lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAH2r5mtCCSY0eLARtzi4LZF3tCmPec7DSJ=h47h09fo--_D49g@mail.gmail.com>
Date: Sun, 6 Oct 2024 22:59:18 -0500
From: Steve French <smfrench@...il.com>
To: Pali Rohár <pali@...nel.org>
Cc: Steve French <sfrench@...ba.org>, Paulo Alcantara <pc@...guebit.com>, 
	Ronnie Sahlberg <ronniesahlberg@...il.com>, linux-cifs@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 6/6] cifs: Fix creating and resolving absolute NT-style symlinks

This patch had a merge conflict in fs_context.h and wouldn't apply
cleanly.   Do you have a git branch with this series (or all three
recent patch series) applied on 6.12-rc2?

On Sat, Oct 5, 2024 at 9:04 AM Pali Rohár <pali@...nel.org> wrote:
>
> If the SMB symlink is stored on NT server in absolute form then it points
> to the NT object hierarchy, which is different from POSIX one and needs
> some conversion / mapping.
>
> To make interoperability with Windows SMB server and WSL subsystem, reuse
> its logic of mapping between NT paths and POSIX paths into Linux SMB
> client.
>
> WSL subsystem on Windows uses for -t drvfs mount option -o symlinkroot=
> which specifies the POSIX path where are expected to be mounted lowercase
> Windows drive letters (without colon).
>
> Do same for Linux SMB client and add a new mount option -o symlinkroot=
> which mimics the drvfs mount option of the same name. It specifies where in
> the Linux VFS hierarchy is the root of the DOS / Windows drive letters, and
> translates between absolute NT-style symlinks and absolute Linux VFS
> symlinks. Default value of symlinkroot is "/mnt", same what is using WSL.
>
> Note that DOS / Windows drive letter symlinks are just subset of all
> possible NT-style symlinks. Drive letters live in NT subtree \??\ and
> important details about NT paths and object hierarchy are in the comments
> in this change.
>
> When symlink target location from non-POSIX SMB server is in absolute form
> (indicated by absence of SYMLINK_FLAG_RELATIVE) then it is converted to
> Linux absolute symlink according to symlinkroot configuration.
>
> And when creating a new symlink on non-POSIX SMB server in absolute form
> then Linux absolute target is converted to NT-style according to
> symlinkroot configuration.
>
> When SMB server is POSIX, then this change does not affect neither reading
> target location of symlink, nor creating a new symlink. It is expected that
> POSIX SMB server works with POSIX paths where the absolute root is /.
>
> This change improves interoperability of absolute SMB symlinks with Windows
> SMB servers.
>
> Signed-off-by: Pali Rohár <pali@...nel.org>
> ---
>  fs/smb/client/fs_context.c |  22 +++
>  fs/smb/client/fs_context.h |   2 +
>  fs/smb/client/reparse.c    | 267 ++++++++++++++++++++++++++++++++++---
>  3 files changed, 273 insertions(+), 18 deletions(-)
>
> diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
> index 2f0c3894b0f7..22b550860cc8 100644
> --- a/fs/smb/client/fs_context.c
> +++ b/fs/smb/client/fs_context.c
> @@ -178,6 +178,7 @@ const struct fs_parameter_spec smb3_fs_parameters[] = {
>         fsparam_string("sec", Opt_sec),
>         fsparam_string("cache", Opt_cache),
>         fsparam_string("reparse", Opt_reparse),
> +       fsparam_string("symlinkroot", Opt_symlinkroot),
>
>         /* Arguments that should be ignored */
>         fsparam_flag("guest", Opt_ignore),
> @@ -355,6 +356,7 @@ smb3_fs_context_dup(struct smb3_fs_context *new_ctx, struct smb3_fs_context *ctx
>         new_ctx->source = NULL;
>         new_ctx->iocharset = NULL;
>         new_ctx->leaf_fullpath = NULL;
> +       new_ctx->symlinkroot = NULL;
>         /*
>          * Make sure to stay in sync with smb3_cleanup_fs_context_contents()
>          */
> @@ -369,6 +371,7 @@ smb3_fs_context_dup(struct smb3_fs_context *new_ctx, struct smb3_fs_context *ctx
>         DUP_CTX_STR(nodename);
>         DUP_CTX_STR(iocharset);
>         DUP_CTX_STR(leaf_fullpath);
> +       DUP_CTX_STR(symlinkroot);
>
>         return 0;
>  }
> @@ -1614,9 +1617,26 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
>                 if (parse_reparse_flavor(fc, param->string, ctx))
>                         goto cifs_parse_mount_err;
>                 break;
> +       case Opt_symlinkroot:
> +               if (param->string[0] != '/') {
> +                       cifs_errorf(fc, "symlinkroot mount options must be absolute path\n");
> +                       goto cifs_parse_mount_err;
> +               }
> +               kfree(ctx->symlinkroot);
> +               ctx->symlinkroot = kstrdup(param->string, GFP_KERNEL);
> +               if (!ctx->symlinkroot)
> +                       goto cifs_parse_mount_err;
> +               break;
>         }
>         /* case Opt_ignore: - is ignored as expected ... */
>
> +       /*
> +        * By default resolve all native absolute symlinks relative to "/mnt/".
