From: Paolo 'Blaisorblade' Giarrusso <[EMAIL PROTECTED]> Avoid accepting things like -o .., -o dir/../../dir2, -o dir/../.. . This may be considered useless, but YMMV. I consider that this has a limited security value, exactly like disabling module support (in many cases it is useful).
Signed-off-by: Paolo 'Blaisorblade' Giarrusso <[EMAIL PROTECTED]> --- fs/hostfs/hostfs_kern.c | 26 ++++++++++++++++++++++++++ 1 files changed, 26 insertions(+), 0 deletions(-) diff --git a/fs/hostfs/hostfs_kern.c b/fs/hostfs/hostfs_kern.c index 9baf697..0bcf7ac 100644 --- a/fs/hostfs/hostfs_kern.c +++ b/fs/hostfs/hostfs_kern.c @@ -936,6 +936,28 @@ static const struct address_space_operations hostfs_link_aops = { .readpage = hostfs_link_readpage, }; +static inline int str_ends_with(const char * str, const char* suffix) +{ + size_t len = strlen(str), suffix_len = strlen(suffix); + return strcmp(str + len - suffix_len, suffix) == 0; +} + +static int contains_dotdot(const char* path) +{ + /* + * Prevent escaping from hostfs=folder, even if this is not useful to + * jail the UML superuser. + * Since foo..bar is a valid name, we must look for /../ in the string, + * or for ../ at the beginning, /.. at the end, or check whether '..' is + * the complete string. + */ + + return strstr(path, "/../") != NULL || + strcmp(path, "..") == 0 || + strncmp(path, "../", strlen("../")) == 0 || + str_ends_with(path, "/.."); +} + static int hostfs_fill_sb_common(struct super_block *sb, void *d, int silent) { struct inode *root_inode; @@ -951,6 +973,10 @@ static int hostfs_fill_sb_common(struct super_block *sb, void *d, int silent) if (data == NULL) data = ""; + err = -EINVAL; + if (unlikely(contains_dotdot(data))) + goto out; + err = -ENOMEM; name = kmalloc(strlen(root_ino) + 1 + strlen(data) + 1, GFP_KERNEL); - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
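Review bot: `str_ends_with()` computes `str + len - suffix_len` without checking that the string is at least as long as the suffix, so for any path shorter than three characters the `strcmp()` starts reading before the beginning of the buffer. The second hunk calls `contains_dotdot(data)` right after `data = ""`, so the default empty mount path falls through the first three tests and reaches this out-of-bounds read. Add a guard as the first statement after the declaration: `if (len < suffix_len) return 0;`.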
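Review bot: The check added before the `kmalloc()` is purely lexical on the mount option string, and neither this hunk nor the comment in `contains_dotdot()` says so. The path is presumably still resolved on the host afterwards, so a symlink below the hostfs root could lead outside it without the option ever containing `..`. It is worth stating that next to the check, e.g. `/* Lexical filter only: symlinks under the hostfs root are not resolved here. */`. `hostfs_fill_sb_common()` starts before and continues after the hunk, so whether the `out` label is safe to reach this early cannot be confirmed from the visible lines.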