OSDN Git Service

Remove suid/sgid bits on truncate() (CVE-2008-4210)
author Eugene Teo <eteo@redhat.com>
Tue, 7 Oct 2008 01:45:11 +0000 (09:45 +0800)
committer Willy Tarreau <w@1wt.eu>
Sun, 19 Oct 2008 21:07:14 +0000 (23:07 +0200)
Hi Willy,

I noticed that CVE-2008-4210 is missing from the linux-2.4.git tree.

Don (cc'ed) proposed this:

Cc: Don Howard <dhoward@redhat.com>
Test-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Willy Tarreau <w@1wt.eu>
fs/open.c

index 512b60f..ca47086 100644 (file)
--- a/fs/open.c
+++ b/fs/open.c
@@ -109,6 +109,8 @@ int do_truncate(struct dentry *dentry, loff_t length)
        down(&inode->i_sem);
        newattrs.ia_size = length;
        newattrs.ia_valid = ATTR_SIZE | ATTR_CTIME;
+       /* Remove suid/sgid on truncate too */
+       remove_suid(inode);
        error = notify_change(dentry, &newattrs);
        up(&inode->i_sem);
        up_write(&inode->i_alloc_sem);
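Review bot: The added remove_suid(inode) call in do_truncate() runs before `error = notify_change(dentry, &newattrs);` and is not conditioned on its result, so the suid/sgid bits are dropped even when notify_change() fails and the size is left unchanged. That ordering fails safe, but the comment should say it is intentional rather than just "on truncate too", which does not name the other path it refers to. The call also changes the inode outside the newattrs update that follows it, so it is worth confirming it is meant to be a separate attribute change and not folded into ia_valid. The diff shown touches only fs/open.c, so check that remove_suid() is declared and linkable from this file. Finally, the commit message is a forwarded mail and never states the actual problem; one sentence explaining why a truncate must clear the privilege bits would make the log self-contained, and the "Test-by:" trailer looks like it was meant to be "Tested-by:".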