@@ -40,6 +40,7 @@
#include <linux/vfs.h>
#include <linux/rcupdate.h>
#include <linux/slab.h>
+#include <linux/fs.h>
#include <asm/fpu.h>
#include <asm/io.h>
@@ -117,6 +118,9 @@ osf_filldir(struct dir_context *ctx, const char *name, int namlen,
unsigned int reclen = ALIGN(NAME_OFFSET + namlen + 1, sizeof(u32));
unsigned int d_ino;
+ buf->error = check_dirent_name(name, namlen);
+ if (unlikely(buf->error))
+ return -EUCLEAN;
buf->error = -EINVAL; /* only used if we fail */
if (reclen > buf->count)
return -EINVAL;
@@ -64,6 +64,26 @@ int iterate_dir(struct file *file, struct dir_context *ctx)
}
EXPORT_SYMBOL(iterate_dir);
+/*
+ * Most filesystems don't filter out bogus directory entry names, and userspace
+ * can get very confused by such names. Behave as if a filesystem error had
+ * happened while reading directory entries.
+ */
+int check_dirent_name(const char *name, int namlen)
+{
+ if (namlen == 0) {
+ pr_err_once("%s: filesystem returned bogus empty name\n",
+ __func__);
+ return -EUCLEAN;
+ }
+ if (memchr(name, '/', namlen)) {
+ pr_err_once("%s: filesystem returned bogus name '%*pEhp' (contains slash)\n",
+ __func__, namlen, name);
+ return -EUCLEAN;
+ }
+ return 0;
+}
+
/*
* Traditional linux readdir() handling..
*
@@ -98,6 +118,9 @@ static int fillonedir(struct dir_context *ctx, const char *name, int namlen,
if (buf->result)
return -EINVAL;
+ buf->result = check_dirent_name(name, namlen);
+ if (unlikely(buf->result))
+ return -EUCLEAN;
d_ino = ino;
if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
buf->result = -EOVERFLOW;
@@ -173,6 +196,9 @@ static int filldir(struct dir_context *ctx, const char *name, int namlen,
int reclen = ALIGN(offsetof(struct linux_dirent, d_name) + namlen + 2,
sizeof(long));
+ buf->error = check_dirent_name(name, namlen);
+ if (unlikely(buf->error))
+ return -EUCLEAN;
buf->error = -EINVAL; /* only used if we fail.. */
if (reclen > buf->count)
return -EINVAL;
@@ -259,6 +285,9 @@ static int filldir64(struct dir_context *ctx, const char *name, int namlen,
int reclen = ALIGN(offsetof(struct linux_dirent64, d_name) + namlen + 1,
sizeof(u64));
+ buf->error = check_dirent_name(name, namlen);
+ if (unlikely(buf->error))
+ return -EUCLEAN;
buf->error = -EINVAL; /* only used if we fail.. */
if (reclen > buf->count)
return -EINVAL;
@@ -358,6 +387,9 @@ static int compat_fillonedir(struct dir_context *ctx, const char *name,
if (buf->result)
return -EINVAL;
+ buf->result = check_dirent_name(name, namlen);
+ if (unlikely(buf->result))
+ return -EUCLEAN;
d_ino = ino;
if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
buf->result = -EOVERFLOW;
@@ -427,6 +459,9 @@ static int compat_filldir(struct dir_context *ctx, const char *name, int namlen,
int reclen = ALIGN(offsetof(struct compat_linux_dirent, d_name) +
namlen + 2, sizeof(compat_long_t));
+ buf->error = check_dirent_name(name, namlen);
+ if (unlikely(buf->error))
+ return -EUCLEAN;
buf->error = -EINVAL; /* only used if we fail.. */
if (reclen > buf->count)
return -EINVAL;
@@ -1730,6 +1730,8 @@ struct dir_context {
loff_t pos;
};
+int check_dirent_name(const char *name, int namlen);
+
struct block_device_operations;
/* These macros are for out of kernel modules to test that
When you e.g. run `find` on a directory for which getdents returns "filenames" that contain slashes, `find` passes those "filenames" back to the kernel, which then interprets them as paths. That could conceivably cause userspace to do something bad when accessing something like an untrusted USB stick, but I'm not aware of any specific example. Instead of returning bogus filenames to userspace, return -EUCLEAN. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Jann Horn <jannh@google.com> I ordered this fix before the refactoring one so that it can easily be backported. --- Bringing that half-year-old patch back to life... changed in v2: - move bogus_dirent_name() out of the #ifdef (kbuild test robot) changed in v3: - change calling convention (Al Viro) - comment fix arch/alpha/kernel/osf_sys.c | 4 ++++ fs/readdir.c | 35 +++++++++++++++++++++++++++++++++++ include/linux/fs.h | 2 ++ 3 files changed, 41 insertions(+)