From: Jann Horn <jannh@google.com>
To: Richard Henderson <rth@twiddle.net>,
Ivan Kokshaysky <ink@jurassic.park.msu.ru>,
Matt Turner <mattst88@gmail.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org, jannh@google.com
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
"Theodore Ts'o" <tytso@mit.edu>,
Andreas Dilger <adilger.kernel@dilger.ca>,
linux-alpha@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] fs: don't let getdents return bogus names
Date: Mon, 16 Jul 2018 21:48:43 +0200 [thread overview]
Message-ID: <20180716194843.252772-1-jannh@google.com> (raw)
When you e.g. run `find` on a directory for which getdents returns
"filenames" that contain slashes, `find` passes those "filenames" back to
the kernel, which then interprets them as paths. That could conceivably
cause userspace to do something bad when accessing something like an
untrusted USB stick, but I'm not aware of any specific example.
Instead of returning bogus filenames to userspace, return -EUCLEAN.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
---
I didn't get any replies to my mail "readdir() and directory names
containing slashes" from a few days ago, so here's a suggested fix.
As often, I'm not entirely sure whether this should be marked for stable
backport.
Does anyone want to bikeshed the choice of error number? ext4 uses
-EUCLEAN (aliased as -EFSCORRUPTED) for signalling filesystem corruption;
I think vfat just skips errors; fuse uses -EIO for this specific problem.
Behavior of "find" when encountering such filesystem corruption:
$ sudo mount img mnt
$ strace -v -e trace=getdents ls mnt
getdents(3, [{d_ino=1, d_off=1, d_reclen=24, d_name=".", d_type=DT_DIR}, {d_ino=1, d_off=2, d_reclen=24, d_name="..", d_type=DT_DIR}, {d_ino=67, d_off=16384, d_reclen=32, d_name="../../xx", d_type=DT_DIR}], 32768) = 80
getdents(3, [], 32768) = 0
+++ exited with 0 +++
$ find ../xx -ls
406454 4 drwxr-xr-x 3 user user 4096 Jul 16 20:48 ../xx
406455 4 drwxr-xr-x 2 user user 4096 Jul 16 20:48 ../xx/blah
406457 0 -rw-r--r-- 1 user user 0 Jul 16 20:48 ../xx/blah/bar
$ find mnt -ls
1 16 drwxr-xr-x 3 root root 16384 Jan 1 1970 mnt
406454 4 drwxr-xr-x 3 user user 4096 Jul 16 20:48 mnt/../../xx
406455 4 drwxr-xr-x 2 user user 4096 Jul 16 20:48 mnt/../../xx/blah
406457 0 -rw-r--r-- 1 user user 0 Jul 16 20:48 mnt/../../xx/blah/bar
arch/alpha/kernel/osf_sys.c | 3 +++
fs/readdir.c | 33 +++++++++++++++++++++++++++++++++
include/linux/fs.h | 3 +++
3 files changed, 39 insertions(+)
diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c
index 6e921754c8fc..f16857d9782d 100644
--- a/arch/alpha/kernel/osf_sys.c
+++ b/arch/alpha/kernel/osf_sys.c
@@ -40,6 +40,7 @@
#include <linux/vfs.h>
#include <linux/rcupdate.h>
#include <linux/slab.h>
+#include <linux/fs.h>
#include <asm/fpu.h>
#include <asm/io.h>
@@ -117,6 +118,8 @@ osf_filldir(struct dir_context *ctx, const char *name, int namlen,
unsigned int reclen = ALIGN(NAME_OFFSET + namlen + 1, sizeof(u32));
unsigned int d_ino;
+ if (bogus_dirent_name(&buf->error, name, namlen, __func__))
+ return -EUCLEAN;
buf->error = -EINVAL; /* only used if we fail */
if (reclen > buf->count)
return -EINVAL;
diff --git a/fs/readdir.c b/fs/readdir.c
index d97f548e6323..a061a52b06d1 100644
--- a/fs/readdir.c
+++ b/fs/readdir.c
@@ -88,6 +88,29 @@ struct readdir_callback {
int result;
};
+/*
+ * Most filesystems don't filter out bogus directory entry names, and userspace
+ * can get very confused by such names. Behave as if a low-level IO error had
+ * happened while reading directory entries.
