Summary: |
CVE-2009-4131 kernel: ext4: Fix insufficient checks in EXT4_IOC_MOVE_EXT |
Product: |
[Other] Security Response
|
Reporter: |
Eugene Teo (Security Response) <eteo> |
Component: |
vulnerability | Assignee: |
Red Hat Product Security <security-response-team> |
Status: |
CLOSED
ERRATA
|
QA Contact: |
|
Severity: |
high
|
Docs Contact: |
|
Priority: |
high
|
|
|
Version: |
unspecified | CC: |
arozansk, cebbert, davej, esandeen, fche, jlieskov, jpirko, kyle, lwang, mjc, rcvalle, security-response-team, the.ridikulus.rat
|
Target Milestone: |
--- | Keywords: |
Security |
Target Release: |
--- | |
|
Hardware: |
All | |
|
OS: |
Linux | |
|
Whiteboard: |
|
Fixed In Version:
|
|
Doc Type:
|
Bug Fix
|
Doc Text:
|
|
Story Points:
|
---
|
Clone Of:
|
|
Environment:
|
|
Last Closed:
|
2010-12-21 22:06:50 UTC
|
Type:
|
---
|
Regression:
|
---
|
Mount Type:
|
---
|
Documentation:
|
---
|
CRM:
|
|
Verified Versions:
|
|
Category:
|
---
|
oVirt Team:
|
---
|
RHEL 7.3 requirements from Atomic Host:
|
|
Cloudforms Team:
|
---
|
Target Upstream Version:
|
|
Embargoed:
|
|
| |
Bug Depends On: |
546105
|
|
|
Bug Blocks: |
|
|
|
Description of problem: >From 910123ba363623f15ffb5d05dd87bdf06d08c609 Mon Sep 17 00:00:00 2001 From: Akira Fujita <a-fujita.nec.com> Date: Sun, 6 Dec 2009 23:38:31 -0500 Subject: [PATCH] ext4: Fix insufficient checks in EXT4_IOC_MOVE_EXT This patch fixes three problems in the handling of the EXT4_IOC_MOVE_EXT ioctl: 1. In current EXT4_IOC_MOVE_EXT, there are read access mode checks for original and donor files, but they allow the illegal write access to donor file, since donor file is overwritten by original file data. To fix this problem, change access mode checks of original (r->r/w) and donor (r->w) files. 2. Disallow the use of donor files that have a setuid or setgid bits. 3. Call mnt_want_write() and mnt_drop_write() before and after ext4_move_extents() calling to get write access to a mount. Signed-off-by: Akira Fujita <a-fujita.nec.com> Signed-off-by: "Theodore Ts'o" <tytso> --- fs/ext4/ioctl.c | 30 ++++++++++++++++++------------ fs/ext4/move_extent.c | 7 +++++++ 2 files changed, 25 insertions(+), 12 deletions(-) diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c index 31e5ee0..b63d193 100644 --- a/fs/ext4/ioctl.c +++ b/fs/ext4/ioctl.c @@ -221,32 +221,38 @@ setversion_out: struct file *donor_filp; int err; + if (!(filp->f_mode & FMODE_READ) || + !(filp->f_mode & FMODE_WRITE)) + return -EBADF; + if (copy_from_user(&me, (struct move_extent __user *)arg, sizeof(me))) return -EFAULT; + me.moved_len = 0; donor_filp = fget(me.donor_fd); if (!donor_filp) return -EBADF; - if (!capable(CAP_DAC_OVERRIDE)) { - if ((current->real_cred->fsuid != inode->i_uid) || - !(inode->i_mode & S_IRUSR) || - !(donor_filp->f_dentry->d_inode->i_mode & - S_IRUSR)) { - fput(donor_filp); - return -EACCES; - } + if (!(donor_filp->f_mode & FMODE_WRITE)) { + err = -EBADF; + goto mext_out; } - me.moved_len = 0; + err = mnt_want_write(filp->f_path.mnt); + if (err) + goto mext_out; + err = ext4_move_extents(filp, donor_filp, me.orig_start, me.donor_start, me.len, &me.moved_len); - fput(donor_filp); + mnt_drop_write(filp->f_path.mnt); + if (me.moved_len > 0) + file_remove_suid(donor_filp); if (copy_to_user((struct move_extent *)arg, &me, sizeof(me))) - return -EFAULT; - + err = -EFAULT; +mext_out: + fput(donor_filp); return err; } diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c index cad1e2e..82c415b 100644 --- a/fs/ext4/move_extent.c +++ b/fs/ext4/move_extent.c @@ -957,6 +957,13 @@ mext_check_arguments(struct inode *orig_inode, return -EINVAL; } + if (donor_inode->i_mode & (S_ISUID|S_ISGID)) { + ext4_debug("ext4 move extent: suid or sgid is set" + " to donor file [ino:orig %lu, donor %lu]\n", + orig_inode->i_ino, donor_inode->i_ino); + return -EINVAL; + } + /* Ext4 move extent does not support swapfile */ if (IS_SWAPFILE(orig_inode) || IS_SWAPFILE(donor_inode)) { ext4_debug("ext4 move extent: The argument files should " -- 1.6.5.216.g5288a.dirty