[v3,19/20] orangefs_d_revalidate(): use stable parent inode and name passed by caller

Message ID	20250123014643.1964371-19-viro@zeniv.linux.org.uk (mailing list archive)
State	Handled Elsewhere
Headers	show Received: from zeniv.linux.org.uk (zeniv.linux.org.uk [62.89.141.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7276135965; Thu, 23 Jan 2025 01:46:47 +0000 (UTC) From: Al Viro <viro@zeniv.linux.org.uk> To: linux-fsdevel@vger.kernel.org Cc: agruenba@redhat.com, amir73il@gmail.com, brauner@kernel.org, ceph-devel@vger.kernel.org, dhowells@redhat.com, hubcap@omnibond.com, jack@suse.cz, krisman@kernel.org, linux-nfs@vger.kernel.org, miklos@szeredi.hu, torvalds@linux-foundation.org Subject: [PATCH v3 19/20] orangefs_d_revalidate(): use stable parent inode and name passed by caller Date: Thu, 23 Jan 2025 01:46:42 +0000 Message-ID: <20250123014643.1964371-19-viro@zeniv.linux.org.uk> In-Reply-To: <20250123014643.1964371-1-viro@zeniv.linux.org.uk> References: <20250123014511.GA1962481@ZenIV> <20250123014643.1964371-1-viro@zeniv.linux.org.uk> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: Al Viro <viro@ftp.linux.org.uk>
Series	[v3,01/20] make sure that DNAME_INLINE_LEN is a multiple of word size \| expand [v3,01/20] make sure that DNAME_INLINE_LEN is a multiple of word size [v3,02/20] dcache: back inline names with a struct-wrapped array of unsigned long [v3,03/20] make take_dentry_name_snapshot() lockless [v3,04/20] dissolve external_name.u into separate members [v3,05/20] ext4 fast_commit: make use of name_snapshot primitives [v3,06/20] generic_ci_d_compare(): use shortname_storage [v3,07/20] Pass parent directory inode and expected name to ->d_revalidate() [v3,08/20] afs_d_revalidate(): use stable name and parent inode passed by caller [v3,09/20] ceph_d_revalidate(): use stable parent inode passed by caller [v3,10/20] ceph_d_revalidate(): propagate stable name down into request encoding [v3,11/20] fscrypt_d_revalidate(): use stable parent inode passed by caller [v3,12/20] exfat_d_revalidate(): use stable parent inode passed by caller [v3,13/20] vfat_revalidate{,_ci}(): use stable parent inode passed by caller [v3,14/20] fuse_dentry_revalidate(): use stable parent inode and name passed by caller [v3,15/20] gfs2_drevalidate(): use stable parent inode and name passed by caller [v3,16/20] nfs{,4}_lookup_validate(): use stable parent inode passed by caller [v3,17/20] nfs: fix ->d_revalidate() UAF on ->d_name accesses [v3,18/20] ocfs2_dentry_revalidate(): use stable parent inode and name passed by caller [v3,19/20] orangefs_d_revalidate(): use stable parent inode and name passed by caller [v3,20/20] 9p: fix ->rename_sem exclusion

Message ID

20250123014643.1964371-19-viro@zeniv.linux.org.uk (mailing list archive)

State

Handled Elsewhere

Headers

From: Al Viro <viro@zeniv.linux.org.uk>
To: linux-fsdevel@vger.kernel.org
Cc: agruenba@redhat.com,
	amir73il@gmail.com,
	brauner@kernel.org,
	ceph-devel@vger.kernel.org,
	dhowells@redhat.com,
	hubcap@omnibond.com,
	jack@suse.cz,
	krisman@kernel.org,
	linux-nfs@vger.kernel.org,
	miklos@szeredi.hu,
	torvalds@linux-foundation.org
Subject: [PATCH v3 19/20] orangefs_d_revalidate(): use stable parent inode and
 name passed by caller
Date: Thu, 23 Jan 2025 01:46:42 +0000
Message-ID: <20250123014643.1964371-19-viro@zeniv.linux.org.uk>
In-Reply-To: <20250123014643.1964371-1-viro@zeniv.linux.org.uk>
References: <20250123014511.GA1962481@ZenIV>
 <20250123014643.1964371-1-viro@zeniv.linux.org.uk>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: Al Viro <viro@ftp.linux.org.uk>

Series

[v3,01/20] make sure that DNAME_INLINE_LEN is a multiple of word size | expand

->d_name use is a UAF if the userland side of things can be slowed down by attacker. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> --- fs/orangefs/dcache.c | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-)

