linux.git/fs/hostfs, branch v4.1.10 Clone of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git fs: create and use seq_show_option for escaping 2015-09-21T17:05:45+00:00 Kees Cook keescook@chromium.org 2015-09-04T22:44:57+00:00 d3b428f0361d6dcbe7c6665ae0a824517a0b1ca9 commit a068acf2ee77693e0bf39d6e07139ba704f461c3 upstream. Many file systems that implement the show_options hook fail to correctly escape their output which could lead to unescaped characters (e.g. new lines) leaking into /proc/mounts and /proc/[pid]/mountinfo files. This could lead to confusion, spoofed entries (resulting in things like systemd issuing false d-bus "mount" notifications), and who knows what else. This looks like it would only be the root user stepping on themselves, but it's possible weird things could happen in containers or in other situations with delegated mount privileges. Here's an example using overlay with setuid fusermount trusting the contents of /proc/mounts (via the /etc/mtab symlink). Imagine the use of "sudo" is something more sneaky: $ BASE="ovl" $ MNT="$BASE/mnt" $ LOW="$BASE/lower" $ UP="$BASE/upper" $ WORK="$BASE/work/ 0 0 none /proc fuse.pwn user_id=1000" $ mkdir -p "$LOW" "$UP" "$WORK" $ sudo mount -t overlay -o "lowerdir=$LOW,upperdir=$UP,workdir=$WORK" none /mnt $ cat /proc/mounts none /root/ovl/mnt overlay rw,relatime,lowerdir=ovl/lower,upperdir=ovl/upper,workdir=ovl/work/ 0 0 none /proc fuse.pwn user_id=1000 0 0 $ fusermount -u /proc $ cat /proc/mounts cat: /proc/mounts: No such file or directory This fixes the problem by adding new seq_show_option and seq_show_option_n helpers, and updating the vulnerable show_option handlers to use them as needed. Some, like SELinux, need to be open coded due to unusual existing escape mechanisms. [akpm@linux-foundation.org: add lost chunk, per Kees] [keescook@chromium.org: seq_show_option should be using const parameters] Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Acked-by: Jan Kara <jack@suse.com> Acked-by: Paul Moore <paul@paul-moore.com> Cc: J. R. Okajima <hooanon05g@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit a068acf2ee77693e0bf39d6e07139ba704f461c3 upstream.

Many file systems that implement the show_options hook fail to correctly
escape their output which could lead to unescaped characters (e.g.  new
lines) leaking into /proc/mounts and /proc/[pid]/mountinfo files.  This
could lead to confusion, spoofed entries (resulting in things like
systemd issuing false d-bus "mount" notifications), and who knows what
else.  This looks like it would only be the root user stepping on
themselves, but it's possible weird things could happen in containers or
in other situations with delegated mount privileges.

Here's an example using overlay with setuid fusermount trusting the
contents of /proc/mounts (via the /etc/mtab symlink).  Imagine the use
of "sudo" is something more sneaky:

  $ BASE="ovl"
  $ MNT="$BASE/mnt"
  $ LOW="$BASE/lower"
  $ UP="$BASE/upper"
  $ WORK="$BASE/work/ 0 0
  none /proc fuse.pwn user_id=1000"
  $ mkdir -p "$LOW" "$UP" "$WORK"
  $ sudo mount -t overlay -o "lowerdir=$LOW,upperdir=$UP,workdir=$WORK" none /mnt
  $ cat /proc/mounts
  none /root/ovl/mnt overlay rw,relatime,lowerdir=ovl/lower,upperdir=ovl/upper,workdir=ovl/work/ 0 0
  none /proc fuse.pwn user_id=1000 0 0
  $ fusermount -u /proc
  $ cat /proc/mounts
  cat: /proc/mounts: No such file or directory

This fixes the problem by adding new seq_show_option and
seq_show_option_n helpers, and updating the vulnerable show_option
handlers to use them as needed.  Some, like SELinux, need to be open
coded due to unusual existing escape mechanisms.

[akpm@linux-foundation.org: add lost chunk, per Kees]
[keescook@chromium.org: seq_show_option should be using const parameters]
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Acked-by: Jan Kara <jack@suse.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Cc: J. R. Okajima <hooanon05g@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
hostfs: Use correct mask for file mode 2015-05-04T12:50:29+00:00 Richard Weinberger richard@nod.at 2015-05-04T12:50:29+00:00 a718c92219b35e8a75175fde85c4566ac5730273 S_IFMT is obviously wrong and needs to be 0777. We're interested in the file mode, not the type. Fixes: b98b91029c (hostfs: No need to box and later unbox the file mode) Reported-by: Markus Stenberg <markus.stenberg@iki.fi> Signed-off-by: Richard Weinberger <richard@nod.at> 
S_IFMT is obviously wrong and needs to be 0777.
We're interested in the file mode, not the type.

