Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp820505pxb; Tue, 3 Nov 2020 13:29:01 -0800 (PST) X-Google-Smtp-Source: ABdhPJzLXvn/HcBNbELBHbCcodq/edLeSziblGlslJA6rbeF4t5mW24A4NTtpOqx4BCxQq2JPsiJ X-Received: by 2002:a17:907:2667:: with SMTP id ci7mr17336668ejc.282.1604438941713; Tue, 03 Nov 2020 13:29:01 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1604438941; cv=none; d=google.com; s=arc-20160816; b=qybaw020OEFKQOtHsYIUdDH6HiSYLW6zYcv4wr1vp2GBvHoClnO0zyEObMBXMteVMU mXLwgl7OwI1KF2ukX06qhzmpf0Cm/+pnUQTR6iL1RvTwoMBTYAASJbzREXG9l/gwIHzK nbd+3PbZILIEGJnJtP+swpCJ8e4CQkKQosDk5D24e1/FxM00L6OvkGIoRElkUIjSmHhD hAPLpTTkq3xWQ+aaMVumhp8690Ztub5JTr8x+eWYd8KlSehmPhYzdGU/iDp5ll1eLBpH 41EBp0yaESPv7QIsTyvYV7L7TpuImLij1HJTeNNLQhz0m1yiSP9wFKOB293gsziPS5UO EVyw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=eXg89rStMn9pAG6yQ+nUd5Rj85PKxkLB9CPdR/ets34=; b=eBmBuuCrZiin/bohquftj0m5Ow/mvp12d9zCWmQ4U5qNCASCLSG+N0CNuOJRL0pUJ/ tspnTs70NqAI9y4Y4GWKAqpPHuTMghrYfOTAK9np9YF0n8XzVCBcnsPBJiHl6JGVq7+E GIENB3kGxpmxt3lCCvXq2et4rlit9Szvp2aHegpjr2WU4khYTz1LGXkL2Q28+p8/9kRE JohhmN5gTaCE6DGzGsXGA/UXFkTcDdUEe5QTW/fYwE6XqCn/jJEPMlYrcJiOoQHFnhll XBK9qc1laCkJVaeRnfSron2BlpI0DISIHBQC3V8ZZ8zffkJJDhIvvYcUXeAXTnlVxYkh QWMQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Ir2GkHdF; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m25si7462897edp.176.2020.11.03.13.28.38; Tue, 03 Nov 2020 13:29:01 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Ir2GkHdF; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387602AbgKCVCR (ORCPT + 99 others); Tue, 3 Nov 2020 16:02:17 -0500 Received: from mail.kernel.org ([198.145.29.99]:39218 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387577AbgKCVCO (ORCPT ); Tue, 3 Nov 2020 16:02:14 -0500 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C7B0C206B5; Tue, 3 Nov 2020 21:02:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1604437333; bh=VKbr2do/Xb70jJsR2z/OGL/3FZyisH4oRDFQUWCYkn8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Ir2GkHdFgEIx5I27Myjaaa689KDiGibqx+lzwKifYxdPwoCMFAs3hsaf9EsPfYRbb 0oYqQKL9CVxmoCEjpNZiS7rv9tnqMiVH17rX/efwZ8M833UALmoJL0nHAGF+r0zot/ oGLVQI+Ncjze0I653aCAB/qJoj6AscDC0xY+cQ9Q= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Greg Kroah-Hartman , "linux-fscrypt@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-mtd@lists.infradead.org, Theodore Tso" , Eric Biggers , Theodore Ts'o Subject: [PATCH 4.19 031/191] fscrypt: fix race allowing rename() and link() of ciphertext dentries Date: Tue, 3 Nov 2020 21:35:23 +0100 Message-Id: <20201103203236.750207039@linuxfoundation.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201103203232.656475008@linuxfoundation.org> References: <20201103203232.656475008@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Eric Biggers commit 968dd6d0c6d6b6a989c6ddb9e2584a031b83e7b5 upstream. Close some race conditions where fscrypt allowed rename() and link() on ciphertext dentries that had been looked up just prior to the key being concurrently added. It's better to return -ENOKEY in this case. This avoids doing the nonsensical thing of encrypting the names a second time when searching for the actual on-disk dir entries. It also guarantees that DCACHE_ENCRYPTED_NAME dentries are never rename()d, so the dcache won't have support all possible combinations of moving DCACHE_ENCRYPTED_NAME around during __d_move(). Signed-off-by: Eric Biggers Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman --- fs/crypto/hooks.c | 12 +++++++++++- include/linux/fscrypt.h | 2 +- include/linux/fscrypt_notsupp.h | 4 ++-- include/linux/fscrypt_supp.h | 3 ++- 4 files changed, 16 insertions(+), 5 deletions(-) --- a/fs/crypto/hooks.c +++ b/fs/crypto/hooks.c @@ -49,7 +49,8 @@ int fscrypt_file_open(struct inode *inod } EXPORT_SYMBOL_GPL(fscrypt_file_open); -int __fscrypt_prepare_link(struct inode *inode, struct inode *dir) +int __fscrypt_prepare_link(struct inode *inode, struct inode *dir, + struct dentry *dentry) { int err; @@ -57,6 +58,10 @@ int __fscrypt_prepare_link(struct inode if (err) return err; + /* ... in case we looked up ciphertext name before key was added */ + if (dentry->d_flags & DCACHE_ENCRYPTED_NAME) + return -ENOKEY; + if (!fscrypt_has_permitted_context(dir, inode)) return -EXDEV; @@ -78,6 +83,11 @@ int __fscrypt_prepare_rename(struct inod if (err) return err; + /* ... in case we looked up ciphertext name(s) before key was added */ + if ((old_dentry->d_flags | new_dentry->d_flags) & + DCACHE_ENCRYPTED_NAME) + return -ENOKEY; + if (old_dir != new_dir) { if (IS_ENCRYPTED(new_dir) && !fscrypt_has_permitted_context(new_dir, --- a/include/linux/fscrypt.h +++ b/include/linux/fscrypt.h @@ -97,7 +97,7 @@ static inline int fscrypt_prepare_link(s struct dentry *dentry) { if (IS_ENCRYPTED(dir)) - return __fscrypt_prepare_link(d_inode(old_dentry), dir); + return __fscrypt_prepare_link(d_inode(old_dentry), dir, dentry); return 0; } --- a/include/linux/fscrypt_notsupp.h +++ b/include/linux/fscrypt_notsupp.h @@ -183,8 +183,8 @@ static inline int fscrypt_file_open(stru return 0; } -static inline int __fscrypt_prepare_link(struct inode *inode, - struct inode *dir) +static inline int __fscrypt_prepare_link(struct inode *inode, struct inode *dir, + struct dentry *dentry) { return -EOPNOTSUPP; } --- a/include/linux/fscrypt_supp.h +++ b/include/linux/fscrypt_supp.h @@ -184,7 +184,8 @@ extern int fscrypt_zeroout_range(const s /* hooks.c */ extern int fscrypt_file_open(struct inode *inode, struct file *filp); -extern int __fscrypt_prepare_link(struct inode *inode, struct inode *dir); +extern int __fscrypt_prepare_link(struct inode *inode, struct inode *dir, + struct dentry *dentry); extern int __fscrypt_prepare_rename(struct inode *old_dir, struct dentry *old_dentry, struct inode *new_dir,