[PATCH] NULL pointer dereference in ecryptfs (ecryptfs_setxattr)

[PATCH] NULL pointer dereference in ecryptfs (ecryptfs_setxattr)

[Priya Bansal]

This patch fixes the issue which was found in
 ecryptfs_setxattr(). Previously, while trying to create a file when ecryptfs
 is mounted over ext4 filesystem  with  encrypted view enabled, the kernel
 crashes. the reason being the function fsstack_copy_attr_all was trying to
 access dentry->d_inode which was null hence the kernel crashes with NULL
 pointer dereference. Now a check has been applied which prevents such
 condition.

From 74856445756aba18f98aa5b98ad46e7d98f54737 Mon Sep 17 00:00:00 2001
From: Priya Bansal <p.bansal@samsung.com>
Date: Fri, 29 Aug 2014 10:27:27 +0530
Subject: [PATCH] Fix in ecryptfs_setxattr for NULL check before calling
 fsstack_copy_attr_all. This patch fixes the issue which was found in
 ecryptfs_setxattr(). Previously, while trying to create a file when ecryptfs
 is mounted over ext4 filesystem  with  encrypted view enabled, the kernel
 crashes. the reason being the function fsstack_copy_attr_all was trying to
 access dentry->d_inode which was null hence the kernel crashes with NULL
 pointer dereference. Now a check has been applied which prevents such
 condition.
Signed-off-by: Priya Bansal <p.bansal@samsung.com>
---
 linux-3.16.1/fs/ecryptfs/inode.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/linux-3.16.1/fs/ecryptfs/inode.c b/linux-3.16.1/fs/ecryptfs/inode.c
index d4a9431..7da03e5 100644
--- a/linux-3.16.1/fs/ecryptfs/inode.c
+++ b/linux-3.16.1/fs/ecryptfs/inode.c
@@ -1031,6 +1031,8 @@ ecryptfs_setxattr(struct dentry *dentry, const char *name, const void *value,
 {
  int rc = 0;
  struct dentry *lower_dentry;
+ struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
+  &ecryptfs_superblock_to_private(dentry->d_sb)->mount_crypt_stat;
 
  lower_dentry = ecryptfs_dentry_to_lower(dentry);
  if (!lower_dentry->d_inode->i_op->setxattr) {
@@ -1039,8 +1041,20 @@ ecryptfs_setxattr(struct dentry *dentry, const char *name, const void *value,
  }
 
  rc = vfs_setxattr(lower_dentry, name, value, size, flags);
- if (!rc)
-  fsstack_copy_attr_all(dentry->d_inode, lower_dentry->d_inode);
+ if (!rc) {
+  if (dentry->d_inode == NULL) {
+   if (mount_crypt_stat->flags
+     & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
+    rc = -EPERM;
+   else if (mount_crypt_stat->flags
+     & ECRYPTFS_XATTR_METADATA_ENABLED)
+    goto out;
+  } else {
+   fsstack_copy_attr_all(dentry->d_inode,
+     lower_dentry->d_inode);
+  }
+ }
+
 out:
  return rc;
 }
-- 
1.8.3.2

If you need any other details regarding this contribution, please contact me.  

Thanks & Regards 
Priya Bansal. 
E-mail: p.bansal@samsung.com

[PATCH] NULL pointer dereference in ecryptfs (ecryptfs_setxattr)

[Priya Bansal]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=windows-1252, Size: 2747 bytes --]

This patch fixes the issue which was found in
 ecryptfs_setxattr(). Previously, while trying to create a file when ecryptfs
 is mounted over ext4 filesystem  with  encrypted view enabled, the kernel
 crashes. the reason being the function fsstack_copy_attr_all was trying to
 access dentry->d_inode which was null hence the kernel crashes with NULL
 pointer dereference. Now a check has been applied which prevents such
 condition.

