[PATCH 04/11] uml - hostfs: avoid possible escapes from hostfs=.

From: Paolo 'Blaisorblade' Giarrusso
Date: Mon Mar 05 2007 - 16:01:58 EST

Next message: Paolo 'Blaisorblade' Giarrusso: "[PATCH 08/11] uml: mark both consoles as CON_ANYTIME"
Previous message: Paolo 'Blaisorblade' Giarrusso: "[PATCH 07/11] uml: remove dead code about os_usr1_signal() and os_usr1_process()"
In reply to: Paolo 'Blaisorblade' Giarrusso: "[PATCH 07/11] uml: remove dead code about os_usr1_signal() and os_usr1_process()"
Next in thread: Jeff Dike: "Re: [PATCH 04/11] uml - hostfs: avoid possible escapes from hostfs=."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Paolo 'Blaisorblade' Giarrusso <blaisorblade@xxxxxxxx>

Avoid accepting things like -o .., -o dir/../../dir2, -o dir/../.. .
This may be considered useless, but YMMV. I consider that this has a limited
security value, exactly like disabling module support (in many case it is
useful).

Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@xxxxxxxx>
---

fs/hostfs/hostfs_kern.c | 26 ++++++++++++++++++++++++++
1 files changed, 26 insertions(+), 0 deletions(-)

diff --git a/fs/hostfs/hostfs_kern.c b/fs/hostfs/hostfs_kern.c
index 9baf697..0bcf7ac 100644
--- a/fs/hostfs/hostfs_kern.c
+++ b/fs/hostfs/hostfs_kern.c
@@ -936,6 +936,28 @@ static const struct address_space_operations hostfs_link_aops = {
.readpage = hostfs_link_readpage,
};

+static inline int str_ends_with(const char * str, const char* suffix)
+{
+ size_t len = strlen(str), suffix_len = strlen(suffix);
+ return strcmp(str + len - suffix_len, suffix) == 0;
+}
+
+static int contains_dotdot(const char* path)
+{
+ /*
+ * Prevent escaping from hostfs=folder, even if this is not useful to
+ * jail the UML superuser.
+ * Since foo..bar is a valid name, we must look for /../ in the string,
+ * or for ../ at the beginning, /.. at the end, or check whether '..' is
+ * the complete string.
+ */
+
+ return strstr(path, "/../") != NULL ||
+ strcmp(path, "..") == 0 ||
+ strncmp(path, "../", strlen("../")) == 0 ||
+ str_ends_with(path, "/..");
+}
+
static int hostfs_fill_sb_common(struct super_block *sb, void *d, int silent)
{
struct inode *root_inode;
@@ -951,6 +973,10 @@ static int hostfs_fill_sb_common(struct super_block *sb, void *d, int silent)
if (data == NULL)
data = "";

+ err = -EINVAL;
+ if (unlikely(contains_dotdot(data)))
+ goto out;
+
err = -ENOMEM;
name = kmalloc(strlen(root_ino) + 1
+ strlen(data) + 1, GFP_KERNEL);

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Paolo 'Blaisorblade' Giarrusso: "[PATCH 08/11] uml: mark both consoles as CON_ANYTIME"
Previous message: Paolo 'Blaisorblade' Giarrusso: "[PATCH 07/11] uml: remove dead code about os_usr1_signal() and os_usr1_process()"
In reply to: Paolo 'Blaisorblade' Giarrusso: "[PATCH 07/11] uml: remove dead code about os_usr1_signal() and os_usr1_process()"
Next in thread: Jeff Dike: "Re: [PATCH 04/11] uml - hostfs: avoid possible escapes from hostfs=."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]