+ */
+bool bogus_dirent_name(int *errp, const char *name, int namlen,
+ const char *caller)
+{
+ if (namlen == 0) {
+ pr_err_once("%s: filesystem returned bogus empty name\n",
+ caller);
+ *errp = -EUCLEAN;
+ return true;
+ }
+ if (memchr(name, '/', namlen)) {
+ pr_err_once("%s: filesystem returned bogus name '%*pEhp' (contains slash)\n",
+ caller, namlen, name);
+ *errp = -EUCLEAN;
+ return true;
+ }
+ return false;
+}
+
static int fillonedir(struct dir_context *ctx, const char *name, int namlen,
loff_t offset, u64 ino, unsigned int d_type)
{
@@ -98,6 +121,8 @@ static int fillonedir(struct dir_context *ctx, const char *name, int namlen,
if (buf->result)
return -EINVAL;
+ if (bogus_dirent_name(&buf->result, name, namlen, __func__))
+ return -EUCLEAN;
d_ino = ino;
if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
buf->result = -EOVERFLOW;
@@ -173,6 +198,8 @@ static int filldir(struct dir_context *ctx, const char *name, int namlen,
int reclen = ALIGN(offsetof(struct linux_dirent, d_name) + namlen + 2,
sizeof(long));
+ if (bogus_dirent_name(&buf->error, name, namlen, __func__))
+ return -EUCLEAN;
buf->error = -EINVAL; /* only used if we fail.. */
if (reclen > buf->count)
return -EINVAL;
@@ -259,6 +286,8 @@ static int filldir64(struct dir_context *ctx, const char *name, int namlen,
int reclen = ALIGN(offsetof(struct linux_dirent64, d_name) + namlen + 1,
sizeof(u64));
+ if (bogus_dirent_name(&buf->error, name, namlen, __func__))
+ return -EUCLEAN;
buf->error = -EINVAL; /* only used if we fail.. */
if (reclen > buf->count)
return -EINVAL;
@@ -358,6 +387,8 @@ static int compat_fillonedir(struct dir_context *ctx, const char *name,
if (buf->result)
return -EINVAL;
+ if (bogus_dirent_name(&buf->result, name, namlen, __func__))
+ return -EUCLEAN;
d_ino = ino;
if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
buf->result = -EOVERFLOW;
@@ -427,6 +458,8 @@ static int compat_filldir(struct dir_context *ctx, const char *name, int namlen,
int reclen = ALIGN(offsetof(struct compat_linux_dirent, d_name) +
namlen + 2, sizeof(compat_long_t));
+ if (bogus_dirent_name(&buf->error, name, namlen, __func__))
+ return -EUCLEAN;
buf->error = -EINVAL; /* only used if we fail.. */
if (reclen > buf->count)
return -EINVAL;
diff --git a/include/linux/fs.h b/include/linux/fs.h
index d78d146a98da..5d12a40bcc0c 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1680,6 +1680,9 @@ struct dir_context {
loff_t pos;
};
+bool bogus_dirent_name(int *errp, const char *name, int namlen,
+ const char *caller);
+
struct block_device_operations;
/* These macros are for out of kernel modules to test that
--
2.18.0.203.gfac676dfb9-goog
next reply other threads:[~2018-07-16 19:48 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-16 19:48 Jann Horn [this message]
2018-07-16 19:56 ` [PATCH] fs: don't let getdents return bogus names Al Viro
2018-07-16 20:20 ` Jann Horn
2018-07-19 0:50 ` Dave Chinner
2018-07-29 11:37 ` Pavel Machek
2018-07-16 21:47 ` kbuild test robot
2018-07-16 21:47 ` kbuild test robot
2018-07-16 21:47 ` kbuild test robot
2018-07-16 21:47 ` kbuild test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180716194843.252772-1-jannh@google.com \
--to=jannh@google.com \
--cc=adilger.kernel@dilger.ca \
--cc=ebiederm@xmission.com \
--cc=ink@jurassic.park.msu.ru \
--cc=linux-alpha@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mattst88@gmail.com \
--cc=rth@twiddle.net \
--cc=tytso@mit.edu \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.