| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <24270.1407767827@warthog.procyon.org.uk>
Date: Mon, 11 Aug 2014 15:37:07 +0100
From: David Howells <dhowells@...hat.com>
To: Miklos Szeredi <miklos@...redi.hu>
cc: dhowells@...hat.com, viro@...IV.linux.org.uk,
linux-unionfs@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Race in ovl_copy_up()?
Hi Miklos,
Looking at the following:
int ovl_copy_up(struct dentry *dentry)
{
int err;
err = 0;
while (!err) {
struct dentry *next;
struct dentry *parent;
struct path lowerpath;
struct kstat stat;
enum ovl_path_type type = ovl_path_type(dentry);
if (type != OVL_PATH_LOWER)
break;
next = dget(dentry);
/* find the topmost dentry not yet copied up */
for (;;) {
parent = dget_parent(next);
type = ovl_path_type(parent);
if (type != OVL_PATH_LOWER)
break;
dput(next);
next = parent;
}
ovl_path_lower(next, &lowerpath);
err = vfs_getattr(&lowerpath, &stat);
if (!err)
err = ovl_copy_up_one(parent, next, &lowerpath, &stat);
dput(parent);
dput(next);
}
return err;
}
In the for-loop in the middle, if you ascend any levels at all, how are you
protected from racing with copy-ups taking place on those more rootwards
dentries?
I can see ovl_copy_up_one() using lock_rename() on the workdir and upperdir,
but there's no relevant lock on the overlayfs fs. You stepped out of the lock
the VFS caller holds when you ascended.
David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists