[PATCH v2 04/10] ovl: make ioctl() safe

Miklos Szeredi miklos at szeredi.hu
Thu Dec 10 15:19:19 UTC 2020


On Wed, Dec 9, 2020 at 3:01 AM James Morris <jmorris at namei.org> wrote:
>
> On Mon, 7 Dec 2020, Miklos Szeredi wrote:
>
> > ovl_ioctl_set_flags() does a capability check using flags, but then the
> > real ioctl double-fetches flags and uses potentially different value.
> >
> > The "Check the capability before cred override" comment misleading: user
> > can skip this check by presenting benign flags first and then overwriting
> > them to non-benign flags.
>
> Is this a security bug which should be fixed in stable?

Yes, good point.  Added Cc: stable at ...

Thanks,
Miklos



More information about the Linux-security-module-archive mailing list