Sure thing. This patch is against 2.6.34, but it appears that it can apply to >= 2.6.25. Let me know if you need a fix for < 2.6.25.

For those new to the conversation, this patch prevents user "foo" from using the SWAPEXT ioctl to swap a write-only file owned by user "bar" into a file owned by "foo" and subsequently reading it. It does so by checking that the file descriptors passed to the ioctl are also opened for reading. In addition, after swapping, any suid/sgid bits should be cleared.

-Dan

On Wed, Jun 16, 2010 at 8:11 AM, Christoph Hellwig <hch@xxxxxxxxxxxxx> wrote:
> Dan, can you please send your fixes to the XFS list so that we can
> include them?

--- fs/xfs/xfs_dfrag.c.orig 2010-06-15 09:16:05.000000000 -0400 +++ fs/xfs/xfs_dfrag.c 2010-06-15 09:30:17.000000000 -0400 @@ -69,7 +69,9 @@ xfs_swapext( goto out; } - if (!(file->f_mode & FMODE_WRITE) || (file->f_flags & O_APPEND)) { + if (!(file->f_mode & FMODE_WRITE) || + !(file->f_mode & FMODE_READ) || + (file->f_flags & O_APPEND)) { error = XFS_ERROR(EBADF); goto out_put_file; } @@ -81,7 +83,8 @@ xfs_swapext( } if (!(tmp_file->f_mode & FMODE_WRITE) || - (tmp_file->f_flags & O_APPEND)) { + !(tmp_file->f_mode & FMODE_READ) || + (tmp_file->f_flags & O_APPEND)) { error = XFS_ERROR(EBADF); goto out_put_tmp_file; } @@ -112,6 +115,11 @@ xfs_swapext( error = xfs_swap_extents(ip, tip, sxp); + if(!error) { + file_remove_suid(tmp_file); + file_remove_suid(file); + } + out_put_tmp_file: fput(tmp_file); out_put_file:
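
Review bot: In the first hunk (@@ -69,7 +69,9 @@), the new `!(file->f_mode & FMODE_READ)` term carries no comment explaining why an extent swap needs read access, so in the source it reads as an arbitrary restriction once the cover letter is gone. Please add a short comment above the condition saying that both descriptors must be readable because a swap hands the other file's data to the caller. The changelog should also say that a descriptor opened write-only now gets EBADF where it was accepted before.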
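
Review bot: The `tmp_file` condition in the second hunk (@@ -81,7 +83,8 @@) is now a three-term copy of the `file` condition from the first hunk, so the two checks can drift apart the next time one of them is touched. Consider a small helper that takes a `struct file *` and returns whether its mode is acceptable for a swap, called once per descriptor, so the FMODE_WRITE, FMODE_READ and O_APPEND rules live in one place.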
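
Review bot: In the third hunk (@@ -112,6 +115,11 @@), the return values of both `file_remove_suid()` calls are discarded, so a failure to clear the suid/sgid bits after a successful swap is silent and the ioctl still reports success. Either fold the result into `error` or add a comment stating why ignoring it is safe here. Style: `if(!error) {` needs a space after `if`.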
_______________________________________________
xfs mailing list
xfs@xxxxxxxxxxx
http://oss.sgi.com/mailman/listinfo/xfs