diff options
| author | Miklos Szeredi <mszeredi@suse.cz> | 2008-05-01 07:34:45 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-05-01 11:03:59 -0400 |
| commit | 02c6be615f1fcd37ac5ed93a3ad6692ad8991cd9 (patch) | |
| tree | 9c5047ed8b165a3388d5c61b2702f7cc12954766 /fs/utimes.c | |
| parent | 2850699c59d513a0cd0c68f60f75609a5f9d4d32 (diff) | |
vfs: fix permission checking in sys_utimensat
If utimensat() is called with both times set to UTIME_NOW or one of them to
UTIME_NOW and the other to UTIME_OMIT, then it will update the file time
without any permission checking.
I don't think this can be used for anything other than a local DoS, but could
be quite bewildering at that (e.g. "Why was that large source tree rebuilt
when I didn't modify anything???")
This affects all kernels from 2.6.22, when the utimensat() syscall was
introduced.
Fix by doing the same permission checking as for the "times == NULL" case.
Thanks to Michael Kerrisk, whose utimensat-non-conformances-and-fixes.patch in
-mm also fixes this (and breaks other stuff), only he didn't realize the
security implications of this bug.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: Ulrich Drepper <drepper@redhat.com>
Cc: Michael Kerrisk <mtk-manpages@gmx.net>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/utimes.c')
| -rw-r--r-- | fs/utimes.c | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/fs/utimes.c b/fs/utimes.c index a2bef77dc9c9..af059d5cb485 100644 --- a/fs/utimes.c +++ b/fs/utimes.c | |||
| @@ -40,9 +40,14 @@ asmlinkage long sys_utime(char __user *filename, struct utimbuf __user *times) | |||
| 40 | 40 | ||
| 41 | #endif | 41 | #endif |
| 42 | 42 | ||
| 43 | static bool nsec_special(long nsec) | ||
| 44 | { | ||
| 45 | return nsec == UTIME_OMIT || nsec == UTIME_NOW; | ||
| 46 | } | ||
| 47 | |||
| 43 | static bool nsec_valid(long nsec) | 48 | static bool nsec_valid(long nsec) |
| 44 | { | 49 | { |
| 45 | if (nsec == UTIME_OMIT || nsec == UTIME_NOW) | 50 | if (nsec_special(nsec)) |
| 46 | return true; | 51 | return true; |
| 47 | 52 | ||
| 48 | return nsec >= 0 && nsec <= 999999999; | 53 | return nsec >= 0 && nsec <= 999999999; |
| @@ -119,7 +124,15 @@ long do_utimes(int dfd, char __user *filename, struct timespec *times, int flags | |||
| 119 | newattrs.ia_mtime.tv_nsec = times[1].tv_nsec; | 124 | newattrs.ia_mtime.tv_nsec = times[1].tv_nsec; |
| 120 | newattrs.ia_valid |= ATTR_MTIME_SET; | 125 | newattrs.ia_valid |= ATTR_MTIME_SET; |
| 121 | } | 126 | } |
| 122 | } else { | 127 | } |
| 128 | |||
| 129 | /* | ||
| 130 | * If times is NULL or both times are either UTIME_OMIT or | ||
| 131 | * UTIME_NOW, then need to check permissions, because | ||
| 132 | * inode_change_ok() won't do it. | ||
| 133 | */ | ||
| 134 | if (!times || (nsec_special(times[0].tv_nsec) && | ||
| 135 | nsec_special(times[1].tv_nsec))) { | ||
| 123 | error = -EACCES; | 136 | error = -EACCES; |
| 124 | if (IS_IMMUTABLE(inode)) | 137 | if (IS_IMMUTABLE(inode)) |
| 125 | goto mnt_drop_write_and_out; | 138 | goto mnt_drop_write_and_out; |