Comments

Mike Marshall Jan. 25, 2025, 4:25 p.m. UTC | #1

Tested-by: Mike Marshall <hubcap@omnibond.com>

On Wed, Jan 22, 2025 at 8:46 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
>
> ->d_name use is a UAF if the userland side of things can be slowed down
> by attacker.
>
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> ---
>  fs/orangefs/dcache.c | 19 ++++++++-----------
>  1 file changed, 8 insertions(+), 11 deletions(-)
>
> diff --git a/fs/orangefs/dcache.c b/fs/orangefs/dcache.c
> index c32c9a86e8d0..a19d1ad705db 100644
> --- a/fs/orangefs/dcache.c
> +++ b/fs/orangefs/dcache.c
> @@ -13,10 +13,9 @@
>  #include "orangefs-kernel.h"
>
>  /* Returns 1 if dentry can still be trusted, else 0. */
> -static int orangefs_revalidate_lookup(struct dentry *dentry)
> +static int orangefs_revalidate_lookup(struct inode *parent_inode, const struct qstr *name,
> +                                     struct dentry *dentry)
>  {
> -       struct dentry *parent_dentry = dget_parent(dentry);
> -       struct inode *parent_inode = parent_dentry->d_inode;
>         struct orangefs_inode_s *parent = ORANGEFS_I(parent_inode);
>         struct inode *inode = dentry->d_inode;
>         struct orangefs_kernel_op_s *new_op;
> @@ -26,14 +25,14 @@ static int orangefs_revalidate_lookup(struct dentry *dentry)
>         gossip_debug(GOSSIP_DCACHE_DEBUG, "%s: attempting lookup.\n", __func__);
>
>         new_op = op_alloc(ORANGEFS_VFS_OP_LOOKUP);
> -       if (!new_op) {
> -               ret = -ENOMEM;
> -               goto out_put_parent;
> -       }
> +       if (!new_op)
> +               return -ENOMEM;
>
>         new_op->upcall.req.lookup.sym_follow = ORANGEFS_LOOKUP_LINK_NO_FOLLOW;
>         new_op->upcall.req.lookup.parent_refn = parent->refn;
> -       strscpy(new_op->upcall.req.lookup.d_name, dentry->d_name.name);
> +       /* op_alloc() leaves ->upcall zeroed */
> +       memcpy(new_op->upcall.req.lookup.d_name, name->name,
> +                       min(name->len, ORANGEFS_NAME_MAX - 1));
>
>         gossip_debug(GOSSIP_DCACHE_DEBUG,
>                      "%s:%s:%d interrupt flag [%d]\n",
> @@ -78,8 +77,6 @@ static int orangefs_revalidate_lookup(struct dentry *dentry)
>         ret = 1;
>  out_release_op:
>         op_release(new_op);
> -out_put_parent:
> -       dput(parent_dentry);
>         return ret;
>  out_drop:
>         gossip_debug(GOSSIP_DCACHE_DEBUG, "%s:%s:%d revalidate failed\n",
> @@ -115,7 +112,7 @@ static int orangefs_d_revalidate(struct inode *dir, const struct qstr *name,
>          * If this passes, the positive dentry still exists or the negative
>          * dentry still does not exist.
>          */
> -       if (!orangefs_revalidate_lookup(dentry))
> +       if (!orangefs_revalidate_lookup(dir, name, dentry))
>                 return 0;
>
>         /* We do not need to continue with negative dentries. */
> --
> 2.39.5
>

diff --git a/fs/orangefs/dcache.c b/fs/orangefs/dcache.c
index c32c9a86e8d0..a19d1ad705db 100644
--- a/fs/orangefs/dcache.c
+++ b/fs/orangefs/dcache.c
@@ -13,10 +13,9 @@ 
 #include "orangefs-kernel.h"
 
 /* Returns 1 if dentry can still be trusted, else 0. */
-static int orangefs_revalidate_lookup(struct dentry *dentry)
+static int orangefs_revalidate_lookup(struct inode *parent_inode, const struct qstr *name,
+				      struct dentry *dentry)
 {
-	struct dentry *parent_dentry = dget_parent(dentry);
-	struct inode *parent_inode = parent_dentry->d_inode;
 	struct orangefs_inode_s *parent = ORANGEFS_I(parent_inode);
 	struct inode *inode = dentry->d_inode;
 	struct orangefs_kernel_op_s *new_op;
@@ -26,14 +25,14 @@  static int orangefs_revalidate_lookup(struct dentry *dentry)
 	gossip_debug(GOSSIP_DCACHE_DEBUG, "%s: attempting lookup.\n", __func__);
 
 	new_op = op_alloc(ORANGEFS_VFS_OP_LOOKUP);
-	if (!new_op) {
-		ret = -ENOMEM;
-		goto out_put_parent;
-	}
+	if (!new_op)
+		return -ENOMEM;
 
 	new_op->upcall.req.lookup.sym_follow = ORANGEFS_LOOKUP_LINK_NO_FOLLOW;
 	new_op->upcall.req.lookup.parent_refn = parent->refn;
-	strscpy(new_op->upcall.req.lookup.d_name, dentry->d_name.name);
+	/* op_alloc() leaves ->upcall zeroed */
+	memcpy(new_op->upcall.req.lookup.d_name, name->name,
+			min(name->len, ORANGEFS_NAME_MAX - 1));
 
 	gossip_debug(GOSSIP_DCACHE_DEBUG,
 		     "%s:%s:%d interrupt flag [%d]\n",
@@ -78,8 +77,6 @@  static int orangefs_revalidate_lookup(struct dentry *dentry)
 	ret = 1;
 out_release_op:
 	op_release(new_op);
-out_put_parent:
-	dput(parent_dentry);
 	return ret;
 out_drop:
 	gossip_debug(GOSSIP_DCACHE_DEBUG, "%s:%s:%d revalidate failed\n",
@@ -115,7 +112,7 @@  static int orangefs_d_revalidate(struct inode *dir, const struct qstr *name,
 	 * If this passes, the positive dentry still exists or the negative
 	 * dentry still does not exist.
 	 */
-	if (!orangefs_revalidate_lookup(dentry))
+	if (!orangefs_revalidate_lookup(dir, name, dentry))
 		return 0;
 
 	/* We do not need to continue with negative dentries. */

[v3,19/20] orangefs_d_revalidate(): use stable parent inode and name passed by caller

Commit Message

Comments

Patch