From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dmitry Vyukov, Vegard Nossum, Al Viro, Linus Torvalds, Eric Biggers
Subject: [PATCH 4.4 30/33] vfs: don't do RCU lookup of empty pathnames
Date: Wed, 21 Feb 2018 13:45:13 +0100
Message-Id: <20180221124411.128121753@linuxfoundation.org>
In-Reply-To: <20180221124409.564661689@linuxfoundation.org>
References: <20180221124409.564661689@linuxfoundation.org>

4.4-stable review patch. If anyone has any objections, please let me know.

------------------
From: Linus Torvalds

commit c0eb027e5aef70b71e5a38ee3e264dc0b497f343 upstream.

Normal pathname lookup doesn't allow empty pathnames, but using AT_EMPTY_PATH (with name_to_handle_at() or fstatat(), for example) you can trigger an empty pathname lookup.

And not only is the RCU lookup in that case entirely unnecessary (because we'll obviously immediately finalize the end result), it is actively wrong.

Why? An empty path is a special case that will return the original 'dirfd' dentry - and that dentry may not actually be RCU-free'd, resulting in a potential use-after-free if we were to initialize the path lazily under the RCU read lock and depend on complete_walk() finalizing the dentry.

Found by syzkaller and KASAN.

Reported-by: Dmitry Vyukov
Reported-by: Vegard Nossum
Acked-by: Al Viro
Signed-off-by: Linus Torvalds
Cc: Eric Biggers
Signed-off-by: Greg Kroah-Hartman
---
 fs/namei.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/fs/namei.c +++ b/fs/namei.c @@ -2000,6 +2000,9 @@ static const char *path_init(struct name int retval = 0; const char *s = nd->name->name; + if (!*s) + flags &= ~LOOKUP_RCU; + nd->last_type = LAST_ROOT; /* if there are only slashes... */ nd->flags = flags | LOOKUP_JUMPED | LOOKUP_PARENT; nd->depth = 0;
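Review bot: the new `if (!*s) flags &= ~LOOKUP_RCU;` at the top of path_init() carries no in-code comment, so the reason it exists (an empty path resolves to the dirfd dentry, which is not necessarily RCU-freed, so a lazy RCU walk finalised by complete_walk() can use a freed dentry) lives only in the commit message; a one-line comment such as `/* empty path returns the dirfd dentry, which need not be RCU-freed: force ref-walk */` above the check would keep a later cleanup from reintroducing the RCU lookup. The placement itself is right: `flags` is still the local parameter at this point and `nd->flags = flags | LOOKUP_JUMPED | LOOKUP_PARENT;` is computed from it two lines later, so clearing LOOKUP_RCU here is reflected in nd->flags for the whole walk, and dereferencing `*s` is safe because `s` is taken from `nd->name->name` just above.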