From: Gabriel Krisman Bertazi
To: amir73il@gmail.com, jack@suse.com
Cc: linux-api@vger.kernel.org, linux-ext4@vger.kernel.org, linux-fsdevel@vger.kernel.org, khazhy@google.com, dhowells@redhat.com, david@fromorbit.com, tytso@mit.edu, djwong@kernel.org, repnop@google.com, Gabriel Krisman Bertazi, kernel@collabora.com
Subject: [PATCH v6 12/21] fanotify: Encode invalid file handle when no inode is provided
Date: Thu, 12 Aug 2021 17:40:01 -0400
Message-Id: <20210812214010.3197279-13-krisman@collabora.com>
In-Reply-To: <20210812214010.3197279-1-krisman@collabora.com>
References: <20210812214010.3197279-1-krisman@collabora.com>
X-Mailing-List: linux-ext4@vger.kernel.org

Instead of failing, encode an invalid file handle in fanotify_encode_fh if no inode is provided. This bogus file handle will be reported by FAN_FS_ERROR for non-inode errors.

When being reported to userspace, the length information is actually reset and the handle cleaned up, such that userspace doesn't have visibility of the internal kernel representation of this null handle.

Also adjust the single caller that might rely on failure after passing an empty inode.

Suggested-by: Amir Goldstein
Signed-off-by: Gabriel Krisman Bertazi

---
Changes since v5:
- Preserve flags initialization (jan)
- Add BUILD_BUG_ON (amir)
- Require minimum of FANOTIFY_NULL_FH_LEN for fh_len (amir)
- Improve comment to explain the null FH length (jan)
- Simplify logic
---
 fs/notify/fanotify/fanotify.c      | 27 ++++++++++++++++++-----
 fs/notify/fanotify/fanotify_user.c | 35 +++++++++++++++++-------------
 2 files changed, 41 insertions(+), 21 deletions(-)

diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
index 50fce4fec0d6..2b1ab031fbe5 100644
--- a/fs/notify/fanotify/fanotify.c
+++ b/fs/notify/fanotify/fanotify.c
@@ -334,6 +334,8 @@ static u32 fanotify_group_event_mask(struct fsnotify_group *group, return test_mask & user_mask; } +#define FANOTIFY_NULL_FH_LEN 4 + /* * Check size needed to encode fanotify_fh. * @@ -345,7 +347,7 @@ static int fanotify_encode_fh_len(struct inode *inode) int dwords = 0; if (!inode) - return 0; + return FANOTIFY_NULL_FH_LEN; exportfs_encode_inode_fh(inode, NULL, &dwords, NULL); @@ -367,11 +369,23 @@ static int fanotify_encode_fh(struct fanotify_fh *fh, struct inode *inode, void *buf = fh->buf; int err; - fh->type = FILEID_ROOT; - fh->len = 0; + BUILD_BUG_ON(FANOTIFY_NULL_FH_LEN < 4 || + FANOTIFY_NULL_FH_LEN > FANOTIFY_INLINE_FH_LEN); + fh->flags = 0; - if (!inode) - return 0; + + if (!inode) { + /* + * Invalid FHs are used on FAN_FS_ERROR for errors not + * linked to any inode. The f_handle won't be reported + * back to userspace. The extra bytes are cleared prior + * to reporting. + */ + type = FILEID_INVALID; + fh_len = FANOTIFY_NULL_FH_LEN; + + goto success; + } /* * !gpf means preallocated variable size fh, but fh_len could @@ -400,6 +414,7 @@ static int fanotify_encode_fh(struct fanotify_fh *fh, struct inode *inode, if (!type || type == FILEID_INVALID || fh_len != dwords << 2) goto out_err; +success: fh->type = type; fh->len = fh_len; @@ -529,7 +544,7 @@ static struct fanotify_event *fanotify_alloc_name_event(struct inode *id, struct fanotify_info *info; struct fanotify_fh *dfh, *ffh; unsigned int dir_fh_len = fanotify_encode_fh_len(id); - unsigned int child_fh_len = fanotify_encode_fh_len(child); + unsigned int child_fh_len = child ? fanotify_encode_fh_len(child) : 0; unsigned int size; size = sizeof(*fne) + FANOTIFY_FH_HDR_LEN + dir_fh_len; diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c index c47a5a45c0d3..4cacea5fcaca 100644 --- a/fs/notify/fanotify/fanotify_user.c +++ b/fs/notify/fanotify/fanotify_user.c 
@@ -360,7 +360,10 @@ static int copy_info_to_user(__kernel_fsid_t *fsid, struct fanotify_fh *fh, return -EFAULT; handle.handle_type = fh->type; - handle.handle_bytes = fh_len; + + /* FILEID_INVALID handle type is reported without its f_handle. */ + if (fh->type != FILEID_INVALID) + handle.handle_bytes = fh_len; if (copy_to_user(buf, &handle, sizeof(handle))) return -EFAULT; @@ -369,20 +372,22 @@ static int copy_info_to_user(__kernel_fsid_t *fsid, struct fanotify_fh *fh, if (WARN_ON_ONCE(len < fh_len)) return -EFAULT; - /* - * For an inline fh and inline file name, copy through stack to exclude - * the copy from usercopy hardening protections. - */ - fh_buf = fanotify_fh_buf(fh); - if (fh_len <= FANOTIFY_INLINE_FH_LEN) { - memcpy(bounce, fh_buf, fh_len); - fh_buf = bounce; + if (fh->type != FILEID_INVALID) { + /* + * For an inline fh and inline file name, copy through + * stack to exclude the copy from usercopy hardening + * protections. + */ + fh_buf = fanotify_fh_buf(fh); + if (fh_len <= FANOTIFY_INLINE_FH_LEN) { + memcpy(bounce, fh_buf, fh_len); + fh_buf = bounce; + } + if (copy_to_user(buf, fh_buf, fh_len)) + return -EFAULT; + buf += fh_len; + len -= fh_len; } - if (copy_to_user(buf, fh_buf, fh_len)) - return -EFAULT; - - buf += fh_len; - len -= fh_len; if (name_len) { /* Copy the filename with terminating null */ @@ -398,7 +403,7 @@ static int copy_info_to_user(__kernel_fsid_t *fsid, struct fanotify_fh *fh, } /* Pad with 0's */ - WARN_ON_ONCE(len < 0 || len >= FANOTIFY_EVENT_ALIGN); + WARN_ON_ONCE(len < 0); if (len > 0 && clear_user(buf, len)) return -EFAULT; -- 2.32.0
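Review bot: In the fanotify_encode_fh hunk of fanotify.c, the `if (!inode)` branch jumps to `success:` without ever writing to `fh->buf`, so the FANOTIFY_NULL_FH_LEN bytes behind the invalid handle keep whatever the buffer held before; the new comment promises they are cleared "prior to reporting", which covers the userspace copy but not any in-kernel consumer that compares two handles by `fh->len` bytes of content. A `memset(buf, 0, FANOTIFY_NULL_FH_LEN);` before `goto success;` would make the null handle a deterministic value. The comment also still does not say why the length is FANOTIFY_NULL_FH_LEN rather than 0, which is what the "Improve comment to explain the null FH length" changelog entry suggests was asked for; one line next to the `#define` stating why the `BUILD_BUG_ON` bounds it to at least 4 and at most FANOTIFY_INLINE_FH_LEN would close that.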
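Review bot: In the first copy_info_to_user hunk, `handle.handle_bytes` is now only assigned when `fh->type != FILEID_INVALID`, yet `handle` is copied to userspace unconditionally right after by `copy_to_user(buf, &handle, sizeof(handle))`; unless `handle` is zero-initialized at its declaration (not visible in this hunk), the FILEID_INVALID case copies an uninitialized stack word to userspace. An explicit `else handle.handle_bytes = 0;` makes the comment's promise ("reported without its f_handle") hold regardless of how the declaration evolves, and is cheap insurance against a kernel stack leak.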
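Review bot: In the last hunk, relaxing `WARN_ON_ONCE(len < 0 || len >= FANOTIFY_EVENT_ALIGN)` to `WARN_ON_ONCE(len < 0)` drops the upper-bound sanity check for every handle type, not just FILEID_INVALID, whose unreported fh_len bytes (buf and len are no longer advanced for it) are the only reason the remaining length can now reach the alignment size. Keeping the tighter bound for the normal case, e.g. `WARN_ON_ONCE(len < 0 || (fh->type != FILEID_INVALID && len >= FANOTIFY_EVENT_ALIGN));`, preserves the existing detection of miscounted event lengths while still allowing the null handle's padding.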