| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190318202948.GD194307@gmail.com>
Date: Mon, 18 Mar 2019 13:29:49 -0700
From: Eric Biggers <ebiggers@...nel.org>
To: Al Viro <viro@...iv.linux.org.uk>
Cc: linux-fscrypt@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-ext4@...r.kernel.org, linux-f2fs-devel@...ts.sourceforge.net,
linux-mtd@...ts.infradead.org, linux-unionfs@...r.kernel.org,
Sarthak Kukreti <sarthakkukreti@...omium.org>,
Gao Xiang <gaoxiang25@...wei.com>
Subject: Re: [PATCH 1/5] fscrypt: clean up and improve dentry revalidation
On Sun, Mar 17, 2019 at 08:38:22PM +0000, Al Viro wrote:
> On Sun, Mar 17, 2019 at 01:04:40PM -0700, Eric Biggers wrote:
> > + /*
> > + * Ciphertext name; valid if the directory's key is still unavailable.
> > + *
> > + * Note: since fscrypt forbids rename() on ciphertext names, it should
> > + * be safe to access ->d_parent directly here.
>
> No, it is not. Again, d_splice_alias() on buggered fs image picking a reference
> to your subdirectory when doing a lookup elsewhere. It can relocate the
> damn thing, without rename() being allowed for _anything_.
You're talking about directory hard links, right? E.g. if there's a directory
with two links a/dir and b/dir, and fscrypt_d_revalidate() is running on 'dir'
via a lookup in a/, it could be the case that b/dir is being concurrently looked
up. Then the concurrent d_splice_alias() will move the whole dentry tree rooted
at 'dir' from a/ to b/ in the dcache. Okay, it looks like you're right; I'll
update my comment to clarify that dget_parent() is still needed...
- Eric
Powered by blists - more mailing lists