From: Aleksa Sarai
To: Al Viro, Jeff Layton, "J. Bruce Fields", Arnd Bergmann, David Howells, Shuah Khan, Shuah Khan, Ingo Molnar, Peter Zijlstra, Alexei Starovoitov, Daniel Borkmann, Martin KaFai Lau, Song Liu, Yonghong Song, Andrii Nakryiko, Jonathan Corbet
Cc: Aleksa Sarai, Eric Biederman, Andy Lutomirski, Andrew Morton, Kees Cook, Jann Horn, Tycho Andersen, David Drysdale, Chanho Min, Oleg Nesterov, Rasmus Villemoes, Alexander Shishkin, Jiri Olsa, Namhyung Kim, Christian Brauner, Aleksa Sarai, Linus Torvalds, dev@opencontainers.org, containers@lists.linux-foundation.org, bpf@vger.kernel.org, netdev@vger.kernel.org, linux-alpha@vger.kernel.org, linux-api@vger.kernel.org, libc-alpha@sourceware.org, linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-ia64@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-m68k@lists.linux-m68k.org, linux-mips@vger.kernel.org, linux-parisc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, linux-sh@vger.kernel.org, linux-xtensa@linux-xtensa.org, sparclinux@vger.kernel.org
Subject: [PATCH RESEND v17 04/13] namei: allow set_root() to produce errors
Date: Wed, 20 Nov 2019 16:06:22 +1100
Message-Id: <20191120050631.12816-5-cyphar@cyphar.com>
In-Reply-To: <20191120050631.12816-1-cyphar@cyphar.com>
References: <20191120050631.12816-1-cyphar@cyphar.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

For LOOKUP_BENEATH and LOOKUP_IN_ROOT it is necessary to ensure that set_root() is never called, and thus (for hardening purposes) it should return an error rather than permit a breakout from the root.

In addition, move all of the repetitive set_root() calls to nd_jump_root().

Signed-off-by: Aleksa Sarai --- fs/namei.c | 35 ++++++++++++++++++++++++----------- 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index 1024a641f075..74574a69a614 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -798,7 +798,7 @@ static int complete_walk(struct nameidata *nd) return status; } -static void set_root(struct nameidata *nd) +static int set_root(struct nameidata *nd) { struct fs_struct *fs = current->fs; @@ -814,6 +814,7 @@ static void set_root(struct nameidata *nd) get_fs_root(fs, &nd->root); nd->flags |= LOOKUP_ROOT_GRABBED; } + return 0; } static void path_put_conditional(struct path *path, struct nameidata *nd) @@ -837,6 +838,11 @@ static inline void path_to_nameidata(const struct path *path, static int nd_jump_root(struct nameidata *nd) { + if (!nd->root.mnt) { + int error = set_root(nd); + if (error) + return error; + } if (nd->flags & LOOKUP_RCU) { struct dentry *d; nd->path = nd->root; @@ -1080,10 +1086,9 @@ const char *get_link(struct nameidata *nd) return res; } if (*res == '/') { - if (!nd->root.mnt) - set_root(nd); - if (unlikely(nd_jump_root(nd))) - return ERR_PTR(-ECHILD); + error = nd_jump_root(nd); + if (unlikely(error)) + return ERR_PTR(error); while (unlikely(*++res == '/')) ; } @@ -1698,8 +1703,13 @@ static inline int may_lookup(struct nameidata *nd) static inline int handle_dots(struct nameidata *nd, int type) { if (type == LAST_DOTDOT) { - if (!nd->root.mnt) - set_root(nd); + int error = 0; + + if (!nd->root.mnt) { + error = set_root(nd); + if (error) + return error; + } if (nd->flags & LOOKUP_RCU) { return follow_dotdot_rcu(nd); } else @@ -2162,6 +2172,7 @@ static int link_path_walk(const char *name, struct nameidata *nd) /* must be paired with terminate_walk() */ static const char *path_init(struct nameidata *nd, unsigned flags) { + int error; const char *s = nd->name->name; if (!*s) 
@@ -2194,11 +2205,13 @@ static const char *path_init(struct nameidata *nd, unsigned flags) nd->path.dentry = NULL; nd->m_seq = read_seqbegin(&mount_lock); + + /* Figure out the starting path and root (if needed). */ if (*s == '/') { - set_root(nd); - if (likely(!nd_jump_root(nd))) - return s; - return ERR_PTR(-ECHILD); + error = nd_jump_root(nd); + if (unlikely(error)) + return ERR_PTR(error); + return s; } else if (nd->dfd == AT_FDCWD) { if (flags & LOOKUP_RCU) { struct fs_struct *fs = current->fs; -- 2.24.0
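
Review bot: In the two set_root() hunks the function becomes int, but its only return is the added "return 0;", so the new error checks in nd_jump_root() and handle_dots() cannot fire with this patch alone, while the commit message says set_root() "should return an error rather than permit a breakout from the root". Suggest stating in the commit message where the failing path is introduced, and adding a short comment above set_root() that documents the return contract (0 on success, negative errno when the root must not be set) so callers know the result has to be checked.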
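
Review bot: In the handle_dots() hunk, "int error = 0;" is declared for the whole LAST_DOTDOT branch and given an initial value, although it is only assigned and read inside "if (!nd->root.mnt)". The nd_jump_root() hunk in this same patch uses "int error = set_root(nd);" inside the block; the same form here drops the dead initialiser and keeps the two call sites consistent. This site also still open-codes the set_root() call, which the commit message's "move all of the repetitive set_root() calls to nd_jump_root()" does not cover, so a sentence on why handle_dots() keeps its own call would help.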
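
Review bot: In the get_link() hunk, a nd_jump_root() failure used to be reported as ERR_PTR(-ECHILD) regardless of the value returned and is now reported as ERR_PTR(error); the path_init() hunk makes the same conversion. The commit message does not mention that these paths can now surface codes other than -ECHILD. Suggest saying so in the changelog and confirming that callers which special-case -ECHILD behave correctly when they see a different negative errno.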