From: Sasha Levin <sashal@kernel.org>
To: Naresh Kamboju <naresh.kamboju@linaro.org>
Cc: open list <linux-kernel@vger.kernel.org>,
linux- stable <stable@vger.kernel.org>,
Miklos Szeredi <mszeredi@redhat.com>,
linux-unionfs@vger.kernel.org, lkft-triage@lists.linaro.org
Subject: Re: [PATCH AUTOSEL 4.14 090/108] ovl: verify permissions in ovl_path_open()
Date: Tue, 23 Jun 2020 13:16:13 -0400 [thread overview]
Message-ID: <20200623171613.GB1931@sasha-vm> (raw)
In-Reply-To: <CA+G9fYuBGRz9=Q5KyCat0qk_8aiGvNsreY05rcGSjMZpvM1FJg@mail.gmail.com>
On Tue, Jun 23, 2020 at 08:55:38PM +0530, Naresh Kamboju wrote:
>On Thu, 18 Jun 2020 at 07:18, Sasha Levin <sashal@kernel.org> wrote:
>>
>> From: Miklos Szeredi <mszeredi@redhat.com>
>>
>> [ Upstream commit 56230d956739b9cb1cbde439d76227d77979a04d ]
>>
>> Check permission before opening a real file.
>>
>> ovl_path_open() is used by readdir and copy-up routines.
>>
>> ovl_permission() theoretically already checked copy up permissions, but it
>> doesn't hurt to re-do these checks during the actual copy-up.
>>
>> For directory reading ovl_permission() only checks access to topmost
>> underlying layer. Readdir on a merged directory accesses layers below the
>> topmost one as well. Permission wasn't checked for these layers.
>>
>> Note: modifying ovl_permission() to perform this check would be far more
>> complex and hence more bug prone. The result is less precise permissions
>> returned in access(2). If this turns out to be an issue, we can revisit
>> this bug.
>>
>> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
>> Signed-off-by: Sasha Levin <sashal@kernel.org>
>> ---
>> fs/overlayfs/util.c | 27 ++++++++++++++++++++++++++-
>> 1 file changed, 26 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
>> index afdc2533ce74..76d6610767f6 100644
>> --- a/fs/overlayfs/util.c
>> +++ b/fs/overlayfs/util.c
>> @@ -307,7 +307,32 @@ bool ovl_is_whiteout(struct dentry *dentry)
>>
>> struct file *ovl_path_open(struct path *path, int flags)
>> {
>> - return dentry_open(path, flags | O_NOATIME, current_cred());
>> + struct inode *inode = d_inode(path->dentry);
>> + int err, acc_mode;
>> +
>> + if (flags & ~(O_ACCMODE | O_LARGEFILE))
>> + BUG();
>> +
>> + switch (flags & O_ACCMODE) {
>> + case O_RDONLY:
>> + acc_mode = MAY_READ;
>> + break;
>> + case O_WRONLY:
>> + acc_mode = MAY_WRITE;
>> + break;
>> + default:
>> + BUG();
>
>This BUG: triggered on stable-rc 5.7, 5.4, 4.19 and 4.14.
>
>steps to reproduce:
> - cd /opt/ltp
> - ./runltp -s execveat03
Yup, that patch has been dropped, thanks for testing!
--
Thanks,
Sasha
next prev parent reply other threads:[~2020-06-23 17:16 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200618012600.608744-1-sashal@kernel.org>
2020-06-18 1:25 ` [PATCH AUTOSEL 4.14 090/108] ovl: verify permissions in ovl_path_open() Sasha Levin
2020-06-23 15:25 ` Naresh Kamboju
2020-06-23 17:16 ` Sasha Levin [this message]
2020-06-23 18:28 ` Naresh Kamboju
2020-06-23 18:59 ` Amir Goldstein
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200623171613.GB1931@sasha-vm \
--to=sashal@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=lkft-triage@lists.linaro.org \
--cc=mszeredi@redhat.com \
--cc=naresh.kamboju@linaro.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).