>From 74856445756aba18f98aa5b98ad46e7d98f54737 Mon Sep 17 00:00:00 2001
From: Priya Bansal <p.bansal@samsung.com>
Date: Fri, 29 Aug 2014 10:27:27 +0530
Subject: [PATCH] Fix in ecryptfs_setxattr for NULL check before calling
 fsstack_copy_attr_all. This patch fixes the issue which was found in
 ecryptfs_setxattr(). Previously, while trying to create a file when ecryptfs
 is mounted over ext4 filesystem  with  encrypted view enabled, the kernel
 crashes. the reason being the function fsstack_copy_attr_all was trying to
 access dentry->d_inode which was null hence the kernel crashes with NULL
 pointer dereference. Now a check has been applied which prevents such
 condition.
Signed-off-by: Priya Bansal <p.bansal@samsung.com>
---
 linux-3.16.1/fs/ecryptfs/inode.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/linux-3.16.1/fs/ecryptfs/inode.c b/linux-3.16.1/fs/ecryptfs/inode.c
index d4a9431..7da03e5 100644
--- a/linux-3.16.1/fs/ecryptfs/inode.c
+++ b/linux-3.16.1/fs/ecryptfs/inode.c
@@ -1031,6 +1031,8 @@ ecryptfs_setxattr(struct dentry *dentry, const char *name, const void *value,
 {
  int rc = 0;
  struct dentry *lower_dentry;
+ struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
+  &ecryptfs_superblock_to_private(dentry->d_sb)->mount_crypt_stat;
 
  lower_dentry = ecryptfs_dentry_to_lower(dentry);
  if (!lower_dentry->d_inode->i_op->setxattr) {
@@ -1039,8 +1041,20 @@ ecryptfs_setxattr(struct dentry *dentry, const char *name, const void *value,
  }
 
  rc = vfs_setxattr(lower_dentry, name, value, size, flags);
- if (!rc)
-  fsstack_copy_attr_all(dentry->d_inode, lower_dentry->d_inode);
+ if (!rc) {
+  if (dentry->d_inode == NULL) {
+   if (mount_crypt_stat->flags
+     & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
+    rc = -EPERM;
+   else if (mount_crypt_stat->flags
+     & ECRYPTFS_XATTR_METADATA_ENABLED)
+    goto out;
+  } else {
+   fsstack_copy_attr_all(dentry->d_inode,
+     lower_dentry->d_inode);
+  }
+ }
+
 out:
  return rc;
 }
-- 
1.8.3.2

If you need any other details regarding this contribution, please contact me.  

Thanks & Regards 
Priya Bansal. 
E-mail: p.bansal@samsung.com
ÿôèº{.nÇ+‰·Ÿ®‰­†+%ŠËÿ±éݶ\x17¥Šwÿº{.nÇ+‰·¥Š{±þG«éÿŠ{ayº\x1dʇڙë,j\a­¢f£¢·hšïêÿ‘êçz_è®\x03(­éšŽŠÝ¢j"ú\x1a¶^[m§ÿÿ¾\a«þG«éÿ¢¸?™¨è­Ú&£ø§~á¶iO•æ¬z·švØ^\x14\x04\x1a¶^[m§ÿÿÃ\fÿ¶ìÿ¢¸?–I¥

Re: [PATCH] NULL pointer dereference in ecryptfs (ecryptfs_setxattr)

[Tyler Hicks]

[-- Attachment #1: Type: text/plain, Size: 3476 bytes --]

Hi Priya - Thanks for the report and patch. I have some inline comments.

