From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Wang Shilong, Theodore Tso, Andreas Dilger, stable@kernel.org
Subject: [PATCH 4.19 228/361] ext4: fix setattr project check in fssetxattr ioctl
Date: Sun, 11 Nov 2018 14:19:35 -0800
Message-Id: <20181111221651.272819251@linuxfoundation.org>
In-Reply-To: <20181111221619.915519183@linuxfoundation.org>
References: <20181111221619.915519183@linuxfoundation.org>

4.19-stable review patch. If anyone has any objections, please let me know.

------------------

From: Wang Shilong

commit dc7ac6c4cae3b58724c2f1e21a7c05ce19ecd5a8 upstream.

Currently, project quota could be changed by the fssetxattr ioctl, and the
existing permission check inode_owner_or_capable() is obviously not enough:
just think that common users could change the project id of a file, which
could let users break project quota easily.

This patch tries to follow the same rule as xfs project quota:

"Project Quota ID state is only allowed to change from within the init
namespace. Enforce that restriction only if we are trying to change the
quota ID state. Everything else is allowed in user namespaces."

Besides that, checking and setting the project id's state should be an
atomic operation, so protect the whole operation with the inode lock.
ext4_ioctl_setproject() is only used for ioctl EXT4_IOC_FSSETXATTR; we have
held mnt_want_write_file() before ext4_ioctl_setflags(), and
ext4_ioctl_setproject() is called after ext4_ioctl_setflags(), so we could
share code and remove it inside ext4_ioctl_setproject().

Signed-off-by: Wang Shilong
Signed-off-by: Theodore Ts'o
Reviewed-by: Andreas Dilger
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman --- fs/ext4/ioctl.c | 60 ++++++++++++++++++++++++++++++++++---------------------- 1 file changed, 37 insertions(+), 23 deletions(-) --- a/fs/ext4/ioctl.c +++ b/fs/ext4/ioctl.c @@ -360,19 +360,14 @@ static int ext4_ioctl_setproject(struct if (projid_eq(kprojid, EXT4_I(inode)->i_projid)) return 0; - err = mnt_want_write_file(filp); - if (err) - return err; - err = -EPERM; - inode_lock(inode); /* Is it quota file? Do not allow user to mess with it */ if (ext4_is_quota_file(inode)) - goto out_unlock; + return err; err = ext4_get_inode_loc(inode, &iloc); if (err) - goto out_unlock; + return err; raw_inode = ext4_raw_inode(&iloc); if (!EXT4_FITS_IN_INODE(raw_inode, ei, i_projid)) { @@ -380,7 +375,7 @@ static int ext4_ioctl_setproject(struct EXT4_SB(sb)->s_want_extra_isize, &iloc); if (err) - goto out_unlock; + return err; } else { brelse(iloc.bh); } @@ -390,10 +385,8 @@ static int ext4_ioctl_setproject(struct handle = ext4_journal_start(inode, EXT4_HT_QUOTA, EXT4_QUOTA_INIT_BLOCKS(sb) + EXT4_QUOTA_DEL_BLOCKS(sb) + 3); - if (IS_ERR(handle)) { - err = PTR_ERR(handle); - goto out_unlock; - } + if (IS_ERR(handle)) + return PTR_ERR(handle); err = ext4_reserve_inode_write(handle, inode, &iloc); if (err) @@ -421,9 +414,6 @@ out_dirty: err = rc; out_stop: ext4_journal_stop(handle); -out_unlock: - inode_unlock(inode); - mnt_drop_write_file(filp); return err; } #else 
@@ -647,6 +637,30 @@ group_add_out: return err; } +static int ext4_ioctl_check_project(struct inode *inode, struct fsxattr *fa) +{ + /* + * Project Quota ID state is only allowed to change from within the init + * namespace. Enforce that restriction only if we are trying to change + * the quota ID state. Everything else is allowed in user namespaces. + */ + if (current_user_ns() == &init_user_ns) + return 0; + + if (__kprojid_val(EXT4_I(inode)->i_projid) != fa->fsx_projid) + return -EINVAL; + + if (ext4_test_inode_flag(inode, EXT4_INODE_PROJINHERIT)) { + if (!(fa->fsx_xflags & FS_XFLAG_PROJINHERIT)) + return -EINVAL; + } else { + if (fa->fsx_xflags & FS_XFLAG_PROJINHERIT) + return -EINVAL; + } + + return 0; +} + long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) { struct inode *inode = file_inode(filp); @@ -1046,19 +1060,19 @@ resizefs_out: return err; inode_lock(inode); + err = ext4_ioctl_check_project(inode, &fa); + if (err) + goto out; flags = (ei->i_flags & ~EXT4_FL_XFLAG_VISIBLE) | (flags & EXT4_FL_XFLAG_VISIBLE); err = ext4_ioctl_setflags(inode, flags); - inode_unlock(inode); - mnt_drop_write_file(filp); if (err) - return err; - + goto out; err = ext4_ioctl_setproject(filp, fa.fsx_projid); - if (err) - return err; - - return 0; +out: + inode_unlock(inode); + mnt_drop_write_file(filp); + return err; } case EXT4_IOC_SHUTDOWN: return ext4_shutdown(sb, arg);
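Review bot: in ext4_ioctl_setproject() (hunk @@ -360,19 +360,14 @@), the function stops calling mnt_want_write_file() and inode_lock() itself, but nothing in the function body records that the caller must now hold both. The only caller today is the EXT4_IOC_FSSETXATTR case, which does hold them, but a future caller that copies the old calling convention would modify i_projid unlocked. Please add a comment above the function stating the locking contract, and consider an assertion such as "WARN_ON_ONCE(!inode_is_locked(inode));" at the top so a violation is caught at runtime.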
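Review bot: in ext4_ioctl_check_project() (hunk @@ -647,6 +637,30 @@), the early "if (current_user_ns() == &init_user_ns) return 0;" means the new check places no restriction on callers in the initial user namespace, so a file owner there still passes with only inode_owner_or_capable(). The commit message motivates the change with "common users could change project id of file", which reads as broader than what this function enforces. Please state in the comment (and the changelog) that the restriction applies only to callers outside init_user_ns, or add a capability check if ordinary owners in the initial namespace are meant to be covered too. A smaller point in the same function: the refusals return -EINVAL although the condition is a permission denial; if that is kept for parity with xfs, a word in the comment would help.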
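Review bot: in the EXT4_IOC_FSSETXATTR case (hunk @@ -1046,19 +1060,19 @@), the new cleanup label is a bare "out:" inside ext4_ioctl(), a function whose other labels visible in this patch are case-specific ("group_add_out:", "resizefs_out:"). Labels have function scope, so a generic name in one case of a large switch is easy to collide with or to jump to from the wrong case later. Suggest renaming it to something like "fssetxattr_out" to match the existing convention. The unified exit path itself looks right: every failure after inode_lock() now reaches inode_unlock() and mnt_drop_write_file().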