Re: [PATCH v2 04/10] ovl: make ioctl() safe

From: Miklos Szeredi
Date: Thu Dec 10 2020 - 10:20:26 EST

Next message: Kirill Tkhai: "Re: [PATCH 6/9] mm: vmscan: use per memcg nr_deferred of shrinker"
Previous message: Miklos Szeredi: "Re: [PATCH v2 04/10] ovl: make ioctl() safe"
In reply to: James Morris: "Re: [PATCH v2 04/10] ovl: make ioctl() safe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Dec 9, 2020 at 3:01 AM James Morris <jmorris@xxxxxxxxx> wrote:
>
> On Mon, 7 Dec 2020, Miklos Szeredi wrote:
>
> > ovl_ioctl_set_flags() does a capability check using flags, but then the
> > real ioctl double-fetches flags and uses potentially different value.
> >
> > The "Check the capability before cred override" comment misleading: user
> > can skip this check by presenting benign flags first and then overwriting
> > them to non-benign flags.
>
> Is this a security bug which should be fixed in stable?

Yes, good point. Added Cc: stable@...

Thanks,
Miklos

Next message: Kirill Tkhai: "Re: [PATCH 6/9] mm: vmscan: use per memcg nr_deferred of shrinker"
Previous message: Miklos Szeredi: "Re: [PATCH v2 04/10] ovl: make ioctl() safe"
In reply to: James Morris: "Re: [PATCH v2 04/10] ovl: make ioctl() safe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]