From: Miklos Szeredi mszeredi@redhat.com
mainline inclusion from mainline-v5.8-rc1 commit 292f902a40c11f043a5ca1305a114da0e523eaa3 category: bugfix bugzilla: NA CVE: CVE-2020-16120
--------------------------------
Verify LSM permissions for underlying file, since vfs_ioctl() doesn't do it.
[Stephen Rothwell] export security_file_ioctl
Signed-off-by: Miklos Szeredi mszeredi@redhat.com Conflicts: fs/overlayfs/file.c [yyl: adjust context] Signed-off-by: Yang Yingliang yangyingliang@huawei.com Reviewed-by: zhangyi (F) yi.zhang@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com Signed-off-by: Cheng Jian cj.chengjian@huawei.com --- fs/overlayfs/file.c | 5 ++++- security/security.c | 1 + 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index 83cc52871307..fb5595e680d1 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -12,6 +12,7 @@
 #include <linux/xattr.h>
 #include <linux/uio.h>
 #include <linux/uaccess.h>
+#include <linux/security.h>
 #include "overlayfs.h"
static char ovl_whatisit(struct inode *inode, struct inode *realinode)
@@ -403,7 +404,9 @@ static long ovl_real_ioctl(struct file *file, unsigned int cmd,
 return ret;
old_cred = ovl_override_creds(file_inode(file)->i_sb);
- ret = vfs_ioctl(real.file, cmd, arg);
+ ret = security_file_ioctl(real.file, cmd, arg);
+ if (!ret)
+ ret = vfs_ioctl(real.file, cmd, arg);
 revert_creds(old_cred);
fdput(real);
diff --git a/security/security.c b/security/security.c
index 5ce2448f3a45..9e4d6c999c79 100644
--- a/security/security.c
+++ b/security/security.c
@@ -893,6 +893,7 @@ int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 {
 return call_int_hook(file_ioctl, 0, file, cmd, arg);
 }
+EXPORT_SYMBOL_GPL(security_file_ioctl);
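Review bot: In the `ovl_real_ioctl()` hunk of fs/overlayfs/file.c, the added `security_file_ioctl(real.file, cmd, arg)` call sits between `ovl_override_creds()` and `revert_creds()`, so the LSM decision on the underlying file is apparently made with the overridden credentials rather than the caller's, and nothing in the code records that this is intended. A short comment above the call would state it, for example `/* vfs_ioctl() does not call the LSM hook; check the real file here, under the overridden creds */`. The control flow itself looks right: a non-zero hook result skips `vfs_ioctl()` and still reaches `revert_creds(old_cred)` and `fdput(real)`. `ovl_real_ioctl()` starts and ends outside the hunk, so the earlier `return ret;` path and the final return cannot be checked from here.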
static inline unsigned long mmap_prot(struct file *file, unsigned long prot)
 {