Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 311724 Details for
Bug 455275
CVE-2008-2148 kernel: fix permission checking in sys_utimensat
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
Proposed upstream patch
vfs-fix-permission-checking-in-sys_utimensat.patch (text/plain), 2.31 KB, created by
Eugene Teo (Security Response)
on 2008-07-14 16:27:15 UTC
(
hide
)
Description:
Proposed upstream patch
Filename:
MIME Type:
Creator:
Eugene Teo (Security Response)
Created:
2008-07-14 16:27:15 UTC
Size:
2.31 KB
patch
obsolete
>From 02c6be615f1fcd37ac5ed93a3ad6692ad8991cd9 Mon Sep 17 00:00:00 2001 >From: Miklos Szeredi <mszeredi@suse.cz> >Date: Thu, 1 May 2008 04:34:45 -0700 >Subject: [PATCH] vfs: fix permission checking in sys_utimensat > >If utimensat() is called with both times set to UTIME_NOW or one of them to >UTIME_NOW and the other to UTIME_OMIT, then it will update the file time >without any permission checking. > >I don't think this can be used for anything other than a local DoS, but could >be quite bewildering at that (e.g. "Why was that large source tree rebuilt >when I didn't modify anything???") > >This affects all kernels from 2.6.22, when the utimensat() syscall was >introduced. > >Fix by doing the same permission checking as for the "times == NULL" case. > >Thanks to Michael Kerrisk, whose utimensat-non-conformances-and-fixes.patch in >-mm also fixes this (and breaks other stuff), only he didn't realize the >security implications of this bug. > >Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> >Cc: Ulrich Drepper <drepper@redhat.com> >Cc: Michael Kerrisk <mtk-manpages@gmx.net> >Cc: <stable@kernel.org> >Signed-off-by: Andrew Morton <akpm@linux-foundation.org> >Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> >--- > fs/utimes.c | 17 +++++++++++++++-- > 1 files changed, 15 insertions(+), 2 deletions(-) > >diff --git a/fs/utimes.c b/fs/utimes.c >index a2bef77..af059d5 100644 >--- a/fs/utimes.c >+++ b/fs/utimes.c >@@ -40,9 +40,14 @@ asmlinkage long sys_utime(char __user *filename, struct utimbuf __user *times) > > #endif > >+static bool nsec_special(long nsec) >+{ >+ return nsec == UTIME_OMIT || nsec == UTIME_NOW; >+} >+ > static bool nsec_valid(long nsec) > { >- if (nsec == UTIME_OMIT || nsec == UTIME_NOW) >+ if (nsec_special(nsec)) > return true; > > return nsec >= 0 && nsec <= 999999999; >@@ -119,7 +124,15 @@ long do_utimes(int dfd, char __user *filename, struct timespec *times, int flags > newattrs.ia_mtime.tv_nsec = times[1].tv_nsec; > newattrs.ia_valid |= ATTR_MTIME_SET; > } >- } else { >+ } >+ >+ /* >+ * If times is NULL or both times are either UTIME_OMIT or >+ * UTIME_NOW, then need to check permissions, because >+ * inode_change_ok() won't do it. >+ */ >+ if (!times || (nsec_special(times[0].tv_nsec) && >+ nsec_special(times[1].tv_nsec))) { > error = -EACCES; > if (IS_IMMUTABLE(inode)) > goto mnt_drop_write_and_out; >-- >1.5.5.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=311724">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 455275
: 311724