| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <85d06mkkv5.fsf@collabora.com>
Date: Sat, 30 May 2020 02:17:02 -0400
From: Gabriel Krisman Bertazi <krisman@...labora.com>
To: Eric Biggers <ebiggers@...nel.org>
Cc: linux-ext4@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-f2fs-devel@...ts.sourceforge.net, stable@...r.kernel.org,
Al Viro <viro@...iv.linux.org.uk>,
Daniel Rosenberg <drosen@...gle.com>,
Gabriel Krisman Bertazi <krisman@...labora.co.uk>
Subject: Re: [PATCH] ext4: avoid utf8_strncasecmp() with unstable name
Eric Biggers <ebiggers@...nel.org> writes:
> From: Eric Biggers <ebiggers@...gle.com>
>
> If the dentry name passed to ->d_compare() fits in dentry::d_iname, then
> it may be concurrently modified by a rename. This can cause undefined
> behavior (possibly out-of-bounds memory accesses or crashes) in
> utf8_strncasecmp(), since fs/unicode/ isn't written to handle strings
> that may be concurrently modified.
>
> Fix this by first copying the filename to a stack buffer if needed.
> This way we get a stable snapshot of the filename.
>
> Fixes: b886ee3e778e ("ext4: Support case-insensitive file name lookups")
> Cc: <stable@...r.kernel.org> # v5.2+
> Cc: Al Viro <viro@...iv.linux.org.uk>
> Cc: Daniel Rosenberg <drosen@...gle.com>
> Cc: Gabriel Krisman Bertazi <krisman@...labora.co.uk>
> Signed-off-by: Eric Biggers <ebiggers@...gle.com>
> ---
> fs/ext4/dir.c | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
> diff --git a/fs/ext4/dir.c b/fs/ext4/dir.c
> index c654205f648dd..19aef8328bb18 100644
> --- a/fs/ext4/dir.c
> +++ b/fs/ext4/dir.c
> @@ -675,6 +675,7 @@ static int ext4_d_compare(const struct dentry *dentry, unsigned int len,
> struct qstr qstr = {.name = str, .len = len };
> const struct dentry *parent = READ_ONCE(dentry->d_parent);
> const struct inode *inode = READ_ONCE(parent->d_inode);
> + char strbuf[DNAME_INLINE_LEN];
>
> if (!inode || !IS_CASEFOLDED(inode) ||
> !EXT4_SB(inode->i_sb)->s_encoding) {
> @@ -683,6 +684,22 @@ static int ext4_d_compare(const struct dentry *dentry, unsigned int len,
> return memcmp(str, name->name, len);
> }
>
> + /*
> + * If the dentry name is stored in-line, then it may be concurrently
> + * modified by a rename. If this happens, the VFS will eventually retry
> + * the lookup, so it doesn't matter what ->d_compare() returns.
> + * However, it's unsafe to call utf8_strncasecmp() with an unstable
> + * string. Therefore, we have to copy the name into a temporary buffer.
> + */
> + if (len <= DNAME_INLINE_LEN - 1) {
> + unsigned int i;
> +
> + for (i = 0; i < len; i++)
> + strbuf[i] = READ_ONCE(str[i]);
> + strbuf[len] = 0;
> + qstr.name = strbuf;
> + }
> +
Could we avoid this if the casefolded version were cached in the dentry?
Then we could use utf8_strncasecmp_folded which would be safe. Would
this be acceptable for vfs?
> return ext4_ci_compare(inode, name, &qstr, false);
> }
--
Gabriel Krisman Bertazi
Powered by blists - more mailing lists