{"id":2220114,"url":"http://patchwork.ozlabs.org/api/1.0/patches/2220114/?format=json","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/1.0/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260406113010.38193-2-massimiliano.pellizzer@canonical.com>","date":"2026-04-06T11:30:09","name":"[SRU,J,v2,1/2] UBUNTU: SAUCE: Revert \"UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs\"","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"a2dcff7f99c3f248d426cd0bc5e9432a8cbfc399","submitter":{"id":89057,"url":"http://patchwork.ozlabs.org/api/1.0/people/89057/?format=json","name":"Massimiliano Pellizzer","email":"massimiliano.pellizzer@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20260406113010.38193-2-massimiliano.pellizzer@canonical.com/mbox/","series":[{"id":498844,"url":"http://patchwork.ozlabs.org/api/1.0/series/498844/?format=json","date":"2026-04-06T11:30:08","name":"CVE-2023-2640 and CVE-2023-32629","version":2,"mbox":"http://patchwork.ozlabs.org/series/498844/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2220114/checks/","tags":{},"headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=WhHpI2Gj;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fq6bb0Tr4z1yGn\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 06 Apr 2026 21:31:23 +1000 (AEST)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1w9iAm-0005pm-M9; Mon, 06 Apr 2026 11:31:16 +0000","from smtp-relay-internal-1.internal ([10.131.114.114]\n helo=smtp-relay-internal-1.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <massimiliano.pellizzer@canonical.com>)\n id 1w9iAl-0005pK-LK\n for kernel-team@lists.ubuntu.com; Mon, 06 Apr 2026 11:31:15 +0000","from mail-wm1-f71.google.com (mail-wm1-f71.google.com\n [209.85.128.71])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 7BBBC3F154\n for <kernel-team@lists.ubuntu.com>; Mon,  6 Apr 2026 11:31:15 +0000 (UTC)","by mail-wm1-f71.google.com with SMTP id\n 5b1f17b1804b1-483786a09b1so48773305e9.3\n for <kernel-team@lists.ubuntu.com>; Mon, 06 Apr 2026 04:31:15 -0700 (PDT)","from framework.ts.net (net-93-71-66-38.cust.vodafonedsl.it.\n [93.71.66.38]) by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-488b739e00bsm36899605e9.10.2026.04.06.04.31.13\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Mon, 06 Apr 2026 04:31:13 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1775475075;\n bh=kF5w8VoY/eiHimSxjtozgkBFEKgHaz7KQbbx/9PyF44=;\n h=From:To:Subject:Date:Message-ID:In-Reply-To:References:\n MIME-Version;\n b=WhHpI2Gj5rGF+mR7Ksu9OS6hSAob3bnMT0mXrJMO+gCq6Dcla0TrrM1j7uVIR41Lw\n aOf0RMWCE1jpmD+9kCaVTCWbM5SRiiVYTkKEjU6W7KVPCs4SbVmv1pbJgGMqrg1ZKt\n LRbLuqaJjIdqG+1f+YbfBPZ7SwajSZC+RUIhZzZmETXpY9dYovUDkmrSjaGsLFWRa9\n mvTNj0ySdXi3EypZVOOKtxy2jslS51d6wERAheMq7bXE6+RKDnjNLvBGvGi+wEJbin\n wsaD77AqqHfeFQrK8+Hu86JFZfLYDcD0Hr8Gbqw+AhtZH4x+0dzr9CoaAmRwa0EABI\n VlrOta8qPQd+HImFLGw1DFM1+Xh2Ke4vW8g8bS6hrM01xcGyOqslKDAHrHS50ESCvh\n fUutX0UcztzuZxrXDTCTKVznQoqFUfV8E4ChkOVNtIgBcbmNNAe2hbG9szvtTzf/ng\n cUXTRrLi2rNltXN1Vql4SxJYYI7gnG2lq5OyLegJqUEq8iMhjqRafgbx2UrfJbYxFt\n 6njgS1a6GX+B+h1Bt0OdSg8WCxMuuVMK/HBQnvUOp/JwOl1WS5lsyRSZB3bu3h7bUZ\n Zk3EqncGmg5BY9bRsvQvDN37/lkrCnxmX00o4HYxS3lTic6Gw20CUTVXXH0ljh/CBE\n oLpUPeI9ica1dRmHi4ZYOXGU=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1775475075; x=1776079875;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to\n :cc:subject:date:message-id:reply-to;\n