From: Paolo 'Blaisorblade' Giarrusso <[EMAIL PROTECTED]>
Avoid accepting things like -o .., -o dir/../../dir2, -o dir/../.. .
This may be considered useless, but YMMV. I consider that this has a limited
security value, exactly like disabling module support (in many case it is
useful).
Signed-off-by: Paolo 'Blaisorblade' Giarrusso <[EMAIL PROTECTED]>
---
fs/hostfs/hostfs_kern.c | 26 ++++++++++++++++++++++++++
1 files changed, 26 insertions(+), 0 deletions(-)
diff --git a/fs/hostfs/hostfs_kern.c b/fs/hostfs/hostfs_kern.c
index 9baf697..0bcf7ac 100644
--- a/fs/hostfs/hostfs_kern.c
+++ b/fs/hostfs/hostfs_kern.c
@@ -936,6 +936,28 @@ static const struct address_space_operations
hostfs_link_aops = {
.readpage = hostfs_link_readpage,
};
+static inline int str_ends_with(const char * str, const char* suffix)
+{
+ size_t len = strlen(str), suffix_len = strlen(suffix);
+ return strcmp(str + len - suffix_len, suffix) == 0;
+}
+
+static int contains_dotdot(const char* path)
+{
+ /*
+ * Prevent escaping from hostfs=folder, even if this is not useful to
+ * jail the UML superuser.
+ * Since foo..bar is a valid name, we must look for /../ in the string,
+ * or for ../ at the beginning, /.. at the end, or check whether '..' is
+ * the complete string.
+ */
+
+ return strstr(path, "/../") != NULL ||
+ strcmp(path, "..") == 0 ||
+ strncmp(path, "../", strlen("../")) == 0 ||
+ str_ends_with(path, "/..");
+}
+
static int hostfs_fill_sb_common(struct super_block *sb, void *d, int silent)
{
struct inode *root_inode;
@@ -951,6 +973,10 @@ static int hostfs_fill_sb_common(struct super_block *sb,
void *d, int silent)
if (data == NULL)
data = "";
+ err = -EINVAL;
+ if (unlikely(contains_dotdot(data)))
+ goto out;
+
err = -ENOMEM;
name = kmalloc(strlen(root_ino) + 1
+ strlen(data) + 1, GFP_KERNEL);
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
