Add the RHEL 211.17.1..211.18.1 backports (1162-1244) from centos-stream-10 and upstream, on top of 211.16.1. Includes the lpfc 14.4.0.x revert batch and the RHEL-only lpfc_nlp_get UAF guard. Bump to 211.18.1.
From b71e05c047c7f227e96201fa4eb9e4929ac96deb Mon Sep 17 00:00:00 2001
From: Rafael Aquini <raquini@redhat.com>
Date: Mon, 11 May 2026 10:39:35 -0400
Subject: [PATCH] anon_inode: explicitly block ->setattr()
JIRA: https://issues.redhat.com/browse/RHEL-171616
commit 22bdf3d6581af6d06ed8a46c6835648421cca0ea
Author: Christian Brauner <brauner@kernel.org>
Date: Mon Apr 7 11:54:17 2025 +0200
anon_inode: explicitly block ->setattr()
It is currently possible to change the mode and owner of the single
anonymous inode in the kernel:
int main(int argc, char *argv[])
{
int ret, sfd;
sigset_t mask;
struct signalfd_siginfo fdsi;
sigemptyset(&mask);
sigaddset(&mask, SIGINT);
sigaddset(&mask, SIGQUIT);
ret = sigprocmask(SIG_BLOCK, &mask, NULL);
if (ret < 0)
_exit(1);
sfd = signalfd(-1, &mask, 0);
if (sfd < 0)
_exit(2);
ret = fchown(sfd, 5555, 5555);
if (ret < 0)
_exit(3);
ret = fchmod(sfd, 0777);
if (ret < 0)
_exit(3);
_exit(4);
}
This is a bug. It's not really a meaningful one because anonymous inodes
don't really figure into path lookup and they cannot be reopened via
/proc/<pid>/fd/<nr> and can't be used for lookup itself. So they can
only ever serve as direct references.
But it is still completely bogus to allow the mode and ownership or any
of the properties of the anonymous inode to be changed. Block this!
Link: https://lore.kernel.org/20250407-work-anon_inode-v1-3-53a44c20d44e@kernel.org
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@vger.kernel.org # all LTS kernels
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Rafael Aquini <raquini@redhat.com>
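diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
index 7c07b22c1d47..344355616d3a 100644
--- a/fs/anon_inodes.c
+++ b/fs/anon_inodes.c
@@ -57,8 +57,15 @@ int anon_inode_getattr(struct mnt_idmap *idmap, const struct path *path,
 return 0;
 }
 
+int anon_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+ struct iattr *attr)
+{
+ return -EOPNOTSUPP;
+}
+
 static const struct inode_operations anon_inode_operations = {
 .getattr = anon_inode_getattr,
+ .setattr = anon_inode_setattr,
 };
 
 /*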
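Review bot: The new `.setattr` entry only protects inodes that actually use `anon_inode_operations`, and the hunk does not show which inodes are given that table. Any anonymous-inode path that installs its own `inode_operations` would still accept `fchown()`/`fchmod()` until it sets `.setattr = anon_inode_setattr` itself; the non-static definition and the `fs/internal.h` prototype suggest such users are expected, so they are worth auditing in the same backport. The function also has no comment saying the unconditional refusal is deliberate; I would add `/* The anonymous inode is shared by all users: never allow its mode, ownership or other attributes to change. */` above it. For a backport, callers that previously got success from these calls on such fds will now see `EOPNOTSUPP`, a userspace-visible change that deserves a release note.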
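diff --git a/fs/internal.h b/fs/internal.h
index afa926ccee7e..dd13dfde4adb 100644
--- a/fs/internal.h
+++ b/fs/internal.h
@@ -341,3 +341,5 @@ void file_f_owner_release(struct file *file);
 int anon_inode_getattr(struct mnt_idmap *idmap, const struct path *path,
 struct kstat *stat, u32 request_mask,
 unsigned int query_flags);
+int anon_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+ struct iattr *attr);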
--
2.50.1 (Apple Git-155)