From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dmitry Vyukov, Vegard Nossum, Al Viro, Linus Torvalds, Eric Biggers
Subject: [PATCH 4.9 68/77] vfs: don't do RCU lookup of empty pathnames
Date: Wed, 21 Feb 2018 13:49:17 +0100
Message-Id: <20180221124435.068113114@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180221124432.172390020@linuxfoundation.org>
References: <20180221124432.172390020@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch. If anyone has any objections, please let me know.

------------------
From: Linus Torvalds

commit c0eb027e5aef70b71e5a38ee3e264dc0b497f343 upstream.

Normal pathname lookup doesn't allow empty pathnames, but using AT_EMPTY_PATH (with name_to_handle_at() or fstatat(), for example) you can trigger an empty pathname lookup.

And not only is the RCU lookup in that case entirely unnecessary (because we'll obviously immediately finalize the end result), it is actively wrong.

Why?

An empty path is a special case that will return the original 'dirfd' dentry - and that dentry may not actually be RCU-free'd, resulting in a potential use-after-free if we were to initialize the path lazily under the RCU read lock and depend on complete_walk() finalizing the dentry.

Found by syzkaller and KASAN.

Reported-by: Dmitry Vyukov
Reported-by: Vegard Nossum
Acked-by: Al Viro
Signed-off-by: Linus Torvalds
Cc: Eric Biggers
Signed-off-by: Greg Kroah-Hartman

---
 fs/namei.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/fs/namei.c +++ b/fs/namei.c @@ -2138,6 +2138,9 @@ static const char *path_init(struct name int retval = 0; const char *s = nd->name->name; + if (!*s) + flags &= ~LOOKUP_RCU; + nd->last_type = LAST_ROOT; /* if there are only slashes... */ nd->flags = flags | LOOKUP_JUMPED | LOOKUP_PARENT; nd->depth = 0;
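Review bot: the two added lines `if (!*s)` / `flags &= ~LOOKUP_RCU;` in the path_init() hunk carry no comment, so the reason the RCU walk must be skipped for an empty name (the lookup hands back the dirfd dentry itself, which may not be RCU-freed, so initializing the path lazily under the RCU read lock and relying on complete_walk() risks a use-after-free) survives only in the commit message; a one-line comment above the check, e.g. `/* empty path returns the dirfd dentry, which is not safe to finalize lazily under RCU */`, would keep that rationale with the code. The placement itself is right: the local `flags` is cleared before the visible `nd->flags = flags | LOOKUP_JUMPED | LOOKUP_PARENT;` assignment, so the cleared bit never reaches nd->flags, and testing `!*s` is sufficient because nd->name->name is a NUL-terminated string whose first byte being NUL is exactly the empty-pathname case.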
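As an added user-space illustration of the behaviour the commit message describes (this is not code from the patch or from the e-mail; the two helper function names are chosen here, and a Linux host with AT_EMPTY_PATH support is assumed), the program below shows that a normal fstatat() of the empty pathname is rejected with ENOENT, while the same call with AT_EMPTY_PATH resolves to the dirfd itself: the inode it reports is the one already pinned by the open file descriptor, which is why path_init() has nothing to gain from an RCU walk in that case.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if fstatat(dirfd, "", ..., AT_EMPTY_PATH) reports the same
 * (st_dev, st_ino) as fstat(dirfd), i.e. the empty path names dirfd
 * itself; 0 if they differ; -1 on any syscall failure. */
int empty_path_resolves_to_dirfd(const char *path)
{
    struct stat via_fd, via_empty;
    int dirfd = open(path, O_RDONLY | O_CLOEXEC);
    if (dirfd < 0)
        return -1;
    if (fstat(dirfd, &via_fd) < 0 ||
        fstatat(dirfd, "", &via_empty, AT_EMPTY_PATH) < 0) {
        close(dirfd);
        return -1;
    }
    close(dirfd);
    return via_fd.st_dev == via_empty.st_dev &&
           via_fd.st_ino == via_empty.st_ino;
}

/* Returns the errno produced by a plain lookup of "" relative to dirfd
 * (no AT_EMPTY_PATH); the commit message says normal lookup rejects empty
 * pathnames, and on Linux that shows up as ENOENT. Returns 0 if the call
 * unexpectedly succeeds, -1 if the directory cannot be opened. */
int empty_path_errno_without_flag(const char *path)
{
    struct stat st;
    int dirfd = open(path, O_RDONLY | O_CLOEXEC);
    if (dirfd < 0)
        return -1;
    int rc = fstatat(dirfd, "", &st, 0);
    int saved = rc < 0 ? errno : 0;
    close(dirfd);
    return saved;
}

int main(void)
{
    /* "/" is used as a directory that always exists; any open fd works. */
    const char *dir = "/";
    int same = empty_path_resolves_to_dirfd(dir);
    int err = empty_path_errno_without_flag(dir);
    printf("AT_EMPTY_PATH lookup of \"\" resolves to dirfd: %s\n",
           same == 1 ? "yes" : "no");
    printf("plain lookup of \"\" fails with: %s\n",
           err > 0 ? strerror(err) : "(no error)");
    return 0;
}
```

Run with any open directory: the first helper returns 1 and the second returns ENOENT, matching the commit message's two claims (empty pathnames are normally rejected; with AT_EMPTY_PATH the result is the dirfd's own dentry).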