lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20070305204902.9072.1224.stgit@americanbeauty.home.lan>
Date:	Mon, 05 Mar 2007 21:49:02 +0100
From:	Paolo 'Blaisorblade' Giarrusso <blaisorblade@...oo.it>
To:	Andrew Morton <akpm@...l.org>
Cc:	Jeff Dike <jdike@...toit.com>, linux-kernel@...r.kernel.org,
	user-mode-linux-devel@...ts.sourceforge.net
Subject: [PATCH 04/11] uml - hostfs: avoid possible escapes from hostfs=.

From: Paolo 'Blaisorblade' Giarrusso <blaisorblade@...oo.it>

Avoid accepting things like -o .., -o dir/../../dir2, -o dir/../.. .
This may be considered useless, but YMMV. I consider that this has a limited
security value, exactly like disabling module support (in many case it is
useful).

Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@...oo.it>
---

 fs/hostfs/hostfs_kern.c |   26 ++++++++++++++++++++++++++
 1 files changed, 26 insertions(+), 0 deletions(-)

diff --git a/fs/hostfs/hostfs_kern.c b/fs/hostfs/hostfs_kern.c
index 9baf697..0bcf7ac 100644
--- a/fs/hostfs/hostfs_kern.c
+++ b/fs/hostfs/hostfs_kern.c
@@ -936,6 +936,28 @@ static const struct address_space_operations hostfs_link_aops = {
 	.readpage	= hostfs_link_readpage,
 };
 
+static inline int str_ends_with(const char * str, const char* suffix)
+{
+	size_t len = strlen(str), suffix_len = strlen(suffix);
+	return strcmp(str + len - suffix_len, suffix) == 0;
+}
+
+static int contains_dotdot(const char* path)
+{
+	/*
+	 * Prevent escaping from hostfs=folder, even if this is not useful to
+	 * jail the UML superuser.
+	 * Since foo..bar is a valid name, we must look for /../ in the string,
+	 * or for ../ at the beginning, /.. at the end, or check whether '..' is
+	 * the complete string.
+	 */
+
+	return  strstr(path, "/../") != NULL ||
+		strcmp(path, "..") == 0 ||
+		strncmp(path, "../", strlen("../")) == 0 ||
+		str_ends_with(path, "/..");
+}
+
 static int hostfs_fill_sb_common(struct super_block *sb, void *d, int silent)
 {
 	struct inode *root_inode;
@@ -951,6 +973,10 @@ static int hostfs_fill_sb_common(struct super_block *sb, void *d, int silent)
 	if (data == NULL)
 		data = "";
 
+	err = -EINVAL;
+	if (unlikely(contains_dotdot(data)))
+		goto out;
+
 	err = -ENOMEM;
 	name = kmalloc(strlen(root_ino) + 1
 			+ strlen(data) + 1, GFP_KERNEL);


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