Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 030b533c4fd4d2ec3402363323de4bb2983c9cee
commit030b533c4fd4d2ec3402363323de4bb2983c9cee[log] [tgz]
authorJan Kara <jack@suse.cz>Thu May 26 17:21:32 2016 +0200
committerJan Kara <jack@suse.cz>Thu Sep 22 10:56:19 2016 +0200
tree1c59d4d47df600147f2e90a947cb82c1f57003ba
parent31051c85b5e2aaaf6315f74c72a732673632a905 [diff]
fs: Avoid premature clearing of capabilities

Currently, notify_change() clears capabilities or IMA attributes by
calling security_inode_killpriv() before calling into ->setattr. Thus it
happens before any other permission checks in inode_change_ok() and user
is thus allowed to trigger clearing of capabilities or IMA attributes
for any file he can look up e.g. by calling chown for that file. This is
unexpected and can lead to user DoSing a system.

Fix the problem by calling security_inode_killpriv() at the end of
inode_change_ok() instead of from notify_change(). At that moment we are
sure user has permissions to do the requested change.

References: CVE-2015-1350
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jan Kara <jack@suse.cz>
1 file changed
tree: 1c59d4d47df600147f2e90a947cb82c1f57003ba
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitignore
  26. .mailmap
  27. COPYING
  28. CREDITS
  29. Kbuild
  30. Kconfig
  31. MAINTAINERS
  32. Makefile
  33. README
  34. REPORTING-BUGS