 16:33   ` Greg KH
@ 2024-08-29 16:53     ` hsimeliere.opensource
  2024-08-29 16:57       ` Greg KH
  0 siblings, 1 reply; 6+ messages in thread
From: hsimeliere.opensource @ 2024-08-29 16:53 UTC (permalink / raw)
  To: greg; +Cc: hsimeliere.opensource, jamorris, mszeredi, stable

Ok so if a bug is fixed in version 5.15, we have to send the correction patches for version 5.10, 5.4 and 4.19 for it to be taken into account for version 4.19?

I'm sorry for the scope error on this bug, I'll be more attentive on the next ones, in order to send only corrections related to this kernel tree.

thanks,
Hugo SIMELIERE


* Re: [PATCH 4.19 1/1] vfs: move cap_convert_nscap() call into vfs_setxattr()
  2024-08-29 16:53     ` hsimeliere.opensource
@ 2024-08-29 16:57       ` Greg KH
  0 siblings, 0 replies; 6+ messages in thread
From: Greg KH @ 2024-08-29 16:57 UTC (permalink / raw)
  To: hsimeliere.opensource; +Cc: jamorris, mszeredi, stable

On Thu, Aug 29, 2024 at 06:53:12PM +0200, hsimeliere.opensource@witekio.com wrote:
> Ok so if a bug is fixed in version 5.15, we have to send the
> correction patches for version 5.10, 5.4 and 4.19 for it to be taken
> into account for version 4.19?

Yes.

> I'm sorry for the scope error on this bug, I'll be more attentive on
> the next ones, in order to send only corrections related to this
> kernel tree.

No problem, thanks for doing this work.

greg k-h
