On Wed, Dec 9, 2020 at 3:01 AM James Morris <jmorris@xxxxxxxxx> wrote:
>
> On Mon, 7 Dec 2020, Miklos Szeredi wrote:
>
> > ovl_ioctl_set_flags() does a capability check using flags, but then the
> > real ioctl double-fetches flags and uses potentially different value.
> >
> > The "Check the capability before cred override" comment misleading: user
> > can skip this check by presenting benign flags first and then overwriting
> > them to non-benign flags.
>
> Is this a security bug which should be fixed in stable?

Yes, good point. Added Cc: stable@...

Thanks,
Miklos
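
The double fetch described in the quoted commit message, reduced to a user-space C simulation. This is an added example, not part of this thread and not the overlayfs code. `PRIV_FLAG`, `struct user_mem` and all function names are hypothetical, and the concurrent writer is modelled deterministically as an overwrite that lands right after the first fetch.

```c
#include <errno.h>
#include <stdbool.h>

#define PRIV_FLAG 0x10u   /* hypothetical flag bit that requires a capability */

/* Simulated user memory. The racing thread is modelled by swapping in
 * racer_value immediately after the first fetch completes. */
struct user_mem { unsigned value; unsigned racer_value; int fetches; };

/* Stand-in for a user-memory read: each call re-reads caller-controlled data. */
static unsigned fetch_flags(struct user_mem *u)
{
    unsigned v = u->value;
    if (++u->fetches == 1)
        u->value = u->racer_value;   /* concurrent overwrite lands here */
    return v;
}

static bool flags_allowed(unsigned flags, bool has_cap)
{
    return has_cap || !(flags & PRIV_FLAG);
}

/* Stand-in for the "real" ioctl: fetches its argument itself, no check. */
static int real_set_flags(struct user_mem *u, unsigned *inode_flags)
{
    *inode_flags = fetch_flags(u);   /* second fetch */
    return 0;
}

/* Pattern from the report: the check sees one fetch, the action another. */
int set_flags_double_fetch(struct user_mem *u, bool has_cap, unsigned *inode_flags)
{
    if (!flags_allowed(fetch_flags(u), has_cap))
        return -EPERM;
    return real_set_flags(u, inode_flags);
}

/* Hardened pattern: fetch once, then check and apply that same local copy. */
int set_flags_single_fetch(struct user_mem *u, bool has_cap, unsigned *inode_flags)
{
    unsigned flags = fetch_flags(u);
    if (!flags_allowed(flags, has_cap))
        return -EPERM;
    *inode_flags = flags;
    return 0;
}
```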