Sophie

kernel-2.6.18-238.el5.src.rpm

From: Vitaly Mayatskikh <vmayatsk@redhat.com>
Date: Tue, 15 Jan 2008 15:25:36 +0100
Subject: [fs] corruption by unprivileged user in directories
Message-id: m3wsqb2mjj.fsf@gravicapa.englab.brq.redhat.com
O-Subject: [RHEL-5.2 PATCH] BZ428797 CVE-2008-0001 kernel: filesystem corruption by unprivileged user via directory truncation [rhel-5.2]
Bugzilla: 428797

BZ#428797

https://bugzilla.redhat.com/show_bug.cgi?id=428797

Description:
============
In kernel versions beginning with 2.6.15 and including 2.6.24-rc7, it
is possible for unprivileged local users to truncate any directory for
which they have write permission.  This renders all the contents of
the directory inaccessible.  It is then possible (given appropriate
privileges) to remove the apparently empty directory.  This can orphan
inodes that had their only link from that directory.

Upstream status:
================
Patch is upstream: commit 974a9f0b47da74e28f68b9c8645c3786aa5ace1a

Test status of the patch:
=========================
Patch fixes the problem

Acked-by: Jeff Layton <jlayton@redhat.com>
Acked-by: "Stephen C. Tweedie" <sct@redhat.com>
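
The description above does not spell out the trigger, but the hunks below do: the removed checks tested `flag & FMODE_WRITE`, which is set only for an O_WRONLY or O_RDWR access mode, whereas open_namei() in kernels of this era folds O_TRUNC into acc_mode as MAY_WRITE. A read-only open of a directory with O_TRUNC therefore passed the old EISDIR check, passed vfs_permission() if the caller had write permission on the directory, and reached the truncation path. The probe below is an added example for this page, not code from the patch or the RHEL tree; it assumes a POSIX system with a writable /tmp. It creates a scratch directory containing one file, attempts both the O_RDONLY|O_TRUNC open that the old code missed and the O_WRONLY open that it already rejected, and then checks whether the file is still reachable. On a fixed kernel both opens fail with EISDIR and the entry survives; a success on the first open is the vulnerable behaviour.

```c
/*
 * Probe for CVE-2008-0001 style directory truncation.
 *
 * Added example, not part of the RHEL patch. Assumes /tmp is writable.
 * Trigger: open(dir, O_RDONLY | O_TRUNC). The access mode is read-only, so a
 * FMODE_WRITE test on the open flags does not fire, but O_TRUNC carries
 * write intent and, on an unfixed kernel, truncates the directory inode.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct probe_report {
    int rdonly_trunc_errno; /* errno from open(dir, O_RDONLY|O_TRUNC); 0 = succeeded (vulnerable) */
    int wronly_errno;       /* errno from open(dir, O_WRONLY); the case the old check already caught */
    int entry_survived;     /* 1 if the file created inside dir is still reachable afterwards */
};

/* open() `path` with `flags`; return 0 on success (fd closed) or the errno. */
static int open_errno(const char *path, int flags)
{
    int fd = open(path, flags);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Create a scratch directory with one file in it, run both opens against the
 * directory itself, then check whether the file is still there. Both errnos
 * stay -1 if the scratch directory could not be created. */
struct probe_report probe_in_fresh_dir(void)
{
    struct probe_report r = { -1, -1, 0 };
    char dir[] = "/tmp/cve-2008-0001-probe.XXXXXX"; /* constructed scratch path */
    char file[sizeof dir + 8];

    if (mkdtemp(dir) == NULL)
        return r;
    snprintf(file, sizeof file, "%s/victim", dir);

    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0)
        close(fd);

    r.rdonly_trunc_errno = open_errno(dir, O_RDONLY | O_TRUNC);
    r.wronly_errno = open_errno(dir, O_WRONLY);

    struct stat st;
    r.entry_survived = (stat(file, &st) == 0);

    unlink(file);
    rmdir(dir);
    return r;
}

int main(void)
{
    struct probe_report r = probe_in_fresh_dir();
    if (r.rdonly_trunc_errno == -1) {
        perror("mkdtemp");
        return 2;
    }
    printf("open(dir, O_RDONLY|O_TRUNC): %s\n",
           r.rdonly_trunc_errno ? strerror(r.rdonly_trunc_errno) : "succeeded (VULNERABLE)");
    printf("open(dir, O_WRONLY):         %s\n",
           r.wronly_errno ? strerror(r.wronly_errno) : "succeeded (unexpected)");
    printf("directory entry survived:    %s\n", r.entry_survived ? "yes" : "no");
    return r.rdonly_trunc_errno == EISDIR ? 0 : 1;
}
```

Run it as an unprivileged user; the directory it truncates on a vulnerable kernel is its own scratch directory, so no other data is at risk, but do not point it at anything you care about. The O_WRONLY probe is there for contrast: it shows the case the old `flag & FMODE_WRITE` test handled, which is why the bug was only reachable through O_TRUNC.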

diff --git a/fs/namei.c b/fs/namei.c
index 77a8460..cece729 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1527,7 +1527,7 @@ int may_open(struct nameidata *nd, int acc_mode, int flag)
 	if (S_ISLNK(inode->i_mode))
 		return -ELOOP;
 	
-	if (S_ISDIR(inode->i_mode) && (flag & FMODE_WRITE))
+	if (S_ISDIR(inode->i_mode) && (acc_mode & MAY_WRITE))
 		return -EISDIR;
 
 	error = vfs_permission(nd, acc_mode);
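Review bot: the removed line `-	if (S_ISDIR(inode->i_mode) && (flag & FMODE_WRITE))` decided EISDIR from the access-mode bits of `flag`, while the permission check on the next context line, `error = vfs_permission(nd, acc_mode);`, is driven by acc_mode; the two operands could disagree, and the second hunk's `flag &= ~O_TRUNC;` shows that O_TRUNC is a separate bit in `flag` that the FMODE_WRITE test never looked at. Reading `acc_mode & MAY_WRITE` here makes the directory check and the permission check consume the same mask, and keeping it ahead of vfs_permission() means a directory open carrying write intent is refused even when the caller holds write permission on the directory, which is exactly the case the description names. Two asks: confirm that the open_namei() caller in this tree already adds MAY_WRITE to acc_mode for O_TRUNC, since the fix is only effective if it does and that code is not in this patch; and convert any other `flag & FMODE_WRITE` test in may_open() in the same patch rather than a follow-up, because one missed instance reopens the gap.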
@@ -1546,7 +1546,7 @@ int may_open(struct nameidata *nd, int acc_mode, int flag)
 			return -EACCES;
 
 		flag &= ~O_TRUNC;
-	} else if (IS_RDONLY(inode) && (flag & FMODE_WRITE))
+	} else if (IS_RDONLY(inode) && (acc_mode & MAY_WRITE))
 		return -EROFS;
 	/*
 	 * An append-only file must be opened in append mode for writing.
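Review bot: the read-only mount check `} else if (IS_RDONLY(inode) && (acc_mode & MAY_WRITE))` now refuses an O_TRUNC open on a read-only filesystem with EROFS instead of letting a read-only access mode slip past, consistent with the first hunk and with the `flag &= ~O_TRUNC;` two lines above, which confirms truncation intent is tracked in `flag` independently of the FMODE_WRITE bit. The hunk stops at the comment introducing the append-only handling, so the remainder of may_open() is not visible here; if that tail still tests `flag & FMODE_WRITE` for the append-only or immutable cases, it should either be switched to acc_mode as well or a one-line note in the patch description should say why it is intentionally left alone.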