首页 发现 帮助
登录
GfA
/
linux_kernel
5
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
浏览代码

ovl: fix possible use after free on redirect dir lookup

ovl_lookup_layer() iterates on path elements of d->name.name
but also frees and allocates a new pointer for d->name.name.

For the case of lookup in upper layer, the initial d->name.name
pointer is stable (dentry->d_name), but for lower layers, the
initial d->name.name can be d->redirect, which can be freed during
iteration.

[SzM]
Keep the count of remaining characters in the redirect path and calculate
the current position from that.  This works becuase only the prefix is
modified, the ending always stays the same.

Fixes: 02b69b284cd7 ("ovl: lookup redirects")
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Amir Goldstein 8 年之前
父节点
49def18533
当前提交
4c7d0c9cb7
共有 1 个文件被更改,包括 18 次插入9 次删除
合并视图 显示文件统计
  1. 18 9
      fs/overlayfs/namei.c

+ 18 - 9
fs/overlayfs/namei.c
查看文件 

@@ -154,29 +154,38 @@ out_err:
 
 static int ovl_lookup_layer(struct dentry *base, struct ovl_lookup_data *d,
 
 static int ovl_lookup_layer(struct dentry *base, struct ovl_lookup_data *d,
 
 			    struct dentry **ret)
 
 			    struct dentry **ret)
 
 {
 
 {
 
-	const char *s = d->name.name;
 
+	/* Counting down from the end, since the prefix can change */
 
+	size_t rem = d->name.len - 1;
 
 	struct dentry *dentry = NULL;
 
 	struct dentry *dentry = NULL;
 
 	int err;
 
 	int err;
 
 
 
-	if (*s != '/')
 
+	if (d->name.name[0] != '/')
 
 		return ovl_lookup_single(base, d, d->name.name, d->name.len,
 
 		return ovl_lookup_single(base, d, d->name.name, d->name.len,
 
 					 0, "", ret);
 
 					 0, "", ret);
 
 
 
-	while (*s++ == '/' && !IS_ERR_OR_NULL(base) && d_can_lookup(base)) {
 
+	while (!IS_ERR_OR_NULL(base) && d_can_lookup(base)) {
 
+		const char *s = d->name.name + d->name.len - rem;
 
 		const char *next = strchrnul(s, '/');
 
 		const char *next = strchrnul(s, '/');
 
-		size_t slen = strlen(s);
 
+		size_t thislen = next - s;
 
+		bool end = !next[0];
 
 
 
-		if (WARN_ON(slen > d->name.len) ||
 
-		    WARN_ON(strcmp(d->name.name + d->name.len - slen, s)))
 
+		/* Verify we did not go off the rails */
 
+		if (WARN_ON(s[-1] != '/'))
 
 			return -EIO;
 
 			return -EIO;
 
 
 
-		err = ovl_lookup_single(base, d, s, next - s,
 
-					d->name.len - slen, next, &base);
 
+		err = ovl_lookup_single(base, d, s, thislen,
 
+					d->name.len - rem, next, &base);
 
 		dput(dentry);
 
 		dput(dentry);
 
 		if (err)
 
 		if (err)
 
 			return err;
 
 			return err;
 
 		dentry = base;
 
 		dentry = base;
 
-		s = next;
 
+		if (end)
 
+			break;
 
+
 
+		rem -= thislen + 1;
 
+
 
+		if (WARN_ON(rem >= d->name.len))
 
+			return -EIO;
 
 	}
 
 	}
 
 	*ret = dentry;
 
 	*ret = dentry;
 
 	return 0;
 
 	return 0;