22 Sep, 2015
1 commit
-
commit a068acf2ee77693e0bf39d6e07139ba704f461c3 upstream.
Many file systems that implement the show_options hook fail to correctly
escape their output which could lead to unescaped characters (e.g. new
lines) leaking into /proc/mounts and /proc/[pid]/mountinfo files. This
could lead to confusion, spoofed entries (resulting in things like
systemd issuing false d-bus "mount" notifications), and who knows what
else. This looks like it would only be the root user stepping on
themselves, but it's possible weird things could happen in containers or
in other situations with delegated mount privileges.

Here's an example using overlay with setuid fusermount trusting the
contents of /proc/mounts (via the /etc/mtab symlink). Imagine the use
of "sudo" is something more sneaky:

$ BASE="ovl"
$ MNT="$BASE/mnt"
$ LOW="$BASE/lower"
$ UP="$BASE/upper"
$ WORK="$BASE/work/ 0 0
none /proc fuse.pwn user_id=1000"
$ mkdir -p "$LOW" "$UP" "$WORK"
$ sudo mount -t overlay -o "lowerdir=$LOW,upperdir=$UP,workdir=$WORK" none /mnt
$ cat /proc/mounts
none /root/ovl/mnt overlay rw,relatime,lowerdir=ovl/lower,upperdir=ovl/upper,workdir=ovl/work/ 0 0
none /proc fuse.pwn user_id=1000 0 0
$ fusermount -u /proc
$ cat /proc/mounts
cat: /proc/mounts: No such file or directory

This fixes the problem by adding new seq_show_option and
seq_show_option_n helpers, and updating the vulnerable show_option
handlers to use them as needed. Some, like SELinux, need to be open
coded due to unusual existing escape mechanisms.

[akpm@linux-foundation.org: add lost chunk, per Kees]
[keescook@chromium.org: seq_show_option should be using const parameters]
Signed-off-by: Kees Cook
Acked-by: Serge Hallyn
Acked-by: Jan Kara
Acked-by: Paul Moore
Cc: J. R. Okajima
Signed-off-by: Kees Cook
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
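
The failure mode and the fix described in the commit message above, as an added userspace illustration in C (not the kernel patch and not code from this page). The function names, the buffer handling and the escaped byte set are assumptions of this example; the real helpers are seq_show_option and seq_show_option_n.

```c
#include <stdio.h>
#include <string.h>

/* Bytes that break the one-mount-per-line, space/comma-separated layout
 * (set assumed for this example). */
#define UNSAFE ", \t\n\\"

/* Append src to dst (capacity cap), unsafe bytes as \ooo; -1 if it won't fit. */
int append_escaped(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(dst);
    for (; *src; src++) {
        int esc = strchr(UNSAFE, *src) != NULL;
        if (len + (esc ? 4 : 1) + 1 > cap)
            return -1;
        if (esc)
            len += (size_t)snprintf(dst + len, cap - len, "\\%03o", (unsigned)(unsigned char)*src);
        else
            dst[len++] = *src;
        dst[len] = '\0';
    }
    return 0;
}

/* Append ",name=value" like a show_options hook; escape=0 is the pre-fix behaviour. */
int show_option(char *dst, size_t cap, const char *name, const char *value, int escape)
{
    size_t len = strlen(dst);
    int n = escape ? snprintf(dst + len, cap - len, ",%s=", name)
                   : snprintf(dst + len, cap - len, ",%s=%s", name, value);
    if (n < 0 || (size_t)n >= cap - len) return -1;
    return escape ? append_escaped(dst, cap, value) : 0;
}

/* Number of records a line-based reader of the mounts file would see in s. */
int count_records(const char *s)
{
    int n = 1;
    for (; *s; s++) n += (*s == '\n');
    return n;
}

int main(void)
{
    const char *v = "ovl/work/ 0 0\nnone /proc fuse.pwn user_id=1000"; /* constructed from the message */
    char raw[256] = "rw", esc[256] = "rw";
    show_option(raw, sizeof raw, "workdir", v, 0);
    show_option(esc, sizeof esc, "workdir", v, 1);
    printf("%d record(s): %s\n%d record(s): %s\n", count_records(raw), raw, count_records(esc), esc);
    return 0;
}
```

With escaping, the embedded newline and spaces stay inside the option field, so a line-based parser sees a single mount entry.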
04 May, 2015
1 commit
-
S_IFMT is obviously wrong and needs to be 0777.
We're interested in the file mode, not the type.

Fixes: b98b91029c (hostfs: No need to box and later unbox the file mode)
Reported-by: Markus Stenberg
Signed-off-by: Richard Weinberger
27 Apr, 2015
1 commit
-
Pull fourth vfs update from Al Viro:
"d_inode() annotations from David Howells (sat in for-next since before
the beginning of merge window) + four assorted fixes"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
RCU pathwalk breakage when running into a symlink overmounting something
fix I_DIO_WAKEUP definition
direct-io: only inc/dec inode->i_dio_count for file systems
fs/9p: fix readdir()
VFS: assorted d_backing_inode() annotations
VFS: fs/inode.c helpers: d_inode() annotations
VFS: fs/cachefiles: d_backing_inode() annotations
VFS: fs library helpers: d_inode() annotations
VFS: assorted weird filesystems: d_inode() annotations
VFS: normal filesystems (and lustre): d_inode() annotations
VFS: security/: d_inode() annotations
VFS: security/: d_backing_inode() annotations
VFS: net/: d_inode() annotations
VFS: net/unix: d_backing_inode() annotations
VFS: kernel/: d_inode() annotations
VFS: audit: d_backing_inode() annotations
VFS: Fix up some ->d_inode accesses in the chelsio driver
VFS: Cachefiles should perform fs modifications on the top layer only
VFS: AF_UNIX sockets should call mknod on the top layer only
16 Apr, 2015
2 commits
-
Pull UML updates from Richard Weinberger:
- hostfs saw a face lifting
- old/broken stuff was removed (SMP, HIGHMEM, SKAS3/4)
- random cleanups and bug fixes

* tag 'for-linus-4.1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml: (26 commits)
um: Print minimum physical memory requirement
um: Move uml_postsetup in the init_thread stack
um: add a kmsg_dumper
x86, UML: fix integer overflow in ELF_ET_DYN_BASE
um: hostfs: Reduce number of syscalls in readdir
um: Remove broken highmem support
um: Remove broken SMP support
um: Remove SKAS3/4 support
um: Remove ppc cruft
um: Remove ia64 cruft
um: Remove dead code from stacktrace
hostfs: No need to box and later unbox the file mode
hostfs: Use page_offset()
hostfs: Set page flags in hostfs_readpage() correctly
hostfs: Remove superfluous initializations in hostfs_open()
hostfs: hostfs_open: Reset open flags upon each retry
hostfs: Remove superfluous test in hostfs_open()
hostfs: Report append flag in ->show_options()
hostfs: Use __getname() in follow_link
hostfs: Remove open coded strcpy()
...
-
that's the bulk of filesystem drivers dealing with inodes of their own
Signed-off-by: David Howells
Signed-off-by: Al Viro
14 Apr, 2015
1 commit
-
Currently hostfs issues every time a seekdir(), in fact
it has to do this only upon the first call.
Also telldir() can be omitted as we can obtain the directory
offset from readdir().

Signed-off-by: Richard Weinberger
12 Apr, 2015
1 commit
-
All places outside of core VFS that checked ->read and ->write for being NULL or
called the methods directly are gone now, so NULL {read,write} with non-NULL
{read,write}_iter will do the right thing in all cases.

Signed-off-by: Al Viro
27 Mar, 2015
15 commits
-
There is really no point in having a function with 10
arguments.

Reported-by: Daniel Walter
Signed-off-by: Richard Weinberger
-
The kernel offers a helper function for that, use it.
Signed-off-by: Richard Weinberger
-
In case of an error set the page error flag and clear the up-to-date
flag.
If the read was successful clear the error flag unconditionally.

Signed-off-by: Richard Weinberger
-
Only initialize what we really need.
Signed-off-by: Richard Weinberger
-
...otherwise we might end up with an incorrect mode.
Signed-off-by: Richard Weinberger
-
Signed-off-by: Richard Weinberger
-
hostfs has an "append" mount option. Report it.
Signed-off-by: Richard Weinberger
-
Be consistent with all other functions in hostfs and just
use __getname().

Signed-off-by: Richard Weinberger
-
Signed-off-by: Richard Weinberger
-
hostfs' __dentry_name() relies on the fact that dentry_path_raw() will place
the path name at the end of the provided buffer.
While this is okay, add a BUG_ON() to detect behavior changes as soon
as possible.

Signed-off-by: Richard Weinberger
-
...to make life easier for future readers of that code.
Signed-off-by: Richard Weinberger
-
Make sure that we return EIO if one passes an invalid st.mode
into hostfs.

Signed-off-by: Richard Weinberger
-
Historically hostfs did not open directories on the host filesystem
for performance and memory reasons.
But it turned out that this optimization has a drawback.
Calling fsync() on a hostfs directory returns immediately
with -EINVAL as fsync is not implemented.
While this behavior is strictly speaking correct, common userspace
like dpkg(1) stumbles over that and makes it impossible to use
hostfs as root filesystem.
The fix is easy, wire up the existing host open/fsync functions
to the directory file operations.

Reported-by: Daniel Gröber
Signed-off-by: Richard Weinberger
-
In case of a race between two callers of hostfs_file_open()
it can happen that a file descriptor is leaked.

Signed-off-by: Richard Weinberger
-
Instead of serializing hostfs_file_open() we can use
a per inode mutex to protect ->mode.

Signed-off-by: Richard Weinberger
08 Aug, 2014
1 commit
-
Support RENAME_NOREPLACE and RENAME_EXCHANGE flags on hostfs if the
underlying filesystem supports it.

Since renameat2(2) is not yet in any libc, use syscall(2) to invoke the
renameat2 syscall.

Signed-off-by: Miklos Szeredi
Cc: Richard Weinberger
Signed-off-by: Christoph Hellwig
Signed-off-by: Al Viro
07 May, 2014
2 commits
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
04 Apr, 2014
1 commit
-
Reclaim will be leaving shadow entries in the page cache radix tree upon
evicting the real page. As those pages are found from the LRU, an
iput() can lead to the inode being freed concurrently. At this point,
reclaim must no longer install shadow pages because the inode freeing
code needs to ensure the page tree is really empty.

Add an address_space flag, AS_EXITING, that the inode freeing code sets
under the tree lock before doing the final truncate. Reclaim will check
for this flag before installing shadow pages.

Signed-off-by: Johannes Weiner
Reviewed-by: Rik van Riel
Reviewed-by: Minchan Kim
Cc: Andrea Arcangeli
Cc: Bob Liu
Cc: Christoph Hellwig
Cc: Dave Chinner
Cc: Greg Thelen
Cc: Hugh Dickins
Cc: Jan Kara
Cc: KOSAKI Motohiro
Cc: Luigi Semenzato
Cc: Mel Gorman
Cc: Metin Doslu
Cc: Michel Lespinasse
Cc: Ozgun Erdogan
Cc: Peter Zijlstra
Cc: Roman Gushchin
Cc: Ryan Mallon
Cc: Tejun Heo
Cc: Vlastimil Babka
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
26 Jan, 2014
1 commit
-
The hostfs_*() callback functions are all only used within
hostfs_kern.c, so make them static.

Signed-off-by: James Hogan
Cc: Jeff Dike
Cc: Richard Weinberger
Cc: user-mode-linux-devel@lists.sourceforge.net
Signed-off-by: Richard Weinberger
16 Nov, 2013
1 commit
-
Rename simple_delete_dentry() to always_delete_dentry() and export it.
Export simple_dentry_operations, while we are at it, and get rid of
their duplicates

Signed-off-by: Al Viro
07 Sep, 2013
1 commit
-
We have to implement ->release() and trigger writeback from it.
Otherwise we might lose dirty pages at munmap().

Signed-off-by: Richard Weinberger
29 Jun, 2013
1 commit
-
Signed-off-by: Al Viro
05 May, 2013
3 commits
-
The inode info structure is zeroed at allocation with kzalloc, and then
all but one of the fields (including the largest, vfs_inode) are
initialised explicitly. Switch to using kmalloc and initialise the
remaining field too.

Reported-by: Al Viro
Signed-off-by: James Hogan
Signed-off-by: Al Viro
-
Move HOSTFS_SUPER_MAGIC to to be with its magical
friends from other file systems.

Reported-by: Al Viro
Signed-off-by: James Hogan
Signed-off-by: Al Viro
-
A "will unlock" comment was added to hostfs in the following commit,
along with a spinlock:

Commit e9193059b1b3733695d5b80e667778311695aa73 ("hostfs: fix races in
dentry_name() and inode_name()").

But the spinlock was subsequently removed in the following commit:

Commit ec2447c278ee973d35f38e53ca16ba7f965ae33d ("hostfs: simplify
locking").

Since the comment is no longer applicable, remove it.
Reported-by: Al Viro
Signed-off-by: James Hogan
Cc: Nick Piggin
Signed-off-by: Al Viro
14 Mar, 2013
1 commit
-
Pull namespace bugfixes from Eric Biederman:
"This tree includes a partial revert for "fs: Limit sys_mount to only
request filesystem modules." When I added the new style module aliases
to the filesystems I deleted the old ones. A bad move. It turns out
that distributions like Arch linux use module aliases when
constructing ramdisks. Which meant ultimately that an ext3 filesystem
mounted with ext4 would not result in the ext4 module being put into
the ramdisk.

The other change in this tree adds a handful of filesystem module
alias I simply failed to add the first time. Which inconvenienced a
few folks using cifs.

I don't want to inconvenience folks any longer than I have to so here
are these trivial fixes."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
fs: Readd the fs module aliases.
fs: Limit sys_mount to only request filesystem modules. (Part 3)
11 Mar, 2013
2 commits
-
Somehow I failed to add the MODULE_ALIAS_FS for cifs, hostfs, hpfs,
squashfs, and udf despite what I thought were my careful checks :(

Add them now.
Signed-off-by: "Eric W. Biederman"
-
With the commit 3be2be0a32c18b0fd6d623cda63174a332ca0de1 we removed vmtruncate,
but actually there is no need to call inode_newsize_ok() because the checks are
already done in inode_change_ok() at the beginning of the function.

Signed-off-by: Marco Stornelli
Signed-off-by: Richard Weinberger
23 Feb, 2013
2 commits
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
10 Oct, 2012
2 commits
-
Pull UML changes from Richard Weinberger:
"UML receives this time only cleanups.

The most outstanding change is the 'include "foo.h"' do 'include
' conversion done by Al Viro.

It touches many files, that's why the diffstat is rather big."
* 'for-linus-37rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml:
typo in UserModeLinux-HOWTO
hppfs: fix the return value of get_inode()
hostfs: drop vmtruncate
um: get rid of pointless include "..." where include will do
um: move sysrq.h out of include/shared
um/x86: merge 32 and 64 bit variants of ptrace.h
um/x86: merge 32 and 64bit variants of checksum.h
-
Removed vmtruncate.
Signed-off-by: Marco Stornelli
Signed-off-by: Richard Weinberger