On 2014-09-24 06:58:01, Priya Bansal wrote:
> This patch fixes the issue which was found in
>  ecryptfs_setxattr(). Previously, while trying to create a file when ecryptfs
>  is mounted over ext4 filesystem  with  encrypted view enabled, the kernel
>  crashes. the reason being the function fsstack_copy_attr_all was trying to
>  access dentry->d_inode which was null hence the kernel crashes with NULL
>  pointer dereference. Now a check has been applied which prevents such
>  condition.
> 
> From 74856445756aba18f98aa5b98ad46e7d98f54737 Mon Sep 17 00:00:00 2001
> From: Priya Bansal <p.bansal@samsung.com>
> Date: Fri, 29 Aug 2014 10:27:27 +0530
> Subject: [PATCH] Fix in ecryptfs_setxattr for NULL check before calling
>  fsstack_copy_attr_all. This patch fixes the issue which was found in
>  ecryptfs_setxattr(). Previously, while trying to create a file when ecryptfs
>  is mounted over ext4 filesystem  with  encrypted view enabled, the kernel
>  crashes. the reason being the function fsstack_copy_attr_all was trying to
>  access dentry->d_inode which was null hence the kernel crashes with NULL
>  pointer dereference. Now a check has been applied which prevents such
>  condition.
> Signed-off-by: Priya Bansal <p.bansal@samsung.com>

This commit message is poorly formatted. Have a look at the
"15) The canonical patch format" section of the
Documentation/SubmittingPatches file. It gives a nice description of how
the commit message should be formatted.

> ---
>  linux-3.16.1/fs/ecryptfs/inode.c | 18 ++++++++++++++++--
>  1 file changed, 16 insertions(+), 2 deletions(-)
> diff --git a/linux-3.16.1/fs/ecryptfs/inode.c b/linux-3.16.1/fs/ecryptfs/inode.c
> index d4a9431..7da03e5 100644
> --- a/linux-3.16.1/fs/ecryptfs/inode.c
> +++ b/linux-3.16.1/fs/ecryptfs/inode.c
> @@ -1031,6 +1031,8 @@ ecryptfs_setxattr(struct dentry *dentry, const char *name, const void *value,
>  {
>   int rc = 0;
>   struct dentry *lower_dentry;
> + struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
> +  &ecryptfs_superblock_to_private(dentry->d_sb)->mount_crypt_stat;
>  
>   lower_dentry = ecryptfs_dentry_to_lower(dentry);
>   if (!lower_dentry->d_inode->i_op->setxattr) {
> @@ -1039,8 +1041,20 @@ ecryptfs_setxattr(struct dentry *dentry, const char *name, const void *value,
>   }
>  
>   rc = vfs_setxattr(lower_dentry, name, value, size, flags);
> - if (!rc)
> -  fsstack_copy_attr_all(dentry->d_inode, lower_dentry->d_inode);
> + if (!rc) {
> +  if (dentry->d_inode == NULL) {
> +   if (mount_crypt_stat->flags
> +     & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
> +    rc = -EPERM;
> +   else if (mount_crypt_stat->flags
> +     & ECRYPTFS_XATTR_METADATA_ENABLED)
> +    goto out;
> +  } else {
> +   fsstack_copy_attr_all(dentry->d_inode,
> +     lower_dentry->d_inode);
> +  }
> + }
> +
>  out:
>   return rc;
>  }
> -- 

I don't think this is the proper fix. It fixes the NULL pointer
dereference but ecryptfs_setxattr() shouldn't be reachable in encrypted
view mounts. There's a feeble attempt to prevent the modification of
files in ecryptfs_open() when encrypted view is in use but I think we
should force the MS_RDONLY flag on the superblock when the
ecryptfs_encrypted_view mount option is specified.

I'll follow this email up with a patch. I'd appreciate any review and/or
testing you can provide. Thanks!

