From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755266AbcH1FoD (ORCPT ); Sun, 28 Aug 2016 01:44:03 -0400 Received: from imap.thunk.org ([74.207.234.97]:44664 "EHLO imap.thunk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751220AbcH1FoC (ORCPT ); Sun, 28 Aug 2016 01:44:02 -0400 Date: Sun, 28 Aug 2016 01:13:30 -0400 From: "Theodore Ts'o" To: Chao Yu Cc: jaegeuk@kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org, Chao Yu Subject: Re: [PATCH] fscrypto: fix to null-terminate encrypted filename in fname_encrypt Message-ID: <20160828051330.7kyhhvvxitghshi7@thunk.org> Mail-Followup-To: Theodore Ts'o , Chao Yu , jaegeuk@kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org, Chao Yu References: <1472346808-3213-1-git-send-email-chao@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1472346808-3213-1-git-send-email-chao@kernel.org> User-Agent: Mutt/1.6.2-neo (2016-07-23) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: tytso@thunk.org X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Aug 28, 2016 at 09:13:28AM +0800, Chao Yu wrote: > From: Chao Yu > > This patch fixes to add null character at the end of encrypted filename > in fname_encrypt, in order to avoid incorrectly traversing random data > located after target filename. The call stack is as below: > > - f2fs_add_link > - __f2fs_add_link > - fscrypt_setup_filename > - fscrypt_fname_alloc_buffer allocate buffer for @fname > - fname_encrypt didn't set null character for @fname > - f2fs_add_regular_entry init qstr with @fname > - init_inode_metadata > - f2fs_init_security > - security_inode_init_security > - selinux_inode_init_security > - selinux_determine_inode_label > - security_transition_sid > - security_compute_sid > - filename_compute_type > - hashtab_search > - filenametr_hash traverse @fname as one which has null character The problem is not in fname_encrypt(), but rather that security_inode_init_security() should be given the _unencrypted_ filename. In ext4 security_inode_init_security() is called with the qstr from the dentry, not the encrypted qstr --- in fact we call security_inode_init_security before we call fname_encrypt. SELinux needs the unencrypted filename in order to decide which SELinux rules / labels should apply. - Ted