1
From: Jeff Mahoney <jeffm@suse.com>
2
Date: Fri, 23 Apr 2010 13:17:37 -0400
3
Subject: [PATCH] reiserfs: fix permissions on .reiserfs_priv
5
commit cac36f707119b792b2396aed371d6b5cdc194890 upstream.
7
Commit 677c9b2e393a0cd203bd54e9c18b012b2c73305a ("reiserfs: remove
8
privroot hiding in lookup") removed the magic from the lookup code to hide
9
the .reiserfs_priv directory since it was getting loaded at mount-time
10
instead. The intent was that the entry would be hidden from the user via
11
a poisoned d_compare, but this was faulty.
13
This introduced a security issue where unprivileged users could access and
14
modify extended attributes or ACLs belonging to other users, including
17
This patch resolves the issue by properly hiding .reiserfs_priv. This was
18
the intent of the xattr poisoning code, but it appears to have never
19
worked as expected. This is fixed by using d_revalidate instead of
22
This patch makes -oexpose_privroot a no-op. I'm fine leaving it this way.
23
The effort involved in working out the corner cases wrt permissions and
24
caching outweigh the benefit of the feature.
26
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
27
Acked-by: Edward Shishkin <edward.shishkin@gmail.com>
28
Reported-by: Matt McCutchen <matt@mattmccutchen.net>
29
Tested-by: Matt McCutchen <matt@mattmccutchen.net>
30
Cc: Frederic Weisbecker <fweisbec@gmail.com>
31
Cc: Al Viro <viro@zeniv.linux.org.uk>
32
Cc: <stable@kernel.org>
33
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
34
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
35
References: bnc#593906 CVE-2010-1146
37
fs/reiserfs/dir.c | 2 --
38
fs/reiserfs/xattr.c | 17 ++++-------------
39
2 files changed, 4 insertions(+), 15 deletions(-)
41
--- a/fs/reiserfs/dir.c
42
+++ b/fs/reiserfs/dir.c
43
@@ -45,8 +45,6 @@ static inline bool is_privroot_deh(struc
44
struct reiserfs_de_head *deh)
46
struct dentry *privroot = REISERFS_SB(dir->d_sb)->priv_root;
47
- if (reiserfs_expose_privroot(dir->d_sb))
49
return (dir == dir->d_parent && privroot->d_inode &&
50
deh->deh_objectid == INODE_PKEY(privroot->d_inode)->k_objectid);
52
--- a/fs/reiserfs/xattr.c
53
+++ b/fs/reiserfs/xattr.c
54
@@ -972,21 +972,13 @@ int reiserfs_permission(struct inode *in
55
return generic_permission(inode, mask, NULL);
58
-/* This will catch lookups from the fs root to .reiserfs_priv */
60
-xattr_lookup_poison(struct dentry *dentry, struct qstr *q1, struct qstr *name)
61
+static int xattr_hide_revalidate(struct dentry *dentry, struct nameidata *nd)
63
- struct dentry *priv_root = REISERFS_SB(dentry->d_sb)->priv_root;
64
- if (container_of(q1, struct dentry, d_name) == priv_root)
66
- if (q1->len == name->len &&
67
- !memcmp(q1->name, name->name, name->len))
73
static const struct dentry_operations xattr_lookup_poison_ops = {
74
- .d_compare = xattr_lookup_poison,
75
+ .d_revalidate = xattr_hide_revalidate,
78
int reiserfs_lookup_privroot(struct super_block *s)
79
@@ -1000,8 +992,7 @@ int reiserfs_lookup_privroot(struct supe
80
strlen(PRIVROOT_NAME));
81
if (!IS_ERR(dentry)) {
82
REISERFS_SB(s)->priv_root = dentry;
83
- if (!reiserfs_expose_privroot(s))
84
- s->s_root->d_op = &xattr_lookup_poison_ops;
85
+ dentry->d_op = &xattr_lookup_poison_ops;
87
dentry->d_inode->i_flags |= S_PRIVATE;