From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Al Viro <viro@zeniv.linux.org.uk>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 5.10 051/103] readdir: make sure to verify directory entry for legacy interfaces too
Date: Mon, 19 Apr 2021 15:06:02 +0200
Message-ID: <20210419130529.569975633@linuxfoundation.org>
In-Reply-To: <20210419130527.791982064@linuxfoundation.org>

From: Linus Torvalds <torvalds@linux-foundation.org>

commit 0c93ac69407d63a85be0129aa55ffaec27ffebd3 upstream.

This does the directory entry name verification for the legacy
"fillonedir" (and compat) interface that goes all the way back to the
dark ages before we had a proper dirent, and the readdir() system call
returned just a single entry at a time.

Nobody should use this interface unless you still have binaries from
1991, but let's do it right.

This came up during discussions about unsafe_copy_to_user() and proper
checking of all the inputs to it, as the networking layer is looking to
use it in a few new places.  So let's make sure the _old_ users do it
all right and proper, before we add new ones.

See also commit 8a23eb804ca4 ("Make filldir[64]() verify the directory
entry filename is valid") which did the proper modern interfaces that
people actually use. It had a note:

    Note that I didn't bother adding the checks to any legacy interfaces
    that nobody uses.

which this now corrects.  Note that we really don't care about POSIX and
the presence of '/' in a directory entry, but verify_dirent_name() also
ends up doing the proper name length verification which is what the
input checking discussion was about.

[ Another option would be to remove the support for this particular very
  old interface: any binaries that use it are likely a.out binaries, and
  they will no longer run anyway since we removed a.out binfmt support
  in commit eac616557050 ("x86: Deprecate a.out support").

  But I'm not sure which came first: getdents() or ELF support, so let's
  pretend somebody might still have a working binary that uses the
  legacy readdir() case.. ]

Link: https://lore.kernel.org/lkml/CAHk-=wjbvzCAhAtvG0d81W5o0-KT5PPTHhfJ5ieDFq+bGtgOYg@mail.gmail.com/
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/readdir.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/fs/readdir.c
+++ b/fs/readdir.c
@@ -150,6 +150,9 @@ static int fillonedir(struct dir_context
 
 	if (buf->result)
 		return -EINVAL;
+	buf->result = verify_dirent_name(name, namlen);
+	if (buf->result < 0)
+		return buf->result;
 	d_ino = ino;
 	if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
 		buf->result = -EOVERFLOW;
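
Review bot: the added assignment in fillonedir() stores the return value of verify_dirent_name() directly in buf->result but only treats negative values as failure, so it silently depends on the helper returning exactly 0 on success. Any positive return would be left in buf->result and make the existing `if (buf->result)` guard reject the next entry with -EINVAL. Using a local `int err` for the check, or adding a one-line comment stating the 0-or-negative contract, would remove that dependency. Placing the check ahead of the d_ino overflow test looks right, since a bad name is then reported before -EOVERFLOW can be set.
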
@@ -405,6 +408,9 @@ static int compat_fillonedir(struct dir_
 
 	if (buf->result)
 		return -EINVAL;
+	buf->result = verify_dirent_name(name, namlen);
+	if (buf->result < 0)
+		return buf->result;
 	d_ino = ino;
 	if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
 		buf->result = -EOVERFLOW;
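
Review bot: the three added lines in compat_fillonedir() have no comment explaining why a legacy path validates the name, and the reason given in the commit message (name length verification ahead of the user copy, per the unsafe_copy_to_user() input checking discussion) is not obvious from the code alone. A short comment above the `verify_dirent_name(name, namlen)` call would keep a later cleanup from dropping it as dead weight for an unused interface. The block is also a verbatim copy of the one added to fillonedir(), so the two need to be kept in sync if either changes.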