Fixes: b98b91029c (hostfs: No need to box and later unbox the file mode)
Reported-by: Markus Stenberg <markus.stenberg@iki.fi>
Signed-off-by: Richard Weinberger <richard@nod.at>
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2015-04-27T00:22:07+00:00 Linus Torvalds torvalds@linux-foundation.org 2015-04-26T22:48:49+00:00 9ec3a646fe09970f801ab15e0f1694060b9f19af Pull fourth vfs update from Al Viro: "d_inode() annotations from David Howells (sat in for-next since before the beginning of merge window) + four assorted fixes" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: RCU pathwalk breakage when running into a symlink overmounting something fix I_DIO_WAKEUP definition direct-io: only inc/dec inode->i_dio_count for file systems fs/9p: fix readdir() VFS: assorted d_backing_inode() annotations VFS: fs/inode.c helpers: d_inode() annotations VFS: fs/cachefiles: d_backing_inode() annotations VFS: fs library helpers: d_inode() annotations VFS: assorted weird filesystems: d_inode() annotations VFS: normal filesystems (and lustre): d_inode() annotations VFS: security/: d_inode() annotations VFS: security/: d_backing_inode() annotations VFS: net/: d_inode() annotations VFS: net/unix: d_backing_inode() annotations VFS: kernel/: d_inode() annotations VFS: audit: d_backing_inode() annotations VFS: Fix up some ->d_inode accesses in the chelsio driver VFS: Cachefiles should perform fs modifications on the top layer only VFS: AF_UNIX sockets should call mknod on the top layer only 
Pull fourth vfs update from Al Viro:
 "d_inode() annotations from David Howells (sat in for-next since before
  the beginning of merge window) + four assorted fixes"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  RCU pathwalk breakage when running into a symlink overmounting something
  fix I_DIO_WAKEUP definition
  direct-io: only inc/dec inode->i_dio_count for file systems
  fs/9p: fix readdir()
  VFS: assorted d_backing_inode() annotations
  VFS: fs/inode.c helpers: d_inode() annotations
  VFS: fs/cachefiles: d_backing_inode() annotations
  VFS: fs library helpers: d_inode() annotations
  VFS: assorted weird filesystems: d_inode() annotations
  VFS: normal filesystems (and lustre): d_inode() annotations
  VFS: security/: d_inode() annotations
  VFS: security/: d_backing_inode() annotations
  VFS: net/: d_inode() annotations
  VFS: net/unix: d_backing_inode() annotations
  VFS: kernel/: d_inode() annotations
  VFS: audit: d_backing_inode() annotations
  VFS: Fix up some ->d_inode accesses in the chelsio driver
  VFS: Cachefiles should perform fs modifications on the top layer only
  VFS: AF_UNIX sockets should call mknod on the top layer only
Merge tag 'for-linus-4.1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml 2015-04-15T20:49:27+00:00 Linus Torvalds torvalds@linux-foundation.org 2015-04-15T20:49:27+00:00 e44740c1a94b5d39b093045920f543a7bc135584 Pull UML updates from Richard Weinberger: - hostfs saw a face lifting - old/broken stuff was removed (SMP, HIGHMEM, SKAS3/4) - random cleanups and bug fixes * tag 'for-linus-4.1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml: (26 commits) um: Print minimum physical memory requirement um: Move uml_postsetup in the init_thread stack um: add a kmsg_dumper x86, UML: fix integer overflow in ELF_ET_DYN_BASE um: hostfs: Reduce number of syscalls in readdir um: Remove broken highmem support um: Remove broken SMP support um: Remove SKAS3/4 support um: Remove ppc cruft um: Remove ia64 cruft um: Remove dead code from stacktrace hostfs: No need to box and later unbox the file mode hostfs: Use page_offset() hostfs: Set page flags in hostfs_readpage() correctly hostfs: Remove superfluous initializations in hostfs_open() hostfs: hostfs_open: Reset open flags upon each retry hostfs: Remove superfluous test in hostfs_open() hostfs: Report append flag in ->show_options() hostfs: Use __getname() in follow_link hostfs: Remove open coded strcpy() ... 
Pull UML updates from Richard Weinberger:
 - hostfs saw a face lifting
 - old/broken stuff was removed (SMP, HIGHMEM, SKAS3/4)
 - random cleanups and bug fixes

