* FAILED: patch "[PATCH] ovl: fix missing negative dentry check in ovl_rename()" failed to apply to 4.4-stable tree
From: gregkh @ 2021-10-09 13:55 UTC (permalink / raw)
To: zhengliang6, mszeredi, stable; +Cc: stable
The patch below does not apply to the 4.4-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From a295aef603e109a47af355477326bd41151765b6 Mon Sep 17 00:00:00 2001
From: Zheng Liang <zhengliang6@huawei.com>
Date: Fri, 24 Sep 2021 09:16:27 +0800
Subject: [PATCH] ovl: fix missing negative dentry check in ovl_rename()

The following reproducer

  mkdir lower upper work merge
  touch lower/old
  touch lower/new
  mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merge
  rm merge/new
  mv merge/old merge/new & unlink upper/new

may result in this race:

PROCESS A:
  rename("merge/old", "merge/new");
  overwrite=true,ovl_lower_positive(old)=true,
  ovl_dentry_is_whiteout(new)=true -> flags |= RENAME_EXCHANGE

PROCESS B:
  unlink("upper/new");

PROCESS A:
  lookup newdentry in new_upperdir
  call vfs_rename() with negative newdentry and RENAME_EXCHANGE

Fix by adding the missing check for negative newdentry.

Signed-off-by: Zheng Liang <zhengliang6@huawei.com>
Fixes: e9be9d5e76e3 ("overlay filesystem")
Cc: <stable@vger.kernel.org> # v3.18
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
index 1fefb2b8960e..93c7c267de93 100644
--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -1219,9 +1219,13 @@ static int ovl_rename(struct user_namespace *mnt_userns, struct inode *olddir,
goto out_dput;
}
} else {
- if (!d_is_negative(newdentry) &&
- (!new_opaque || !ovl_is_whiteout(newdentry)))
- goto out_dput;
+ if (!d_is_negative(newdentry)) {
+ if (!new_opaque || !ovl_is_whiteout(newdentry))
+ goto out_dput;
+ } else {
+ if (flags & RENAME_EXCHANGE)
+ goto out_dput;
+ }
}
if (olddentry == trap)
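
Review bot: the new `else` branch leaves through `goto out_dput` when `newdentry` is negative and `flags & RENAME_EXCHANGE` is set, but nothing in this hunk shows which error value is returned on that path. Please confirm `err` holds a sensible value here (the existing `goto out_dput` just above relies on the same one), and consider a one-line comment on the `if (flags & RENAME_EXCHANGE)` test saying that the negative dentry comes from a concurrent unlink in the upper directory, since that is only explained in the commit message.
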
* [PATCH] ovl: fix missing negative dentry check in ovl_rename()
From: Masami Ichikawa(CIP) @ 2021-10-22 0:16 UTC (permalink / raw)
To: gregkh; +Cc: mszeredi, stable, zhengliang6, Masami Ichikawa
From: Zheng Liang <zhengliang6@huawei.com>
From: Zheng Liang <zhengliang6@huawei.com>
commit a295aef603e109a47af355477326bd41151765b6 upstream.

The following reproducer

  mkdir lower upper work merge
  touch lower/old
  touch lower/new
  mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merge
  rm merge/new
  mv merge/old merge/new & unlink upper/new

may result in this race:

PROCESS A:
  rename("merge/old", "merge/new");
  overwrite=true,ovl_lower_positive(old)=true,
  ovl_dentry_is_whiteout(new)=true -> flags |= RENAME_EXCHANGE

PROCESS B:
  unlink("upper/new");

PROCESS A:
  lookup newdentry in new_upperdir
  call vfs_rename() with negative newdentry and RENAME_EXCHANGE

Fix by adding the missing check for negative newdentry.

Signed-off-by: Zheng Liang <zhengliang6@huawei.com>
Fixes: e9be9d5e76e3 ("overlay filesystem")
Cc: <stable@vger.kernel.org> # v3.18
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Reference: CVE-2021-20321
Signed-off-by: Masami Ichikawa(CIP) <masami.ichikawa@cybertrust.co.jp>
---
fs/overlayfs/dir.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
index eedacae889b9..80bf0ab52e81 100644
--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -824,9 +824,13 @@ static int ovl_rename2(struct inode *olddir, struct dentry *old,
}
} else {
new_create = true;
- if (!d_is_negative(newdentry) &&
- (!new_opaque || !ovl_is_whiteout(newdentry)))
- goto out_dput;
+ if (!d_is_negative(newdentry)) {
+ if (!new_opaque || !ovl_is_whiteout(newdentry))
+ goto out_dput;
+ } else {
+ if (flags & RENAME_EXCHANGE)
+ goto out_dput;
+ }
}
if (olddentry == trap)
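
Review bot: the commit message is carried over unchanged from upstream, while this hunk lands in `ovl_rename2()` rather than `ovl_rename()` and follows a `new_create = true;` context line that the upstream hunk does not have. A short bracketed backport note above the backporter's Signed-off-by, stating that only the surrounding context was adjusted for 4.4, would let stable reviewers check the port against the upstream commit without diffing the two by hand.
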
--
2.33.0
* Re: [PATCH] ovl: fix missing negative dentry check in ovl_rename()
From: Greg KH @ 2021-10-24 11:50 UTC (permalink / raw)
To: Masami Ichikawa(CIP); +Cc: mszeredi, stable, zhengliang6, Masami Ichikawa
On Fri, Oct 22, 2021 at 09:16:05AM +0900, Masami Ichikawa(CIP) wrote:
> From: Zheng Liang <zhengliang6@huawei.com>
>
> From: Zheng Liang <zhengliang6@huawei.com>
>
> commit a295aef603e109a47af355477326bd41151765b6 upstream.
>
> The following reproducer
>
> mkdir lower upper work merge
> touch lower/old
> touch lower/new
> mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merge
> rm merge/new
> mv merge/old merge/new & unlink upper/new
>
> may result in this race:
>
> PROCESS A:
> rename("merge/old", "merge/new");
> overwrite=true,ovl_lower_positive(old)=true,
> ovl_dentry_is_whiteout(new)=true -> flags |= RENAME_EXCHANGE
>
> PROCESS B:
> unlink("upper/new");
>
> PROCESS A:
> lookup newdentry in new_upperdir
> call vfs_rename() with negative newdentry and RENAME_EXCHANGE
>
> Fix by adding the missing check for negative newdentry.
>
> Signed-off-by: Zheng Liang <zhengliang6@huawei.com>
> Fixes: e9be9d5e76e3 ("overlay filesystem")
> Cc: <stable@vger.kernel.org> # v3.18
> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
> Reference: CVE-2021-20321
> Signed-off-by: Masami Ichikawa(CIP) <masami.ichikawa@cybertrust.co.jp>
> ---
> fs/overlayfs/dir.c | 10 +++++++---
> 1 file changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
> index eedacae889b9..80bf0ab52e81 100644
> --- a/fs/overlayfs/dir.c
> +++ b/fs/overlayfs/dir.c
> @@ -824,9 +824,13 @@ static int ovl_rename2(struct inode *olddir, struct dentry *old,
> }
> } else {
> new_create = true;
> - if (!d_is_negative(newdentry) &&
> - (!new_opaque || !ovl_is_whiteout(newdentry)))
> - goto out_dput;
> + if (!d_is_negative(newdentry)) {
> + if (!new_opaque || !ovl_is_whiteout(newdentry))
> + goto out_dput;
> + } else {
> + if (flags & RENAME_EXCHANGE)
> + goto out_dput;
> + }
> }
>
> if (olddentry == trap)
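
Review bot: style point on the added `} else {` branch: it wraps a single `if (flags & RENAME_EXCHANGE)` and could be written as `} else if (flags & RENAME_EXCHANGE) {`, which saves a nesting level. For a stable backport, keeping the upstream shape so the two diffs stay comparable is the better trade, so this cleanup belongs in the upstream tree first.
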
> --
> 2.33.0
>
Now queued up for 4.4.y, thanks!
greg k-h