From patchwork Wed Jul 12 09:54:19 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Ernesto_A=2E_Fern=C3=A1ndez?=
 <ernesto.mnd.fernandez@gmail.com>
X-Patchwork-Id: 787113
Return-Path: <linux-ext4-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 3x6vS861yvz9s65
	for <patchwork-incoming@ozlabs.org>;
	Wed, 12 Jul 2017 19:54:32 +1000 (AEST)
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="NnFzfDkx"; dkim-atps=neutral
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1756037AbdGLJy0 (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Wed, 12 Jul 2017 05:54:26 -0400
Received: from mail-qk0-f195.google.com ([209.85.220.195]:34841 "EHLO
	mail-qk0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1755887AbdGLJyY (ORCPT
	<rfc822; linux-ext4@vger.kernel.org>); Wed, 12 Jul 2017 05:54:24 -0400
Received: by mail-qk0-f195.google.com with SMTP id 16so2419436qkg.2;
	Wed, 12 Jul 2017 02:54:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=date:from:to:subject:message-id:references:mime-version
	:content-disposition:content-transfer-encoding:in-reply-to;
	bh=NmH6OPOXSfZZXDfJY2hS24pLG5yS3YdDRdsqyYUWQys=;
	b=NnFzfDkxNiRu1k2/U6oKwu+caGQ7ebPcopWwE/hhci+53DGS5KUj0FLYh0jFFoZJ4m
	ccg2ty4Hf0BKWREPpH0KCkMssefaS9FHsySngIKKw4CnhXGR/YO1fBGBUp+KUGpYyF+t
	FZamtEzOHQ5Jr8DMfuqALf8FRS+AIN0E0gCS2VvkYQ0US1aZw8aK9wavZcq2GRQYEZ/R
	QYmZGoysb3LG1i8696sDnGLeUaiDdZtSJVwHMb0msebjE/uRHxvMe4nO0enWuT3k2Wzw
	ERv7zaF1w6ItYqH9QtfpBXgcs+OkTKnsB9xKmq6M4xgy+Nza61qMpq31zVuCTOe7Tdfh
	JlhQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:date:from:to:subject:message-id:references
	:mime-version:content-disposition:content-transfer-encoding
	:in-reply-to;
	bh=NmH6OPOXSfZZXDfJY2hS24pLG5yS3YdDRdsqyYUWQys=;
	b=P+QVbpc5GhVJkaycDLAo/dn+xG62gFMLRRW36/7dQ047LThuMg3hcK8Z/N2ZJksZ5c
	6PKiSfaMIKBo7w9WF6zR8df9XPcgPzomOGWRLTWl+tKMOcoX8roUJsS/o2z27vNIY3I4
	1cMlCrrs5XfT2DpYHxSulMhA6Sjr1lx9sxIl8YX3VpszkYYVK6IKXbD2Ny5D04SHfBTh
	jyyvVvpdRKrsiY1FV2aPuR57PQCm8v4cE/bycb8Io7PVR/RB5GwKl/WrIE9ej/sk6QT3
	0cIoj9zgxl50q0+REBS44iX+nB7/3FSSgE1Hi8rb02UXLD3Tzg4f6liY50PlfrLlmC/G
	4M8w==
X-Gm-Message-State: AIVw1111iJTSfwx56a/rax6GHTRPvM3CPItMSLuw3F78U4Ya7GAh/aKF
	pKbbVnBD17z/dA==
X-Received: by 10.200.39.182 with SMTP id w51mr5386080qtw.87.1499853263907;
	Wed, 12 Jul 2017 02:54:23 -0700 (PDT)
Received: from debian.home ([186.18.119.100])
	by smtp.gmail.com with ESMTPSA id
	n67sm1458266qte.41.2017.07.12.02.54.22
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Wed, 12 Jul 2017 02:54:23 -0700 (PDT)
Date: Wed, 12 Jul 2017 06:54:19 -0300
From: Ernesto =?utf-8?Q?A=2E_Fern=C3=A1ndez?=
	<ernesto.mnd.fernandez@gmail.com>
To: Jan Kara <jack@suse.com>, Theodore Ts'o <tytso@mit.edu>,
	Andreas Dilger <adilger.kernel@dilger.ca>,
	Dave Kleikamp <shaggy@kernel.org>, linux-ext4@vger.kernel.org,
	jfs-discussion@lists.sourceforge.net, reiserfs-devel@vger.kernel.org
Subject: [PATCH 2/5] ext2: preserve i_mode if ext2_set_acl() fails
Message-ID: 
 <099e3ef2bf3a9ab2a1d545b65ba15fad359f2c03.1499805487.git.ernesto.mnd.fernandez@gmail.com>
References: <cover.1499805484.git.ernesto.mnd.fernandez@gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <cover.1499805484.git.ernesto.mnd.fernandez@gmail.com>
Sender: linux-ext4-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-ext4.vger.kernel.org>
X-Mailing-List: linux-ext4@vger.kernel.org

When changing a file's acl mask, ext2_set_acl() will first set the group
bits of i_mode to the value of the mask, and only then set the actual
extended attribute representing the new acl.

If the second part fails (due to lack of space, for example) and the file
had no acl attribute to begin with, the system will from now on assume
that the mask permission bits are actual group permission bits, potentially
granting access to the wrong users.

Prevent this by only changing the inode mode after the acl has been set.

Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
---
A line in acl.c is too long, and checkpatch.pl complains about it when run
against this patch. In case it matters, the next patch will fix that.

 fs/ext2/acl.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/fs/ext2/acl.c b/fs/ext2/acl.c
index 79dafa7..4e04b7e 100644
--- a/fs/ext2/acl.c
+++ b/fs/ext2/acl.c
@@ -185,16 +185,17 @@ ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
 	void *value = NULL;
 	size_t size = 0;
 	int error;
+	int update_mode = 0;
+	umode_t mode = inode->i_mode;
 
 	switch(type) {
 		case ACL_TYPE_ACCESS:
 			name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS;
 			if (acl) {
-				error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+				error = posix_acl_update_mode(inode, &mode, &acl);
 				if (error)
 					return error;
-				inode->i_ctime = current_time(inode);
-				mark_inode_dirty(inode);
+				update_mode = 1;
 			}
 			break;
 
@@ -216,8 +217,14 @@ ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
 	error = ext2_xattr_set(inode, name_index, "", value, size, 0);
 
 	kfree(value);
-	if (!error)
+	if (!error) {
 		set_cached_acl(inode, type, acl);
+		if (update_mode) {
+			inode->i_mode = mode;
+			inode->i_ctime = current_time(inode);
+			mark_inode_dirty(inode);
+		}
+	}
 	return error;
 }