* tag 'for-linus-4.1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml: (26 commits)
  um: Print minimum physical memory requirement
  um: Move uml_postsetup in the init_thread stack
  um: add a kmsg_dumper
  x86, UML: fix integer overflow in ELF_ET_DYN_BASE
  um: hostfs: Reduce number of syscalls in readdir
  um: Remove broken highmem support
  um: Remove broken SMP support
  um: Remove SKAS3/4 support
  um: Remove ppc cruft
  um: Remove ia64 cruft
  um: Remove dead code from stacktrace
  hostfs: No need to box and later unbox the file mode
  hostfs: Use page_offset()
  hostfs: Set page flags in hostfs_readpage() correctly
  hostfs: Remove superfluous initializations in hostfs_open()
  hostfs: hostfs_open: Reset open flags upon each retry
  hostfs: Remove superfluous test in hostfs_open()
  hostfs: Report append flag in ->show_options()
  hostfs: Use __getname() in follow_link
  hostfs: Remove open coded strcpy()
  ...
VFS: normal filesystems (and lustre): d_inode() annotations 2015-04-15T19:06:57+00:00 David Howells dhowells@redhat.com 2015-03-17T22:25:59+00:00 2b0143b5c986be1ce8408b3aadc4709e0a94429d that's the bulk of filesystem drivers dealing with inodes of their own Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
that's the bulk of filesystem drivers dealing with inodes of their own

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
um: hostfs: Reduce number of syscalls in readdir 2015-04-13T19:01:07+00:00 Richard Weinberger richard@nod.at 2015-03-24T14:47:38+00:00 0c9bd6365d0b278728359843b8303047ddedb831 Currently hostfs issues every time a seekdir(), in fact it has to do this only upon the first call. Also telldir() can be omitted as we can obtain the directory offset from readdir(). Signed-off-by: Richard Weinberger <richard@nod.at> 
Currently hostfs issues every time a seekdir(), in fact
it has to do this only upon the first call.
Also telldir() can be omitted as we can obtain the directory
offset from readdir().

Signed-off-by: Richard Weinberger <richard@nod.at>
make new_sync_{read,write}() static 2015-04-12T02:29:40+00:00 Al Viro viro@zeniv.linux.org.uk 2015-04-03T19:41:18+00:00 5d5d568975307877e9195f5305f4240e506a2807 All places outside of core VFS that checked ->read and ->write for being NULL or called the methods directly are gone now, so NULL {read,write} with non-NULL {read,write}_iter will do the right thing in all cases. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
All places outside of core VFS that checked ->read and ->write for being NULL or
called the methods directly are gone now, so NULL {read,write} with non-NULL
{read,write}_iter will do the right thing in all cases.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
hostfs: No need to box and later unbox the file mode 2015-03-26T22:27:53+00:00 Richard Weinberger richard@nod.at 2015-03-04T22:44:54+00:00 b98b91029cf8a6defc6311d4018c44f3b05fbec7 There is really no point in having a function with 10 arguments. Reported-by: Daniel Walter <d.walter@0x90.at> Signed-off-by: Richard Weinberger <richard@nod.at> 
There is really no point in having a function with 10
arguments.

Reported-by: Daniel Walter <d.walter@0x90.at>
Signed-off-by: Richard Weinberger <richard@nod.at>
hostfs: Use page_offset() 2015-03-26T22:27:53+00:00 Richard Weinberger richard@nod.at 2015-03-04T19:58:39+00:00 af6aa1b9cad7350d675fe3523ab062e0e4c829cb The kernel offers a helper function for that, use it. Signed-off-by: Richard Weinberger <richard@nod.at> 
The kernel offers a helper function for that, use it.

Signed-off-by: Richard Weinberger <richard@nod.at>
hostfs: Set page flags in hostfs_readpage() correctly 2015-03-26T22:27:53+00:00 Richard Weinberger richard@nod.at 2015-03-04T11:44:03+00:00 b86b413a321105cb75373b48fd7ba53fcbc7ec4c In case of an error set the page error flag and clear the up-to-date flag. If the read was successful clear the error flag unconditionally. Signed-off-by: Richard Weinberger <richard@nod.at> 
In case of an error set the page error flag and clear the up-to-date
flag.
If the read was successful clear the error flag unconditionally.

Signed-off-by: Richard Weinberger <richard@nod.at>