> +        * Same default has drvfs driver running in WSL for resolving SMB shares.
> +        */
> +       if (!ctx->symlinkroot)
> +               ctx->symlinkroot = kstrdup("/mnt/", GFP_KERNEL);
> +
>         return 0;
>
>   cifs_parse_mount_err:
> @@ -1747,6 +1767,8 @@ smb3_cleanup_fs_context_contents(struct smb3_fs_context *ctx)
>         ctx->prepath = NULL;
>         kfree(ctx->leaf_fullpath);
>         ctx->leaf_fullpath = NULL;
> +       kfree(ctx->symlinkroot);
> +       ctx->symlinkroot = NULL;
>  }
>
>  void
> diff --git a/fs/smb/client/fs_context.h b/fs/smb/client/fs_context.h
> index cf577ec0dd0a..8dd12498ffd8 100644
> --- a/fs/smb/client/fs_context.h
> +++ b/fs/smb/client/fs_context.h
> @@ -157,6 +157,7 @@ enum cifs_param {
>         Opt_sec,
>         Opt_cache,
>         Opt_reparse,
> +       Opt_symlinkroot,
>
>         /* Mount options to be ignored */
>         Opt_ignore,
> @@ -284,6 +285,7 @@ struct smb3_fs_context {
>         struct cifs_ses *dfs_root_ses;
>         bool dfs_automount:1; /* set for dfs automount only */
>         enum cifs_reparse_type reparse_type;
> +       char *symlinkroot; /* top level directory for native SMB symlinks in absolute format */
>  };
>
>  extern const struct fs_parameter_spec smb3_fs_parameters[];
> diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c
> index fb1d16b17f38..a577b2d2a4fc 100644
> --- a/fs/smb/client/reparse.c
> +++ b/fs/smb/client/reparse.c
> @@ -25,33 +25,128 @@ int smb2_create_reparse_symlink(const unsigned int xid, struct inode *inode,
>                                 const char *full_path, const char *symname)
>  {
>         struct reparse_symlink_data_buffer *buf = NULL;
> -       struct cifs_open_info_data data;
> +       struct cifs_open_info_data data = {};
>         struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
>         struct inode *new;
>         struct kvec iov;
> -       __le16 *path;
> +       __le16 *path = NULL;
>         bool directory;
> -       char *sym, sep = CIFS_DIR_SEP(cifs_sb);
> -       u16 len, plen;
> +       char *symlink_target = NULL;
> +       char *sym = NULL;
> +       char sep = CIFS_DIR_SEP(cifs_sb);
> +       u16 len, plen, poff, slen;
>         int rc = 0;
>
> -       sym = kstrdup(symname, GFP_KERNEL);
> -       if (!sym)
> -               return -ENOMEM;
> +       symlink_target = kstrdup(symname, GFP_KERNEL);
> +       if (!symlink_target) {
> +               rc = -ENOMEM;
> +               goto out;
> +       }
>
>         data = (struct cifs_open_info_data) {
>                 .reparse_point = true,
>                 .reparse = { .tag = IO_REPARSE_TAG_SYMLINK, },
> -               .symlink_target = sym,
> +               .symlink_target = symlink_target,
>         };
>
> -       convert_delimiter(sym, sep);
> +       if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) && symname[0] == '/') {
> +               /*
> +                * This is a request to create an absolute symlink on the server
> +                * which does not support POSIX paths, and expects symlink in
> +                * NT-style path. So convert absolute Linux symlink target path
> +                * to the absolute NT-style path. Root of the NT-style path for
> +                * symlinks is specified in "symlinkroot" mount option. This will
> +                * ensure compatibility of this symlink stored in absolute form
> +                * on the SMB server.
> +                */
> +               if (!strstarts(symname, cifs_sb->ctx->symlinkroot)) {
> +                       /*
> +                        * If the absolute Linux symlink target path is not
> +                        * inside "symlinkroot" location then there is no way
> +                        * to convert such Linux symlink to NT-style path.