Tyler

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

[PATCH] eCryptfs: Force RO mount when encrypted view is enabled

[Tyler Hicks]

The ecryptfs_encrypted_view mount option greatly changes the
functionality of an eCryptfs mount. Instead of encrypting and decrypting
lower files, it provides a unified view of the encrypted files in the
lower filesystem. The presence of the ecryptfs_encrypted_view mount
option is intended to force a read-only mount and modifying files is not
supported when the feature is in use. See the following commit for more
information:

  e77a56d [PATCH] eCryptfs: Encrypted passthrough

This patch forces the mount to be read-only when the
ecryptfs_encrypted_view mount option is specified by setting the
MS_RDONLY flag on the superblock. Additionally, this patch removes some
broken logic in ecryptfs_open() that attempted to prevent modifications
of files when the encrypted view feature was in use. The check in
ecryptfs_open() was not sufficient to prevent file modifications using
system calls that do not operate on a file descriptor.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Priya Bansal <p.bansal@samsung.com>
---
 fs/ecryptfs/file.c | 12 ------------
 fs/ecryptfs/main.c | 16 +++++++++++++---
 2 files changed, 13 insertions(+), 15 deletions(-)

diff --git a/fs/ecryptfs/file.c b/fs/ecryptfs/file.c
index b4b6ab9..e466640 100644
--- a/fs/ecryptfs/file.c
+++ b/fs/ecryptfs/file.c
@@ -190,23 +190,11 @@ static int ecryptfs_open(struct inode *inode, struct file *file)
 {
 	int rc = 0;
 	struct ecryptfs_crypt_stat *crypt_stat = NULL;
-	struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
 	struct dentry *ecryptfs_dentry = file->f_path.dentry;
 	/* Private value of ecryptfs_dentry allocated in
 	 * ecryptfs_lookup() */
 	struct ecryptfs_file_info *file_info;
 
-	mount_crypt_stat = &ecryptfs_superblock_to_private(
-		ecryptfs_dentry->d_sb)->mount_crypt_stat;
-	if ((mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
-	    && ((file->f_flags & O_WRONLY) || (file->f_flags & O_RDWR)
-		|| (file->f_flags & O_CREAT) || (file->f_flags & O_TRUNC)
-		|| (file->f_flags & O_APPEND))) {
-		printk(KERN_WARNING "Mount has encrypted view enabled; "
-		       "files may only be read\n");
-		rc = -EPERM;
-		goto out;
-	}
 	/* Released in ecryptfs_release or end of function if failure */
 	file_info = kmem_cache_zalloc(ecryptfs_file_info_cache, GFP_KERNEL);
 	ecryptfs_set_file_private(file, file_info);
diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c
index 1b119d3..34eb843 100644
--- a/fs/ecryptfs/main.c
+++ b/fs/ecryptfs/main.c
@@ -493,6 +493,7 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
 {
 	struct super_block *s;
 	struct ecryptfs_sb_info *sbi;
+	struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
 	struct ecryptfs_dentry_info *root_info;
 	const char *err = "Getting sb failed";
 	struct inode *inode;
@@ -511,6 +512,7 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
 		err = "Error parsing options";
 		goto out;
 	}
+	mount_crypt_stat = &sbi->mount_crypt_stat;
 
 	s = sget(fs_type, NULL, set_anon_super, flags, NULL);
 	if (IS_ERR(s)) {
@@ -557,11 +559,19 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
 
 	/**
 	 * Set the POSIX ACL flag based on whether they're enabled in the lower
-	 * mount. Force a read-only eCryptfs mount if the lower mount is ro.
-	 * Allow a ro eCryptfs mount even when the lower mount is rw.
+	 * mount.
 	 */
 	s->s_flags = flags & ~MS_POSIXACL;
-	s->s_flags |= path.dentry->d_sb->s_flags & (MS_RDONLY | MS_POSIXACL);
+	s->s_flags |= path.dentry->d_sb->s_flags & MS_POSIXACL;
+
+	/**
+	 * Force a read-only eCryptfs mount when:
+	 *   1) The lower mount is ro
+	 *   2) The ecryptfs_encrypted_view mount option is specified
+	 */
+	if (path.dentry->d_sb->s_flags & MS_RDONLY ||
+	    mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
+		s->s_flags |= MS_RDONLY;
 
 	s->s_maxbytes = path.dentry->d_sb->s_maxbytes;
 	s->s_blocksize = path.dentry->d_sb->s_blocksize;
-- 
2.1.0