From 2b4ff0c71e551fc1a6797068ba9385b33ba1f67d Mon Sep 17 00:00:00 2001
From: lizhipeng
Date: Fri, 11 Jul 2025 11:37:13 +0800
Subject: [PATCH] fix CVE-2025-52555

Signed-off-by: lizhipeng
(cherry picked from commit aed39af0dcccf59150fb06b59b12df580b56b715)
---
 ...-unprivileged-users-to-escalate-root.patch | 85 +++++++++++++++++++
 ceph.spec | 6 +-
 2 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 0007-client-disallow-unprivileged-users-to-escalate-root.patch

diff --git a/0007-client-disallow-unprivileged-users-to-escalate-root.patch b/0007-client-disallow-unprivileged-users-to-escalate-root.patch
new file mode 100644
index 0000000..740df92
--- /dev/null
+++ b/0007-client-disallow-unprivileged-users-to-escalate-root.patch
@@ -0,0 +1,85 @@
+From fb1b72d5cbfb285620a2ae632f1b4d75b8fb8336 Mon Sep 17 00:00:00 2001
+From: Xiubo Li
+Date: Wed, 3 Apr 2024 19:02:08 +0800
+Subject: [PATCH] client: disallow unprivileged users to escalate root
+ privileges
+
+An unprivileged user can `chmod 777` a directory owned by root
+and gain access. Fix this bug and also add a test case for the
+same.
+
+Signed-off-by: Xiubo Li
+Signed-off-by: Venky Shankar
+---
+ src/client/Client.cc | 24 ++++++++++++++----------
+ src/test/libcephfs/suidsgid.cc | 10 ++++++++++
+ 2 files changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/src/client/Client.cc b/src/client/Client.cc
+index f1f70c1321d..eefcf555dc9 100644
+--- a/src/client/Client.cc
++++ b/src/client/Client.cc
+@@ -6204,18 +6204,22 @@ int Client::may_setattr(const InodeRef& in, struct ceph_statx *stx, int mask,
+ }
+
+ if (mask & CEPH_SETATTR_MODE) {
++ bool allowed = false;
++ /*
++ * Currently the kernel fuse and libfuse code is buggy and
++ * won't pass the ATTR_KILL_SUID/ATTR_KILL_SGID to ceph-fuse.
++ * But will just set the ATTR_MODE and at the same time by
++ * clearing the suid/sgid bits.
++ *
++ * Only allow unprivileged users to clear S_ISUID and S_ISUID.
++ */
++ if ((in->mode & (S_ISUID | S_ISGID)) != (stx->stx_mode & (S_ISUID | S_ISGID)) &&
++ (in->mode & ~(S_ISUID | S_ISGID)) == (stx->stx_mode & ~(S_ISUID | S_ISGID))) {
++ allowed = true;
++ }
+ uint32_t m = ~stx->stx_mode & in->mode; // mode bits removed
+ ldout(cct, 20) << __func__ << " " << *in << " = " << hex << m << dec << dendl;
+- if (perms.uid() != 0 && perms.uid() != in->uid &&
+- /*
+- * Currently the kernel fuse and libfuse code is buggy and
+- * won't pass the ATTR_KILL_SUID/ATTR_KILL_SGID to ceph-fuse.
+- * But will just set the ATTR_MODE and at the same time by
+- * clearing the suid/sgid bits.
+- *
+- * Only allow unprivileged users to clear S_ISUID and S_ISUID.
+- */
+- (m & ~(S_ISUID | S_ISGID)))
++ if (perms.uid() != 0 && perms.uid() != in->uid && !allowed)
+ goto out;
+
+ gid_t i_gid = (mask & CEPH_SETATTR_GID) ? stx->stx_gid : in->gid;
+diff --git a/src/test/libcephfs/suidsgid.cc b/src/test/libcephfs/suidsgid.cc
+index 0802e8cb2b4..2ca38349a72 100644
+--- a/src/test/libcephfs/suidsgid.cc
++++ b/src/test/libcephfs/suidsgid.cc
+@@ -134,6 +134,14 @@ void run_truncate_test_case(int mode, int result, size_t size, bool with_admin=f
+ ceph_close(_cmount, fd);
+ }
+
++void run_change_mode_test_case()
++{
++ char c_dir[1024];
++ sprintf(c_dir, "/mode_test_%d", getpid());
++ ASSERT_EQ(0, ceph_mkdirs(admin, c_dir, 0700));
++ ASSERT_EQ(ceph_chmod(cmount, c_dir, 0777), -EPERM);
++}
++
+ TEST(SuidsgidTest, WriteClearSetuid) {
+ ASSERT_EQ(0, ceph_create(&admin, NULL));
+ ASSERT_EQ(0, ceph_conf_read_file(admin, NULL));
+@@ -206,6 +214,8 @@ TEST(SuidsgidTest, WriteClearSetuid) {
+ // 14, Truncate by unprivileged user clears the suid and sgid
+ run_truncate_test_case(06766, 0, 100);
+
++ run_change_mode_test_case();
++
+ // clean up
+ ceph_shutdown(cmount);
+ ceph_shutdown(admin);
+--
+2.47.1
+
diff --git a/ceph.spec b/ceph.spec
index 1f1b7b7..091034a 100644
--- a/ceph.spec
+++ b/ceph.spec
@@ -174,7 +174,7 @@
 #################################################################################
 Name: ceph
 Version: 18.2.2
-Release: 7
+Release: 8
 %if 0%{?fedora} || 0%{?rhel} || 0%{?openEuler}
 Epoch: 2
 %endif
@@ -198,6 +198,7 @@ Patch3: 0003-fix-CVE-2023-46159.patch
 Patch4: 0004-fix-mds-metadata-lost-in-one-case.patch
 Patch5: 0005-fix-CVE-2024-48916.patch
 Patch6: 0006-client-set-LIBMOUNT_FORCE_MOUNT2-always.patch
+Patch7: 0007-client-disallow-unprivileged-users-to-escalate-root.patch
 %ifarch riscv64
 Patch9002: 9002-fix-riscv64-build.patch
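Review bot: The new `allowed` condition in the Client.cc hunk accepts any change to the S_ISUID/S_ISGID bits as long as the remaining mode bits are unchanged, so it also passes when a non-owning unprivileged caller sets those bits, although the comment directly above it says only clearing is meant to be permitted. The `m` variable ("mode bits removed") is now only logged, so nothing in the check ties the allowance to removal; adding `(stx->stx_mode & (S_ISUID | S_ISGID) & ~in->mode) == 0 &&` as a further operand of that `if` would restrict it to clearing, unless a check elsewhere in may_setattr or on the MDS side already rejects the set case, which this hunk does not show. While here, the comment's `S_ISUID and S_ISUID` should read `S_ISUID and S_ISGID`. The added test only covers the denied chmod and formats its path with `sprintf`; `snprintf(c_dir, sizeof(c_dir), "/mode_test_%d", getpid())` plus a second case asserting that an unprivileged non-owner clearing suid/sgid still succeeds would also exercise the allow path the comment describes. Client::may_setattr begins and ends outside this hunk.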
@@ -2644,6 +2645,9 @@ exit 0
 %{_datadir}/snmp/mibs
 %changelog
+* Mon Jul 7 2025 lizhipeng - 2:18.2.2-8
+- fix CVE-2025-52555
+
 * Wed Jul 2 2025 lizhipeng - 2:18.2.2-7
 - fix ceph-fuse mounting fail and coredump
--
Gitee