bh=kF5w8VoY/eiHimSxjtozgkBFEKgHaz7KQbbx/9PyF44=;\n b=ndhR4Kg44dXHnAjX6aNFXXi1vswmSrsFKJzTAbwUg6F/YkpC/lqebSZ9gH4ekuDoNO\n AWYNgCmFIueyegb4X/JITPpGRACsqJpvUy6QuwF3AjnrnqAOVeGSN/FcDyNtQweJAZh9\n 96+EPEdpRsMyQm+B+gh/pDDOPhozP7l60WEDBcid+rjc1AYupa9PWW4HTGSetdF1Pvz0\n v3uTRMwRKWZ+J5kuwwPA7dLj4G2nOfZJNlNNNfqOK44V3sLoLHVtR+zsVdxZivHxppxe\n uWr8a90ScDNwMTZmTsL6Nv2QjhBNdePklwg+YiwEAFuiZNjMHBYJJqIPPlHH41+4ObiS\n CEEw==","X-Gm-Message-State":"AOJu0YywULFC3DpOk0zDF3eGSsdX7bbZlwi7eqTewmIWnnj6MqsKstGH\n EU9uqcGWkRMPW9OOHljQ5pWw21lxQOWeh4256MkWNM/RimSnj6SMvhIfa31hm95yFtDdHjJiz/5\n +Uw6xLA7JzV3zbQMifGDlg4f7RpQLQozxC4kqHsXggQN73x7fbS9bdF0i1GdEcBW/Gi4osA7Q6q\n jZplmw3EEWNFLJ2A==","X-Gm-Gg":"AeBDietA6ntWebWsavno4vWzpDtq2lp9sAU0v8O9gKfJUusFN3UcTsbApfJ0LIJQu+q\n URlTG27+rZplnmfglYGBU+gNV4gyp3yf1Ua3plV9+PbD+nuOvRrnxuiR9zkeeTKxwxkMU0Yt7ga\n 2fHb2nIQwRmiwAJVuqspRiFFrsnDuDxDDXyJp62wlknpqGrnyC8H2W+5WjmsV0myUyhnrB/pb3w\n M9P75Aj+lgdxiqpxQ6DQzyk1FAz3/wOsbVxx/lZHD02DocF2+kf37Icj18/tHdSdKsSaVxb4hlX\n a1bbufOHu57UV1yrGlVnbTdiRMqk0ITPzKALERg/4vRu0YYvMbH4jv0aEE0dXDyUFcbXBmZGQXY\n XaEbObwsTI8biDu5VGzktj3f7Wk7T0xQ6lDXaSrmENnJsJ3clXNeStxmEcf/JPYSTSs1J7eY6AM\n 4pAKEQs9LH6JDihy6cCiwwhKOdE5LhmtCeYaQZuReMpuoYSX7z3wV9VVJM49Rl4poPWgFW2Ls=","X-Received":["by 2002:a05:600c:4e86:b0:486:fba7:b150 with SMTP id\n 5b1f17b1804b1-488997c9b9bmr158361895e9.15.1775475074745;\n Mon, 06 Apr 2026 04:31:14 -0700 (PDT)","by 2002:a05:600c:4e86:b0:486:fba7:b150 with SMTP id\n 5b1f17b1804b1-488997c9b9bmr158361545e9.15.1775475074209;\n Mon, 06 Apr 2026 04:31:14 -0700 (PDT)"],"From":"Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU][J][PATCH v2 1/2] UBUNTU: SAUCE: Revert \"UBUNTU: SAUCE:\n overlayfs: Skip permission checking for trusted.overlayfs.* xattrs\"","Date":"Mon,  6 Apr 2026 13:30:09 +0200","Message-ID":"<20260406113010.38193-2-massimiliano.pellizzer@canonical.com>","X-Mailer":"git-send-email 2.51.0","In-Reply-To":"<20260406113010.38193-1-massimiliano.pellizzer@canonical.com>","References":"<20260406113010.38193-1-massimiliano.pellizzer@canonical.com>","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"},"content":"This reverts commit 3fb38c98e060b327cb58373775dcc95ed52d1f22.\n\nThe reverted commit bypasses vfs_setxattr() in ovl_do_setxattr() by\ncalling __vfs_setxattr_noperm() directly. After upstream commit\nc914c0e27eb0 (\"ovl: use wrappers to all vfs_*xattr() calls\")\nwas backported, this routed security.capability writes during copy-up\nthrough the unchecked path, bypassing cap_convert_nscap() and enabling\nCVE-2023-2640 and CVE-2023-32629.\n\nCVE-2023-2640\nCVE-2023-32629\nSigned-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>\n---\n fs/overlayfs/overlayfs.h | 15 ++-------------\n fs/xattr.c               | 36 ++++++------------------------------\n include/linux/xattr.h    |  1 -\n 3 files changed, 8 insertions(+), 44 deletions(-)","diff":"diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h\nindex 585797e23b547..43b211cf437cc 100644\n--- a/fs/overlayfs/overlayfs.h\n+++ b/fs/overlayfs/overlayfs.h\n@@ -211,12 +211,7 @@ static inline int ovl_do_setxattr(struct ovl_fs *ofs, struct dentry *dentry,\n \t\t\t\t  const char *name, const void *value,\n \t\t\t\t  size_t size, int flags)\n {\n-\tstruct inode *inode = dentry->d_inode;\n-\tint err;\n-\n-\tinode_lock(inode);\n-\terr = __vfs_setxattr_noperm(&init_user_ns, dentry, name, value, size, flags);\n-\tinode_unlock(inode);\n+\tint