From be86e9525d4cb0a99ade92fbc2056326ec2ecb5b Mon Sep 17 00:00:00 2001
From: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
Date: Wed, 16 Jul 2025 18:48:47 +0800
Subject: [PATCH] [CVE] CVE-2025-52555 to #22207 add patch to fix CVE-2025-52555 Project: TC2024080204
Signed-off-by: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
---
 43-bugfix-for-CVE-2025-52555.patch | 82 ++++++++++++++++++++++++++++++
 ceph.spec | 6 ++-
 2 files changed, 87 insertions(+), 1 deletion(-)
 create mode 100644 43-bugfix-for-CVE-2025-52555.patch
diff --git a/43-bugfix-for-CVE-2025-52555.patch b/43-bugfix-for-CVE-2025-52555.patch
new file mode 100644
index 0000000..6d55bba
--- /dev/null
+++ b/43-bugfix-for-CVE-2025-52555.patch
@@ -0,0 +1,82 @@
+From d19668a519cd98d429d2ef547de7acd48f75f99a Mon Sep 17 00:00:00 2001
+From: Xiubo Li
+Date: Wed, 3 Apr 2024 19:02:08 +0800
+Subject: [PATCH] client: disallow unprivileged users to escalate root
+ privileges
+
+An unprivileged user can `chmod 777` a directory owned by root
+and gain access. Fix this bug and also add a test case for the
+same.
+
+Signed-off-by: Xiubo Li
+Signed-off-by: Venky Shankar
+---
+ src/client/Client.cc | 24 ++++++++++++++----------
+ src/test/libcephfs/suidsgid.cc | 10 ++++++++++
+ 2 files changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/src/client/Client.cc b/src/client/Client.cc
+index 2f3e170fe20f5..f9c6a927f425f 100644
+--- a/src/client/Client.cc
++++ b/src/client/Client.cc
+@@ -6026,18 +6026,22 @@ int Client::may_setattr(Inode *in, struct ceph_statx *stx, int mask,
+ }
+
+ if (mask & CEPH_SETATTR_MODE) {
++ bool allowed = false;
++ /*
++ * Currently the kernel fuse and libfuse code is buggy and
++ * won't pass the ATTR_KILL_SUID/ATTR_KILL_SGID to ceph-fuse.
++ * But will just set the ATTR_MODE and at the same time by
++ * clearing the suid/sgid bits.
++ *
++ * Only allow unprivileged users to clear S_ISUID and S_ISUID.
++ */
++ if ((in->mode & (S_ISUID | S_ISGID)) != (stx->stx_mode & (S_ISUID | S_ISGID)) &&
++ (in->mode & ~(S_ISUID | S_ISGID)) == (stx->stx_mode & ~(S_ISUID | S_ISGID))) {
++ allowed = true;
++ }
+ uint32_t m = ~stx->stx_mode & in->mode; // mode bits removed
+ ldout(cct, 20) << __func__ << " " << *in << " = " << hex << m << dec << dendl;
+- if (perms.uid() != 0 && perms.uid() != in->uid &&
+- /*
+- * Currently the kernel fuse and libfuse code is buggy and
+- * won't pass the ATTR_KILL_SUID/ATTR_KILL_SGID to ceph-fuse.
+- * But will just set the ATTR_MODE and at the same time by
+- * clearing the suid/sgid bits.
+- *
+- * Only allow unprivileged users to clear S_ISUID and S_ISUID.
+- */
+- (m & ~(S_ISUID | S_ISGID)))
++ if (perms.uid() != 0 && perms.uid() != in->uid && !allowed)
+ goto out;
+
+ gid_t i_gid = (mask & CEPH_SETATTR_GID) ? stx->stx_gid : in->gid;
+diff --git a/src/test/libcephfs/suidsgid.cc b/src/test/libcephfs/suidsgid.cc
+index d750613ebd814..474795cc455d4 100644
+--- a/src/test/libcephfs/suidsgid.cc
++++ b/src/test/libcephfs/suidsgid.cc
+@@ -134,6 +134,14 @@ void run_truncate_test_case(int mode, int result, size_t size, bool with_admin=f
+ ceph_close(_cmount, fd);
+ }
+
++void run_change_mode_test_case()
++{
++ char c_dir[1024];
++ sprintf(c_dir, "/mode_test_%d", getpid());
++ ASSERT_EQ(0, ceph_mkdirs(admin, c_dir, 0700));
++ ASSERT_EQ(ceph_chmod(cmount, c_dir, 0777), -CEPHFS_EPERM);
++}
++
+ TEST(SuidsgidTest, WriteClearSetuid) {
+ ASSERT_EQ(0, ceph_create(&admin, NULL));
+ ASSERT_EQ(0, ceph_conf_read_file(admin, NULL));
+@@ -206,6 +214,8 @@ TEST(SuidsgidTest, WriteClearSetuid) {
+ // 14, Truncate by unprivileged user clears the suid and sgid
+ run_truncate_test_case(06766, 0, 100);
+
++ run_change_mode_test_case();
++
+ // clean up
+ ceph_shutdown(cmount);
+ ceph_shutdown(admin);
diff --git a/ceph.spec b/ceph.spec
index 7b8fcc8..ffb96df 100644
--- a/ceph.spec
+++ b/ceph.spec
@@ -1,4 +1,4 @@
-%define anolis_release 3
+%define anolis_release 4
 #
 # spec file for package ceph
 #
@@ -127,6 +127,7 @@ Patch0039: 0039-src-common-dout.h.patch
 Patch0040: 0040-add-loongarch64-support-for-ceph-18.2.1.patch
 Patch0041: 0041-fix-close-can-not-be-find-in-TUDPTransport.cc.patch
 Patch0042: 0042-add-riscv64-support-for-ceph-18.2.1.patch
+Patch43: 43-bugfix-for-CVE-2025-52555.patch
 #################################################################################
 # dependencies that apply across all distro families
 #################################################################################
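Review bot: In the embedded `src/client/Client.cc` hunk, the new `allowed` test in `Client::may_setattr` is true whenever the S_ISUID/S_ISGID bits differ and every other mode bit matches, so it admits a non-owner setting those bits as well as clearing them, although the comment says only clearing is intended. A third conjunct such as `(stx->stx_mode & ~in->mode & (S_ISUID | S_ISGID)) == 0` would restrict the exception to clearing. The comment also reads "S_ISUID and S_ISUID" where S_ISGID is presumably meant, and `run_change_mode_test_case` covers only the 0700 to 0777 denial; a case asserting `-CEPHFS_EPERM` when a non-owner adds S_ISUID would pin the clear-only rule. The body of `may_setattr` continues outside the hunk, so a later check may already narrow this.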
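Review bot: The new `Patch43: 43-bugfix-for-CVE-2025-52555.patch` entry in `ceph.spec` departs from the zero-padded scheme of its neighbours (`Patch0042: 0042-…`); `Patch0043: 0043-bugfix-for-CVE-2025-52555.patch`, with the file renamed to match, would keep the list consistent. The `%prep` section is outside this hunk, so it is worth confirming that the patch is actually applied there, whether through `%autosetup`/`%autopatch` or an explicit `%patch` line. A declared but unapplied patch would ship the unfixed client under a release number whose changelog claims the CVE fix.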
@@ -2026,6 +2027,9 @@ exit 0 %{_datadir}/snmp/mibs %changelog +* Wed Jul 16 2025 tomcruiseqi - 18.2.1-4 +- Fix CVE-2025-52555 + * Fri May 30 2025 Yihao Yan - 2:18.2.1-3 - add support for riscv build -- Gitee