Received: by 2002:ac0:a591:0:0:0:0:0 with SMTP id m17-v6csp1414317imm; Thu, 5 Jul 2018 22:57:54 -0700 (PDT) X-Google-Smtp-Source: AAOMgpe/p23pYPC7vCBlYbPX+HjO0GadMcFRIsh3kQU4Fj0Noved7YNUrzZqwYHPWCBNrIbXFC/F X-Received: by 2002:a63:943:: with SMTP id 64-v6mr8083465pgj.368.1530856674056; Thu, 05 Jul 2018 22:57:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1530856674; cv=none; d=google.com; s=arc-20160816; b=S14SOXYeBHDJ0yvKqxIMlPTiH5DbGu6zzDl9OPQeE4RkTAsPole6wI96AufYMxJLVD pn2AsvIQpjwXyfklDk8oszaQgPwE19UJ03ZTdQX/QtqHb0GCzAdzzeQUcTTKIfKY4BEt FSwIFbetxlbUYRFnZo4eGHGTOz3gSoSdI6tXBVfPsrtgZfgRJXvz069QAsow1CIdvLD5 O4MW8F9U0SF9AlJlF5wlSAtd7e/o+Sz+G3I542ri1r1y0HOfqo7Okz2GEwLNem54WZw2 lE7PNVhwsKENz520WG1LninuznU/Z6TszqsLAwnydzneZnzg5E+FGhl4KTX9OMfOGqHR +Wrw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=jds6oDVCEVtz8hhzCqqIuia0v5eOsBwnMICMFeyQtKA=; b=AGuunUkHy62S2QeZTeZDyJPRgsvi1nALadQRIsRcuMh2iMxqFu0JgVQHbJnu8wQ5mQ WRIOaTGbbvPp3NAF/45/YmyUJSjpJ8dttgBZz0MHZdnKSs9EhqLFHEMRiStHcKdqQrtl mtMfDhoT3B3XrVf8MjTARYlyC+5gUw7PCfbU/4ZUg+niNg54RFxdwLJr984WAJQpumw1 A9/giY0SqAzGzHPd+jjM3FsTnWJne0a8YaPThXr2B1UHEjs9ybPGjSEiTjZ0xZ3aTGHo cBtNslgVudO5CAO8xtEUJSkwg7lOgwBHtrstknwTmJCLfzntLBsZ7LFtVgs5c4h3H3Bm Qxmw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y3-v6si7280699pge.41.2018.07.05.22.57.40; Thu, 05 Jul 2018 22:57:54 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934455AbeGFFv7 (ORCPT + 99 others); Fri, 6 Jul 2018 01:51:59 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:33592 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934440AbeGFFvz (ORCPT ); Fri, 6 Jul 2018 01:51:55 -0400 Received: from localhost (D57D388D.static.ziggozakelijk.nl [213.125.56.141]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id CDE2DC8D; Fri, 6 Jul 2018 05:51:54 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jonathan Billings , David Howells , Sasha Levin Subject: [PATCH 4.14 46/61] afs: Fix directory permissions check Date: Fri, 6 Jul 2018 07:47:10 +0200 Message-Id: <20180706054714.105324259@linuxfoundation.org> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180706054712.332416244@linuxfoundation.org> References: <20180706054712.332416244@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: David Howells [ Upstream commit 378831e4daec75fbba6d3612bcf3b4dd00ddbf08 ] Doing faccessat("/afs/some/directory", 0) triggers a BUG in the permissions check code. Fix this by just removing the BUG section. If no permissions are asked for, just return okay if the file exists. Also: (1) Split up the directory check so that it has separate if-statements rather than if-else-if (e.g. checking for MAY_EXEC shouldn't skip the check for MAY_READ and MAY_WRITE). (2) Check for MAY_CHDIR as MAY_EXEC. Without the main fix, the following BUG may occur: kernel BUG at fs/afs/security.c:386! invalid opcode: 0000 [#1] SMP PTI ... RIP: 0010:afs_permission+0x19d/0x1a0 [kafs] ... Call Trace: ? inode_permission+0xbe/0x180 ? do_faccessat+0xdc/0x270 ? do_syscall_64+0x60/0x1f0 ? entry_SYSCALL_64_after_hwframe+0x49/0xbe Fixes: 00d3b7a4533e ("[AFS]: Add security support.") Reported-by: Jonathan Billings Signed-off-by: David Howells Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- fs/afs/security.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) --- a/fs/afs/security.c +++ b/fs/afs/security.c @@ -323,18 +323,14 @@ int afs_permission(struct inode *inode, mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file"); if (S_ISDIR(inode->i_mode)) { - if (mask & MAY_EXEC) { + if (mask & (MAY_EXEC | MAY_READ | MAY_CHDIR)) { if (!(access & AFS_ACE_LOOKUP)) goto permission_denied; - } else if (mask & MAY_READ) { - if (!(access & AFS_ACE_LOOKUP)) - goto permission_denied; - } else if (mask & MAY_WRITE) { + } + if (mask & MAY_WRITE) { if (!(access & (AFS_ACE_DELETE | /* rmdir, unlink, rename from */ AFS_ACE_INSERT))) /* create, mkdir, symlink, rename to */ goto permission_denied; - } else { - BUG(); } } else { if (!(access & AFS_ACE_LOOKUP))