err = vfs_setxattr(&init_user_ns, dentry, name, value, size, flags);\n \n \tpr_debug(\"setxattr(%pd2, \\\"%s\\\", \\\"%*pE\\\", %zu, %d) = %i\\n\",\n \t\t dentry, name, min((int)size, 48), value, size, flags, err);\n@@ -233,13 +228,7 @@ static inline int ovl_setxattr(struct ovl_fs *ofs, struct dentry *dentry,\n static inline int ovl_do_removexattr(struct ovl_fs *ofs, struct dentry *dentry,\n \t\t\t\t     const char *name)\n {\n-\tstruct inode *inode = dentry->d_inode;\n-\tint err;\n-\n-\tinode_lock(inode);\n-\terr = __vfs_removexattr_noperm(&init_user_ns, dentry, name);\n-\tinode_unlock(inode);\n-\n+\tint err = vfs_removexattr(&init_user_ns, dentry, name);\n \tpr_debug(\"removexattr(%pd2, \\\"%s\\\") = %i\\n\", dentry, name, err);\n \treturn err;\n }\ndiff --git a/fs/xattr.c b/fs/xattr.c\nindex bad89a9144cc7..030f93f3f9d0e 100644\n--- a/fs/xattr.c\n+++ b/fs/xattr.c\n@@ -239,7 +239,6 @@ int __vfs_setxattr_noperm(struct user_namespace *mnt_userns,\n \n \treturn error;\n }\n-EXPORT_SYMBOL_GPL(__vfs_setxattr_noperm);\n \n /**\n  * __vfs_setxattr_locked - set an extended attribute while holding the inode\n@@ -474,34 +473,6 @@ __vfs_removexattr(struct user_namespace *mnt_userns, struct dentry *dentry,\n }\n EXPORT_SYMBOL(__vfs_removexattr);\n \n-/**\n- *  __vfs_removexattr_noperm - perform removexattr operation without\n- *  performing permission checks.\n- *\n- *  @dentry - object to perform setxattr on\n- *  @name - xattr name to set\n- *\n- *  returns the result of the internal setxattr or setsecurity operations.\n- *\n- *  This function requires the caller to lock the inode's i_mutex before it\n- *  is executed. It also assumes that the caller will make the appropriate\n- *  permission checks.\n- */\n-int\n-__vfs_removexattr_noperm(struct user_namespace *mnt_userns,\n-\t\t\t struct dentry *dentry, const char *name)\n-{\n-\tint error;\n-\n-\terror =__vfs_removexattr(mnt_userns, dentry, name);\n-\tif (!error) {\n-\t\tfsnotify_xattr(dentry);\n-\t\tevm_inode_post_removexattr(dentry, name);\n-\t}\n-\treturn error;\n-}\n-EXPORT_SYMBOL_GPL(__vfs_removexattr_noperm);\n-\n /**\n  * __vfs_removexattr_locked - set an extended attribute while holding the inode\n  * lock\n@@ -532,7 +503,12 @@ __vfs_removexattr_locked(struct user_namespace *mnt_userns,\n \tif (error)\n \t\tgoto out;\n \n-\terror = __vfs_removexattr_noperm(mnt_userns, dentry, name);\n+\terror = __vfs_removexattr(mnt_userns, dentry, name);\n+\n+\tif (!error) {\n+\t\tfsnotify_xattr(dentry);\n+\t\tevm_inode_post_removexattr(dentry, name);\n+\t}\n \n out:\n \treturn error;\ndiff --git a/include/linux/xattr.h b/include/linux/xattr.h\nindex 077b3844f2eeb..4c379d23ec6e7 100644\n--- a/include/linux/xattr.h\n+++ b/include/linux/xattr.h\n@@ -63,7 +63,6 @@ int __vfs_setxattr_locked(struct user_namespace *, struct dentry *,\n int vfs_setxattr(struct user_namespace *, struct dentry *, const char *,\n \t\t const void *, size_t, int);\n int __vfs_removexattr(struct user_namespace *, struct dentry *, const char *);\n-int __vfs_removexattr_noperm(struct user_namespace *, struct dentry *, const char *);\n int __vfs_removexattr_locked(struct user_namespace *, struct dentry *,\n \t\t\t     const char *, struct inode **);\n int vfs_removexattr(struct user_namespace *, struct dentry *, const char *);\n","prefixes":["SRU","J","v2","1/2"]}