> +                        */
> +                       cifs_dbg(VFS,
> +                                "absolute symlink '%s' cannot be converted to NT format "
> +                                "because it is outside of symlinkroot='%s'\n",
> +                                symname, cifs_sb->ctx->symlinkroot);
> +                       rc = -EINVAL;
> +                       goto out;
> +               }
> +               len = strlen(cifs_sb->ctx->symlinkroot);
> +               if (cifs_sb->ctx->symlinkroot[len-1] != '/')
> +                       len++;
> +               if (symname[len] >= 'a' && symname[len] <= 'z' &&
> +                   (symname[len+1] == '/' || symname[len+1] == '\0')) {
> +                       /*
> +                        * Symlink points to Linux target /symlinkroot/x/path/...
> +                        * where 'x' is the lowercase local Windows drive.
> +                        * NT-style path for 'x' has common form \??\X:\path\...
> +                        * with uppercase local Windows drive.
> +                        */
> +                       int common_path_len = strlen(symname+len+1)+1;
> +                       sym = kzalloc(6+common_path_len, GFP_KERNEL);
> +                       if (!sym) {
> +                               rc = -ENOMEM;
> +                               goto out;
> +                       }
> +                       memcpy(sym, "\\??\\", 4);
> +                       sym[4] = symname[len] - ('a'-'A');
> +                       sym[5] = ':';
> +                       memcpy(sym+6, symname+len+1, common_path_len);
> +               } else {
> +                       /* Unhandled absolute symlink. Report an error. */
> +                       cifs_dbg(
> +                                VFS,
> +                                "absolute symlink '%s' cannot be converted to NT format "
> +                                "because it points to unknown target\n",
> +                                symname);
> +                       rc = -EINVAL;
> +                       goto out;
> +               }
> +       } else {
> +               /*
> +                * This is request to either create an absolute symlink on
> +                * server which expects POSIX paths or it is an request to
> +                * create a relative symlink from the current directory.
> +                * These paths have same format as relative SMB symlinks,
> +                * so no conversion is needed. So just take symname as-is.
> +                */
> +               sym = kstrdup(symname, GFP_KERNEL);
> +               if (!sym) {
> +                       rc = -ENOMEM;
> +                       goto out;
> +               }
> +       }
> +
> +       if (sep == '\\')
> +               convert_delimiter(sym, sep);
> +
> +       /*
> +        * For absolute NT symlinks it is required to pass also leading
> +        * backslash and to not mangle NT object prefix "\\??\\" and not to
> +        * mangle colon in drive letter. But cifs_convert_path_to_utf16()
> +        * removes leading backslash and replaces '?' and ':'. So temporary
> +        * mask these characters in NT object prefix by '_' and then change
> +        * them back.
> +        */
> +       if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) && symname[0] == '/')
> +               sym[0] = sym[1] = sym[2] = sym[5] = '_';
> +
>         path = cifs_convert_path_to_utf16(sym, cifs_sb);
>         if (!path) {
>                 rc = -ENOMEM;
>                 goto out;
>         }
>
> +       if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) && symname[0] == '/') {
> +               sym[0] = '\\';
> +               sym[1] = sym[2] = '?';
> +               sym[5] = ':';
> +               path[0] = '\\';
> +               path[1] = path[2] = '?';
> +               path[5] = ':';
> +       }
> +
>         /*
>          * SMB distinguish between symlink to directory and symlink to file.
>          * They cannot be exchanged (symlink of file type which points to
> @@ -64,8 +159,18 @@ int smb2_create_reparse_symlink(const unsigned int xid, struct inode *inode,
>         if (rc < 0)
>                 goto out;
>
> -       plen = 2 * UniStrnlen((wchar_t *)path, PATH_MAX);
> -       len = sizeof(*buf) + plen * 2;
> +       slen = 2 * UniStrnlen((wchar_t *)path, PATH_MAX);
> +       poff = 0;
> +       plen = slen;
> +       if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) && symname[0] == '/') {
> +               /*
> +                * For absolute NT symlinks skip leading "\\??\\" in PrintName as
> +                * PrintName is user visible location in DOS/Win32 format (not in NT format).
