LKML Archive on lore.kernel.org
From: Greg Kroah-Hartman <gregkh@suse.de>
To: linux-kernel@vger.kernel.org
Cc: James Morris <jmorris@namei.org>,
Nagendra Singh Tomar <nagendra_tomar@adaptec.com>,
Tejun Heo <htejun@gmail.com>, Stephen Smalley <sds@tycho.nsa.gov>,
Eric Paris <eparis@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [PATCH 41/46] security: prevent permission checking of file removal via sysfs_remove_group()
Date: Fri, 27 Apr 2007 11:53:55 -0700
Message-ID: <11777001931075-git-send-email-gregkh@suse.de>
In-Reply-To: <11777001891914-git-send-email-gregkh@suse.de>
From: James Morris <jmorris@namei.org>
Prevent permission checking from being performed when the kernel wants to
unconditionally remove a sysfs group, by introducing a kernel-only variant
of lookup_one_len(), lookup_one_len_kern().
Additionally, as sysfs_remove_group() does not check the return value of
the lookup before using it, a BUG_ON has been added to pinpoint the cause
of any problems potentially caused by this (and as a form of annotation).
Signed-off-by: James Morris <jmorris@namei.org>
Cc: Nagendra Singh Tomar <nagendra_tomar@adaptec.com>
Cc: Tejun Heo <htejun@gmail.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Eric Paris <eparis@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/namei.c | 72 +++++++++++++++++++++++++++++++++++-------------
fs/sysfs/group.c | 6 +++-
include/linux/namei.h | 1 +
3 files changed, 57 insertions(+), 22 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index ee60cc4..880052c 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1243,22 +1243,13 @@ int __user_path_lookup_open(const char __user *name, unsigned int lookup_flags,
return err;
}
-/*
- * Restricted form of lookup. Doesn't follow links, single-component only,
- * needs parent already locked. Doesn't follow mounts.
- * SMP-safe.
- */
-static struct dentry * __lookup_hash(struct qstr *name, struct dentry * base, struct nameidata *nd)
+static inline struct dentry *__lookup_hash_kern(struct qstr *name, struct dentry *base, struct nameidata *nd)
{
- struct dentry * dentry;
+ struct dentry *dentry;
struct inode *inode;
int err;
inode = base->d_inode;
- err = permission(inode, MAY_EXEC, nd);
- dentry = ERR_PTR(err);
- if (err)
- goto out;
/*
* See if the low-level filesystem might want
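
Review bot: __lookup_hash_kern() is left without any comment once the "Restricted form of lookup" block above it is removed, even though it is now the variant that skips permission(inode, MAY_EXEC, nd). Suggest a short comment on the new function saying that it performs no permission check and is meant only for lookups the kernel itself initiates, and that the constraints from the old comment (single component, parent already locked, no link or mount following) still apply to it. Given the line range the two hunk headers show for this function, plain static rather than static inline looks more appropriate for something with two callers.
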
@@ -1287,35 +1278,76 @@ out:
return dentry;
}
+/*
+ * Restricted form of lookup. Doesn't follow links, single-component only,
+ * needs parent already locked. Doesn't follow mounts.
+ * SMP-safe.
+ */
+static inline struct dentry * __lookup_hash(struct qstr *name, struct dentry *base, struct nameidata *nd)
+{
+ struct dentry *dentry;
+ struct inode *inode;
+ int err;
+
+ inode = base->d_inode;
+
+ err = permission(inode, MAY_EXEC, nd);
+ dentry = ERR_PTR(err);
+ if (err)
+ goto out;
+
+ dentry = __lookup_hash_kern(name, base, nd);
+out:
+ return dentry;
+}
+
static struct dentry *lookup_hash(struct nameidata *nd)
{
return __lookup_hash(&nd->last, nd->dentry, nd);
}
/* SMP-safe */
-struct dentry * lookup_one_len(const char * name, struct dentry * base, int len)
+static inline int __lookup_one_len(const char *name, struct qstr *this, struct dentry *base, int len)
{
unsigned long hash;
- struct qstr this;
unsigned int c;
- this.name = name;
- this.len = len;
+ this->name = name;
+ this->len = len;
if (!len)
- goto access;
+ return -EACCES;
hash = init_name_hash();
while (len--) {
c = *(const unsigned char *)name++;
if (c == '/' || c == '\0')
- goto access;
+ return -EACCES;
hash = partial_name_hash(c, hash);
}
- this.hash = end_name_hash(hash);
+ this->hash = end_name_hash(hash);
+ return 0;
+}
+struct dentry *lookup_one_len(const char *name, struct dentry *base, int len)
+{
+ int err;
+ struct qstr this;
+
+ err = __lookup_one_len(name, &this, base, len);
+ if (err)
+ return ERR_PTR(err);
return __lookup_hash(&this, base, NULL);
-access:
- return ERR_PTR(-EACCES);
+}
+
+struct dentry *lookup_one_len_kern(const char *name, struct dentry *base, int len)
+{
+ int err;
+ struct qstr this;
+
+ err = __lookup_one_len(name, &this, base, len);
+ if (err)
+ return ERR_PTR(err);
+ return __lookup_hash_kern(&this, base, NULL);
}
/*
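
Review bot: lookup_one_len_kern() is added as a non-static function with no comment stating that it skips the permission(inode, MAY_EXEC, nd) check that lookup_one_len() still gets through __lookup_hash(). The two names differ only by a suffix, so a comment above the definition saying it must only be used for kernel-initiated lookups would help keep it out of paths driven by user requests. Separately, the base argument of __lookup_one_len() is not used in the lines shown and could be dropped, and the new __lookup_hash() could return ERR_PTR(err) directly instead of going through the dentry assignment and the out: label.
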
diff --git a/fs/sysfs/group.c b/fs/sysfs/group.c
index b20951c..52eed2a 100644
--- a/fs/sysfs/group.c
+++ b/fs/sysfs/group.c
@@ -70,9 +70,11 @@ void sysfs_remove_group(struct kobject * kobj,
{
struct dentry * dir;
- if (grp->name)
- dir = lookup_one_len(grp->name, kobj->dentry,
+ if (grp->name) {
+ dir = lookup_one_len_kern(grp->name, kobj->dentry,
strlen(grp->name));
+ BUG_ON(IS_ERR(dir));
+ }
else
dir = dget(kobj->dentry);
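
Review bot: BUG_ON(IS_ERR(dir)) in the grp->name branch turns a failed lookup during group removal into a kernel halt. Since sysfs_remove_group() returns void, a WARN_ON(IS_ERR(dir)) followed by an early return would give the same diagnostic without taking the machine down. Style point: now that the if branch has braces, the else should be written as "} else {" with braces of its own.
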
diff --git a/include/linux/namei.h b/include/linux/namei.h
index d39a5a6..b7dd249 100644
--- a/include/linux/namei.h
+++ b/include/linux/namei.h
@@ -82,6 +82,7 @@ extern struct file *nameidata_to_filp(struct nameidata *nd, int flags);
extern void release_open_intent(struct nameidata *);
extern struct dentry * lookup_one_len(const char *, struct dentry *, int);
+extern struct dentry *lookup_one_len_kern(const char *, struct dentry *, int);
extern int follow_down(struct vfsmount **, struct dentry **);
extern int follow_up(struct vfsmount **, struct dentry **);
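
Review bot: the new lookup_one_len_kern() declaration sits directly beside lookup_one_len() with nothing to tell a reader of the header that this one bypasses permission checking. A one-line comment on it, along the lines of "no permission check, kernel-internal callers only", would make the difference visible at the place where callers look up the prototype.
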
--
1.5.1.2