This reverts commit b24be4acd17a8963a29b2a92e1d80b9ddf759c95.
Commit b24be4acd17a ("ovl: modify ovl_permission() to do checks on two inodes") (stable kernel id) breaks r/w access in overlayfs when setting ACL to files, in 4.4 stable kernel. There is an available reproducer in [1].
To reproduce the issue : $./make-overlay.sh $./test.sh st_mode is 100644 open failed: -1 cat: /tmp/overlay/animal: Permission denied <---- Breaks access -rw-r--r-- 1 jo jo 0 Oct 11 09:57 /tmp/overlay/animal
There are two options to fix this; (a) backport commit ce31513a9114 ("ovl: copyattr after setting POSIX ACL") to 4.4 or (b) revert offending commit b24be4acd17a ("ovl: modify ovl_permission() to do checks on two inodes"). Following option (a) entails high risk of regression since commit ce31513a9114 ("ovl: copyattr after setting POSIX ACL") has many dependencies on other commits that need to be backported too (~18 commits).
This patch proceeds with reverting commit b24be4acd17a ("ovl: modify ovl_permission() to do checks on two inodes"). The reverted commit is associated with CVE-2018-16597, however the test-script provided in [3] shows that 4.4 kernel is NOT affected by this cve and therefore it's safe to revert it.
The offending commit was introduced upstream in v4.8-rc1. At this point had nothing to do with any CVE. It was related with CVE-2018-16597 as it was the fix for bug [2]. Later on it was backported to stable 4.4.
The test-script [3] tests whether 4.4 kernel is affected by CVE-2018-16597. It tests the reproducer found in [2] plus a few more cases. The correct output of the script is failure with "Permission denied" when a normal user tries to overwrite root owned files. For more details please refer to [4].
[1] https://gist.github.com/thomas-holmes/711bcdb28e2b8e6d1c39c1d99d292af7 [2] https://bugzilla.suse.com/show_bug.cgi?id=1106512#c0 [3] https://launchpadlibrarian.net/459694705/test_overlay_permission.sh [4] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1851243
Signed-off-by: Ioanna Alifieraki ioanna-maria.alifieraki@canonical.com --- fs/overlayfs/inode.c | 13 ------------- 1 file changed, 13 deletions(-)
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c index 060482e349ef..013d27dc6f58 100644 --- a/fs/overlayfs/inode.c +++ b/fs/overlayfs/inode.c @@ -9,7 +9,6 @@
#include <linux/fs.h> #include <linux/slab.h> -#include <linux/cred.h> #include <linux/xattr.h> #include "overlayfs.h"
@@ -92,7 +91,6 @@ int ovl_permission(struct inode *inode, int mask) struct ovl_entry *oe; struct dentry *alias = NULL; struct inode *realinode; - const struct cred *old_cred; struct dentry *realdentry; bool is_upper; int err; @@ -145,18 +143,7 @@ int ovl_permission(struct inode *inode, int mask) goto out_dput; }
- /* - * Check overlay inode with the creds of task and underlying inode - * with creds of mounter - */ - err = generic_permission(inode, mask); - if (err) - goto out_dput; - - old_cred = ovl_override_creds(inode->i_sb); err = __inode_permission(realinode, mask); - revert_creds(old_cred); - out_dput: dput(alias); return err;