linux-alpha.vger.kernel.org archive mirror
From: Dave Chinner <david@fromorbit.com>
To: Jann Horn <jannh@google.com>
Cc: Richard Henderson <rth@twiddle.net>,
	Ivan Kokshaysky <ink@jurassic.park.msu.ru>,
	Matt Turner <mattst88@gmail.com>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	linux-fsdevel@vger.kernel.org,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Theodore Ts'o <tytso@mit.edu>,
	Andreas Dilger <adilger.kernel@dilger.ca>,
	linux-alpha@vger.kernel.org, linux-kernel@vger.kernel.org,
	Pavel Machek <pavel@ucw.cz>
Subject: Re: [PATCH v3 1/2] fs: don't let getdents return bogus names
Date: Tue, 15 Jan 2019 11:00:46 +1100
Message-ID: <20190115000046.GR27534@dastard>
In-Reply-To: <20190114182318.110443-1-jannh@google.com>

On Mon, Jan 14, 2019 at 07:23:17PM +0100, Jann Horn wrote:
> When you e.g. run `find` on a directory for which getdents returns
> "filenames" that contain slashes, `find` passes those "filenames" back to
> the kernel, which then interprets them as paths. That could conceivably
> cause userspace to do something bad when accessing something like an
> untrusted USB stick, but I'm not aware of any specific example.
> 
> Instead of returning bogus filenames to userspace, return -EUCLEAN.

Please don't use EUCLEAN directly to indicate filesystem corruption.
If we want to indicate that the filesystem is corrupted,
please hoist the multiple XFS/ext4 definitions of:

#define EFSCORRUPTED EUCLEAN

up into include/uapi/asm-generic/errno.h and then use EFSCORRUPTED
in all the places where we want to indicate to userspace that the
filesystem is corrupted. That tells both the code reader and the
userspace developers that it's a corruption error and puts context
to the "structure needs cleaning" text that goes along with it...

Cheers,

Dave.
-- 
Dave Chinner
david@fromorbit.com
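
Added example, not part of the original message or of the patch under review: a userspace caller that treats EUCLEAN from a directory read as a corruption error under the EFSCORRUPTED name, and refuses entry names that would be reinterpreted as paths. It assumes Linux; the helper names name_is_single_component and count_entries_checked are hypothetical, and the empty-name check is an assumption beyond the slash case described above.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Local alias mirroring the XFS/ext4 define quoted above (Linux errno). */
#ifndef EFSCORRUPTED
#define EFSCORRUPTED EUCLEAN
#endif

/* Hypothetical helper: 1 if name is one non-empty path component, else 0. */
int name_is_single_component(const char *name)
{
    return name[0] != '\0' && strchr(name, '/') == NULL;
}

/* Hypothetical helper: number of entries in path, or -errno on failure.
 * -EFSCORRUPTED covers both a kernel-reported error and a bogus name. */
long count_entries_checked(const char *path)
{
    DIR *d = opendir(path);
    struct dirent *de;
    long n = 0;
    int err;
    if (!d)
        return -errno;
    for (;;) {
        errno = 0;  /* readdir() returns NULL at EOF and on error */
        de = readdir(d);
        if (!de)
            break;
        if (!name_is_single_component(de->d_name)) {
            errno = EFSCORRUPTED;  /* would be reinterpreted as a path */
            break;
        }
        n++;
    }
    err = errno;
    closedir(d);
    return err ? -err : n;
}

int main(int argc, char **argv)
{
    long r = count_entries_checked(argc > 1 ? argv[1] : ".");
    if (r < 0)
        fprintf(stderr, "error: %s\n", strerror((int)-r));
    return r < 0;
}
```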

Thread overview: 4+ messages
2019-01-14 18:23 [PATCH v3 1/2] fs: don't let getdents return bogus names Jann Horn
2019-01-14 18:23 ` [PATCH v3 2/2] fs: let filldir_t return bool instead of an error code Jann Horn
2019-01-15  0:00 ` Dave Chinner [this message]
2019-01-18 16:22   ` [PATCH v3 1/2] fs: don't let getdents return bogus names Jann Horn
