From: Chao Yu
Subject: [PATCH] f2fs: don't allow rename unencrypted file to encrypted directory
Date: Wed, 8 Mar 2017 20:08:20 +0800
Message-ID: <20170308120820.86785-1-yuchao0@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

In commit d9cdc9033181 ("ext4 crypto: enforce context consistency") we
declared that:

2) All files or directories in a directory must be protected using the
   same key as their containing directory.

But in f2fs_cross_rename there is a vulnerability that allows
cross-renaming an unencrypted file into an encrypted directory; it needs
to be refused.

Signed-off-by: Chao Yu
---
 fs/f2fs/namei.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c index 25c073f6c7d4..8de684b84cb9 100644 --- a/fs/f2fs/namei.c +++ b/fs/f2fs/namei.c
@@ -855,6 +855,10 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry, !fscrypt_has_encryption_key(new_dir))) return -ENOKEY; + if (f2fs_encrypted_inode(old_dir) && !f2fs_encrypted_inode(new_inode) || + f2fs_encrypted_inode(new_dir) && !f2fs_encrypted_inode(old_inode)) + return -EPERM; + if ((f2fs_encrypted_inode(old_dir) || f2fs_encrypted_inode(new_dir)) && (old_dir != new_dir) && (!fscrypt_has_permitted_context(new_dir, old_inode) || -- 2.8.2.295.g3f1c1d0
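
Review bot: The commit message should say which case gets past the existing test in the trailing context lines of this hunk, since that test already calls fscrypt_has_permitted_context(new_dir, old_inode) whenever either directory is encrypted and old_dir != new_dir, and the new test is placed directly in front of it. If the existing check does cover unencrypted inodes, the added lines are redundant; if it does not, a sentence naming the gap would make the fix reviewable. The new test is also not limited to old_dir != new_dir the way the following one is, so please state whether that is intended. On style, the added condition mixes && and || without grouping, unlike the fully parenthesised condition right after it, and GCC's -Wparentheses flags that form; wrap each pair, e.g. `(f2fs_encrypted_inode(old_dir) && !f2fs_encrypted_inode(new_inode)) ||` followed by `(f2fs_encrypted_inode(new_dir) && !f2fs_encrypted_inode(old_inode))`.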