Message ID | 153870030069.29072.11055871953561649172.stgit@magnolia (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | fs: fixes for serious clone/dedupe problems | expand |
On Thu, Oct 04, 2018 at 05:45:00PM -0700, Darrick J. Wong wrote: > From: Darrick J. Wong <darrick.wong@oracle.com> > > Before cloning into a file, update the ctime and remove sensitive > attributes like suid, just like we'd do for a regular file write. > > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> > --- > fs/xfs/xfs_reflink.c | 25 +++++++++++++++++++++++++ > 1 file changed, 25 insertions(+) Looks good. Reviewed-by: Dave Chinner <dchinner@redhat.com> Because this fixes a security related problem, I'm going to push this with the data corruption fixes. Cheers, Dave.
> STATIC int > xfs_reflink_remap_prep( > @@ -1302,6 +1303,30 @@ xfs_reflink_remap_prep( > /* Zap any page cache for the destination file's range. */ > truncate_inode_pages_range(&inode_out->i_data, pos_out, > PAGE_ALIGN(pos_out + len) - 1); > + > + /* If we're altering the file contents... */ > + if (!is_dedupe) { Nipick - even a clone might not alter the file content, we just have no guarantee. So maybe change the comment to: /* If we may alter the file contents.. */ Otherwise looks fine: Reviewed-by: Christoph Hellwig <hch@lst.de>
diff --git a/fs/xfs/xfs_reflink.c b/fs/xfs/xfs_reflink.c index 55da7e1154f4..d8f209bc8937 100644 --- a/fs/xfs/xfs_reflink.c +++ b/fs/xfs/xfs_reflink.c @@ -1239,6 +1239,7 @@ xfs_reflink_zero_posteof( * Prepare two files for range cloning. Upon a successful return both inodes * will have the iolock and mmaplock held, the page cache of the out file * will be truncated, and any leases on the out file will have been broken. + * This function borrows heavily from xfs_file_aio_write_checks. */ STATIC int xfs_reflink_remap_prep( @@ -1302,6 +1303,30 @@ xfs_reflink_remap_prep( /* Zap any page cache for the destination file's range. */ truncate_inode_pages_range(&inode_out->i_data, pos_out, PAGE_ALIGN(pos_out + len) - 1); + + /* If we're altering the file contents... */ + if (!is_dedupe) { + /* + * ...update the timestamps (which will grab the ilock again + * from xfs_fs_dirty_inode, so we have to call it before we + * take the ilock). + */ + if (!(file_out->f_mode & FMODE_NOCMTIME)) { + ret = file_update_time(file_out); + if (ret) + goto out_unlock; + } + + /* + * ...clear the security bits if the process is not being run + * by root. This keeps people from modifying setuid and setgid + * binaries. + */ + ret = file_remove_privs(file_out); + if (ret) + goto out_unlock; + } + return 0; out_unlock: xfs_reflink_remap_unlock(file_in, file_out);