lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250429183850.211682-1-andrealmeid@igalia.com>
Date: Tue, 29 Apr 2025 15:38:50 -0300
From: André Almeida <andrealmeid@...lia.com>
To: Miklos Szeredi <miklos@...redi.hu>,
	Amir Goldstein <amir73il@...il.com>
Cc: linux-unionfs@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	kernel-dev@...lia.com,
	André Almeida <andrealmeid@...lia.com>,
	John Schoenick <johns@...vesoftware.com>
Subject: [PATCH] ovl: Fix nested backing file paths

When the lowerdir of an overlayfs is a merged directory of another
overlayfs, ovl_open_realfile() will fail to open the real file and point
to a lower dentry copy, without the proper parent path. After this,
d_path() will then display the path incorrectly as if the file is placed
in the root directory.

This bug can be triggered with the following setup:

 mkdir -p ovl-A/lower ovl-A/upper ovl-A/merge ovl-A/work
 mkdir -p ovl-B/upper ovl-B/merge ovl-B/work

 cp /bin/cat ovl-A/lower/

 mount -t overlay overlay -o \
 lowerdir=ovl-A/lower,upperdir=ovl-A/upper,workdir=ovl-A/work \
 ovl-A/merge

 mount -t overlay overlay -o \
 lowerdir=ovl-A/merge,upperdir=ovl-B/upper,workdir=ovl-B/work \
 ovl-B/merge

 ovl-A/merge/cat /proc/self/maps | grep --color cat
 ovl-B/merge/cat /proc/self/maps | grep --color cat

The first cat will correctly show `/ovl-A/merge/cat`, while the second
one shows just `/cat`.

To fix that, uses file_user_path() inside of backing_file_open() to get
the correct file path for the dentry.

Co-developed-by: John Schoenick <johns@...vesoftware.com>
Signed-off-by: John Schoenick <johns@...vesoftware.com>
Signed-off-by: André Almeida <andrealmeid@...lia.com>
---
 fs/overlayfs/file.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index 969b458100fe..dfea7bd800cb 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -48,8 +48,8 @@ static struct file *ovl_open_realfile(const struct file *file,
 		if (!inode_owner_or_capable(real_idmap, realinode))
 			flags &= ~O_NOATIME;
 
-		realfile = backing_file_open(&file->f_path, flags, realpath,
-					     current_cred());
+		realfile = backing_file_open(file_user_path((struct file *) file),
+					     flags, realpath, current_cred());
 	}
 	ovl_revert_creds(old_cred);
 
-- 
2.49.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