> +                */
> +               poff = 4;
> +               plen -= 2 * poff;
> +       }
> +       len = sizeof(*buf) + plen + slen;
>         buf = kzalloc(len, GFP_KERNEL);
>         if (!buf) {
>                 rc = -ENOMEM;
> @@ -74,17 +179,17 @@ int smb2_create_reparse_symlink(const unsigned int xid, struct inode *inode,
>
>         buf->ReparseTag = cpu_to_le32(IO_REPARSE_TAG_SYMLINK);
>         buf->ReparseDataLength = cpu_to_le16(len - sizeof(struct reparse_data_buffer));
> +
>         buf->SubstituteNameOffset = cpu_to_le16(plen);
> -       buf->SubstituteNameLength = cpu_to_le16(plen);
> -       memcpy(&buf->PathBuffer[plen], path, plen);
> +       buf->SubstituteNameLength = cpu_to_le16(slen);
> +       memcpy(&buf->PathBuffer[plen], path, slen);
> +
>         buf->PrintNameOffset = 0;
>         buf->PrintNameLength = cpu_to_le16(plen);
> -       memcpy(buf->PathBuffer, path, plen);
> +       memcpy(buf->PathBuffer, path+poff, plen);
> +
>         buf->Flags = cpu_to_le32(*symname != '/' ? SYMLINK_FLAG_RELATIVE : 0);
> -       if (*sym != sep)
> -               buf->Flags = cpu_to_le32(SYMLINK_FLAG_RELATIVE);
>
> -       convert_delimiter(sym, '/');
>         iov.iov_base = buf;
>         iov.iov_len = len;
>         new = smb2_get_reparse_inode(&data, inode->i_sb, xid,
> @@ -95,6 +200,7 @@ int smb2_create_reparse_symlink(const unsigned int xid, struct inode *inode,
>         else
>                 rc = PTR_ERR(new);
>  out:
> +       kfree(sym);
>         kfree(path);
>         cifs_free_open_info(&data);
>         kfree(buf);
> @@ -540,6 +646,9 @@ int smb2_parse_native_symlink(char **target, const char *buf, unsigned int len,
>         char sep = CIFS_DIR_SEP(cifs_sb);
>         char *linux_target = NULL;
>         char *smb_target = NULL;
> +       int symlinkroot_len;
> +       int abs_path_len;
> +       char *abs_path;
>         int levels;
>         int rc;
>         int i;
> @@ -569,7 +678,123 @@ int smb2_parse_native_symlink(char **target, const char *buf, unsigned int len,
>                 goto out;
>         }
>
> -       if (smb_target[0] == sep && relative) {
> +       if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) && !relative) {
> +               /*
> +                * This is an absolute symlink from the server which does not
> +                * support POSIX paths, so the symlink is in NT-style path.
> +                * So convert it to absolute Linux symlink target path. Root of
> +                * the NT-style path for symlinks is specified in "symlinkroot"
> +                * mount option.
> +                *
> +                * Root of the DOS and Win32 paths is at NT path \??\
> +                * It means that DOS/Win32 path C:\folder\file.txt is
> +                * NT path \??\C:\folder\file.txt
> +                *
> +                * NT systems have some well-known object symlinks in their NT
> +                * hierarchy, which is needed to take into account when resolving
> +                * other symlinks. Most commonly used symlink paths are:
> +                * \?? -> \GLOBAL??
> +                * \DosDevices -> \??
> +                * \GLOBAL??\GLOBALROOT -> \
> +                * \GLOBAL??\Global -> \GLOBAL??
> +                * \GLOBAL??\NUL -> \Device\Null
> +                * \GLOBAL??\UNC -> \Device\Mup
> +                * \GLOBAL??\PhysicalDrive0 -> \Device\Harddisk0\DR0 (for each harddisk)
> +                * \GLOBAL??\A: -> \Device\Floppy0 (if A: is the first floppy)
> +                * \GLOBAL??\C: -> \Device\HarddiskVolume1 (if C: is the first harddisk)
> +                * \GLOBAL??\D: -> \Device\CdRom0 (if D: is first cdrom)
> +                * \SystemRoot -> \Device\Harddisk0\Partition1\WINDOWS (or where is NT system installed)
> +                * \Volume{...} -> \Device\HarddiskVolume1 (where ... is system generated guid)
> +                *
> +                * In most common cases, absolute NT symlinks points to path on
> +                * DOS/Win32 drive letter, system-specific Volume or on UNC share.
> +                * Here are few examples of commonly used absolute NT symlinks
> +                * created by mklink.exe tool:
> +                * \??\C:\folder\file.txt
> +                * \??\\C:\folder\file.txt
> +                * \??\UNC\server\share\file.txt
> +                * \??\\UNC\server\share\file.txt
> +                * \??\Volume{b75e2c83-0000-0000-0000-602f00000000}\folder\file.txt
> +                *
> +                * It means that the most common path prefix \??\ is also NT path
> +                * symlink (to \GLOBAL??). It is less common that second path
> +                * separator is double backslash, but it is valid.
