From: Joakim Sindholt opensource@zhasha.com
mainline inclusion from mainline-v6.9-rc5 commit cd25e15e57e68a6b18dc9323047fe9c68b99290b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9UNVB CVE: CVE-2024-36964
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Garbage in plain 9P2000's perm bits is allowed through, which causes it to be able to set (among others) the suid bit. This was presumably not the intent since the unix extended bits are handled explicitly and conditionally on .u.
Signed-off-by: Joakim Sindholt opensource@zhasha.com Signed-off-by: Eric Van Hensbergen ericvh@kernel.org Signed-off-by: Ye Bin yebin@huaweicloud.com --- fs/9p/vfs_inode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c index 72b779bc0942..d1a0f36dcdd4 100644 --- a/fs/9p/vfs_inode.c +++ b/fs/9p/vfs_inode.c @@ -101,7 +101,7 @@ static int p9mode2perm(struct v9fs_session_info *v9ses, int res; int mode = stat->mode;
- res = mode & S_IALLUGO; + res = mode & 0777; /* S_IRWXUGO */ if (v9fs_proto_dotu(v9ses)) { if ((mode & P9_DMSETUID) == P9_DMSETUID) res |= S_ISUID;