readdir() and directory names containing slashes

readdir() and directory names containing slashes

[Jann Horn]

Hi!

The kernel doesn't seem to filter slashes out of directory names
coming from the disk (with the exception of a few specific
filesystems, like FUSE):

# touch fatimg
# truncate --size=40M fatimg
# mkfs.fat fatimg
mkfs.fat 4.1 (2017-01-24)
# mkdir mount
# mount fatimg mount
# touch mount/FOOBAR
# umount mount
# sed -i 's|FOOBAR|FO/BAR|' fatimg
# mount fatimg mount
# strace -v -e trace=getdents,lstat ls -l mount
lstat("mount", {st_dev=makedev(7, 0), st_ino=1, st_mode=S_IFDIR|0755,
st_nlink=2, st_uid=0, st_gid=0, st_blksize=2048, st_blocks=32,
st_size=16384, st_atime=0, st_atime_nsec=0, st_mtime=0,
st_mtime_nsec=0, st_ctime=0, st_ctime_nsec=0}) = 0
getdents(3, [{d_ino=1, d_off=1, d_reclen=24, d_name=".",
d_type=DT_DIR}, {d_ino=1, d_off=2, d_reclen=24, d_name="..",
d_type=DT_DIR}, {d_ino=267, d_off=16384, d_reclen=32, d_name="FO/BAR",
d_type=DT_REG}], 32768) = 80
lstat("mount/FO/BAR", 0x5603c71ee1a8)   = -1 ENOENT (No such file or directory)
ls: cannot access 'mount/FO/BAR': No such file or directory
getdents(3, [], 32768)                  = 0
total 0
-????????? ? ? ? ?            ? FO/BAR
+++ exited with 1 +++

I think it would be reasonable for the VFS layer to block this - if
someone puts something like "../../etc" in a filename, userspace could
get pretty confused.

AFAICS the simple way to deal with this would be to patch dir_emit()
to do something like this:

if (WARN_ON_ONCE(memchr(name, '/', namelen))) return true;

... but then readdir() won't indicate to userspace that the kernel
omitted a (bad) directory entry. A cleaner way might be to patch all
the ->actor handlers to do the check and propagate the error
appropriately, but then the checks would have to be placed in more
places... which also doesn't seem very clean.

Al, you probably have opinions on this?