> +                *
> +                * Volume guid is randomly generated by the target system and so
> +                * only the target system knows the mapping between guid and the
> +                * hardisk number. Over SMB it is not possible to resolve this
> +                * mapping, therefore symlinks pointing to target location of
> +                * volume guids are totally unusable over SMB.
> +                *
> +                * For now parse only symlink paths available for DOS and Win32.
> +                * Those are paths with \??\ prefix or paths which points to \??\
> +                * via other NT symlink (\DosDevices\, \GLOBAL??\, ...).
> +                */
> +               abs_path = smb_target;
> +globalroot:
> +               if (strstarts(abs_path, "\\??\\"))
> +                       abs_path += sizeof("\\??\\")-1;
> +               else if (strstarts(abs_path, "\\DosDevices\\"))
> +                       abs_path += sizeof("\\DosDevices\\")-1;
> +               else if (strstarts(abs_path, "\\GLOBAL??\\"))
> +                       abs_path += sizeof("\\GLOBAL??\\")-1;
> +               else {
> +                       /* Unhandled absolute symlink, points outside of DOS/Win32 */
> +                       cifs_dbg(VFS,
> +                                "absolute symlink '%s' cannot be converted from NT format "
> +                                "because points to unknown target\n",
> +                                smb_target);
> +                       rc = -EIO;
> +                       goto out;
> +               }
> +
> +               /* Sometimes path separator after \?? is double backslash */
> +               if (abs_path[0] == '\\')
> +                       abs_path++;
> +
> +               while (strstarts(abs_path, "Global\\"))
> +                       abs_path += sizeof("Global\\")-1;
> +
> +               if (strstarts(abs_path, "GLOBALROOT\\")) {
> +                       /* Label globalroot requires path with leading '\\', so do not trim '\\' */
> +                       abs_path += sizeof("GLOBALROOT")-1;
> +                       goto globalroot;
> +               }
> +
> +               /* For now parse only paths to drive letters */
> +               if (((abs_path[0] >= 'A' && abs_path[0] <= 'Z') ||
> +                    (abs_path[0] >= 'a' && abs_path[0] <= 'z')) &&
> +                   abs_path[1] == ':' &&
> +                   (abs_path[2] == '\\' || abs_path[2] == '\0')) {
> +                       /* Convert drive letter to lowercase and drop colon */
> +                       char drive_letter = abs_path[0];
> +                       if (drive_letter >= 'A' && drive_letter <= 'Z')
> +                               drive_letter += 'a'-'A';
> +                       abs_path++;
> +                       abs_path[0] = drive_letter;
> +               } else {
> +                       /* Unhandled absolute symlink. Report an error. */
> +                       cifs_dbg(VFS,
> +                                "absolute symlink '%s' cannot be converted from NT format "
> +                                "because points to unknown target\n",
> +                                smb_target);
> +                       rc = -EIO;
> +                       goto out;
> +               }
> +
> +               abs_path_len = strlen(abs_path)+1;
> +               symlinkroot_len = strlen(cifs_sb->ctx->symlinkroot);
> +               if (cifs_sb->ctx->symlinkroot[symlinkroot_len-1] == '/')
> +                       symlinkroot_len--;
> +               linux_target = kmalloc(symlinkroot_len + 1 + abs_path_len, GFP_KERNEL);
> +               if (!linux_target) {
> +                       rc = -ENOMEM;
> +                       goto out;
> +               }
> +               memcpy(linux_target, cifs_sb->ctx->symlinkroot, symlinkroot_len);
> +               linux_target[symlinkroot_len] = '/';
> +               memcpy(linux_target + symlinkroot_len + 1, abs_path, abs_path_len);
> +       } else if (smb_target[0] == sep && relative) {
>                 /*
>                  * This is a relative SMB symlink from the top of the share,
>                  * which is the top level directory of the Linux mount point.
> @@ -598,6 +823,12 @@ int smb2_parse_native_symlink(char **target, const char *buf, unsigned int len,
>                 }
>                 memcpy(linux_target + levels*3, smb_target+1, smb_target_len); /* +1 to skip leading sep */
>         } else {
> +               /*
> +                * This is either an absolute symlink in POSIX-style format
> +                * or relative SMB symlink from the current directory.
> +                * These paths have same format as Linux symlinks, so no
> +                * conversion is needed.
> +                */
>                 linux_target = smb_target;
>                 smb_target = NULL;
>         }
> --
> 2.20.1
>
>


-- 
Thanks,

Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