From patchwork Tue Aug  8 12:44:41 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Jan Kara <jack@suse.cz>
X-Patchwork-Id: 799153
Return-Path: <linux-ext4-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=linux-ext4-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 3xRYyG1n5Bz9s75
	for <patchwork-incoming@ozlabs.org>;
	Tue,  8 Aug 2017 22:44:54 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752049AbdHHMou (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Tue, 8 Aug 2017 08:44:50 -0400
Received: from mx2.suse.de ([195.135.220.15]:50207 "EHLO mx1.suse.de"
	rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
	id S1751996AbdHHMos (ORCPT <rfc822;linux-ext4@vger.kernel.org>);
	Tue, 8 Aug 2017 08:44:48 -0400
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay2.suse.de (charybdis-ext.suse.de [195.135.220.254])
	by mx1.suse.de (Postfix) with ESMTP id 6E40AAE26;
	Tue,  8 Aug 2017 12:44:47 +0000 (UTC)
Received: by quack2.suse.cz (Postfix, from userid 1000)
	id 09CB11E340E; Tue,  8 Aug 2017 14:44:46 +0200 (CEST)
From: Jan Kara <jack@suse.cz>
To: stable@vger.kernel.org
Cc: Ted Tso <tytso@mit.edu>, <linux-ext4@vger.kernel.org>,
	gregkh@linuxfoundation.org, =?UTF-8?q?Ernesto=20A=2E=20Fern=C3=A1ndez?=
	<ernesto.mnd.fernandez@gmail.com>
Subject: [PATCH 1/2] ext4: preserve i_mode if __ext4_set_acl() fails
Date: Tue,  8 Aug 2017 14:44:41 +0200
Message-Id: <20170808124442.8963-2-jack@suse.cz>
X-Mailer: git-send-email 2.12.3
In-Reply-To: <20170808124442.8963-1-jack@suse.cz>
References: <20170808124442.8963-1-jack@suse.cz>
MIME-Version: 1.0
Git-commit: 397e434176bb62bc6068d2210af1d876c6212a7e
Sender: linux-ext4-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-ext4.vger.kernel.org>
X-Mailing-List: linux-ext4@vger.kernel.org

From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>

When changing a file's acl mask, __ext4_set_acl() will first set the group
bits of i_mode to the value of the mask, and only then set the actual
extended attribute representing the new acl.

If the second part fails (due to lack of space, for example) and the file
had no acl attribute to begin with, the system will from now on assume
that the mask permission bits are actual group permission bits, potentially
granting access to the wrong users.

Prevent this by only changing the inode mode after the acl has been set.

Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
---
 fs/ext4/acl.c |   15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

--- a/fs/ext4/acl.c
+++ b/fs/ext4/acl.c
@@ -189,16 +189,17 @@ __ext4_set_acl(handle_t *handle, struct
 	void *value = NULL;
 	size_t size = 0;
 	int error;
+	int update_mode = 0;
+	umode_t mode = inode->i_mode;
 
 	switch (type) {
 	case ACL_TYPE_ACCESS:
 		name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS;
 		if (acl) {
-			error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+			error = posix_acl_update_mode(inode, &mode, &acl);
 			if (error)
 				return error;
-			inode->i_ctime = current_time(inode);
-			ext4_mark_inode_dirty(handle, inode);
+			update_mode = 1;
 		}
 		break;
 
@@ -221,8 +222,14 @@ __ext4_set_acl(handle_t *handle, struct
 				      value, size, 0);
 
 	kfree(value);
-	if (!error)
+	if (!error) {
 		set_cached_acl(inode, type, acl);
+		if (update_mode) {
+			inode->i_mode = mode;
+			inode->i_ctime = current_time(inode);
+			ext4_mark_inode_dirty(handle, inode);
+		}
+	}
 
 	return error;
 }