From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Dave Kleikamp <shaggy@linux.vnet.ibm.com>
Subject: [44/54] jfs: dont allow os2 xattr namespace overlap with others
Date: Wed, 11 Aug 2010 17:00:59 -0700 [thread overview]
Message-ID: <20100812000127.330085844@clark.site> (raw)
In-Reply-To: <20100812000249.GA30948@kroah.com>
2.6.34-stable review patch. If anyone has any objections, please let us know.
------------------
From: Dave Kleikamp <shaggy@linux.vnet.ibm.com>
commit aca0fa34bdaba39bfddddba8ca70dba4782e8fe6 upstream.
It's currently possible to bypass xattr namespace access rules by
prefixing valid xattr names with "os2.", since the os2 namespace stores
extended attributes in a legacy format with no prefix.
This patch adds checking to deny access to any valid namespace prefix
following "os2.".
Signed-off-by: Dave Kleikamp <shaggy@linux.vnet.ibm.com>
Reported-by: Sergey Vlasov <vsu@altlinux.ru>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/jfs/xattr.c | 87 ++++++++++++++++++++++++---------------------------------
1 file changed, 38 insertions(+), 49 deletions(-)
--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -86,46 +86,25 @@ struct ea_buffer {
#define EA_MALLOC 0x0008
+static int is_known_namespace(const char *name)
+{
+ if (strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN) &&
+ strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) &&
+ strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) &&
+ strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN))
+ return false;
+
+ return true;
+}
+
/*
* These three routines are used to recognize on-disk extended attributes
* that are in a recognized namespace. If the attribute is not recognized,
* "os2." is prepended to the name
*/
-static inline int is_os2_xattr(struct jfs_ea *ea)
+static int is_os2_xattr(struct jfs_ea *ea)
{
- /*
- * Check for "system."
- */
- if ((ea->namelen >= XATTR_SYSTEM_PREFIX_LEN) &&
- !strncmp(ea->name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
- return false;
- /*
- * Check for "user."
- */
- if ((ea->namelen >= XATTR_USER_PREFIX_LEN) &&
- !strncmp(ea->name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
- return false;
- /*
- * Check for "security."
- */
- if ((ea->namelen >= XATTR_SECURITY_PREFIX_LEN) &&
- !strncmp(ea->name, XATTR_SECURITY_PREFIX,
- XATTR_SECURITY_PREFIX_LEN))
- return false;
- /*
- * Check for "trusted."
- */
- if ((ea->namelen >= XATTR_TRUSTED_PREFIX_LEN) &&
- !strncmp(ea->name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN))
- return false;
- /*
- * Add any other valid namespace prefixes here
- */
-
- /*
- * We assume it's OS/2's flat namespace
- */
- return true;
+ return !is_known_namespace(ea->name);
}
static inline int name_size(struct jfs_ea *ea)
@@ -764,13 +743,23 @@ static int can_set_xattr(struct inode *i
if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
return can_set_system_xattr(inode, name, value, value_len);
+ if (!strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN)) {
+ /*
+ * This makes sure that we aren't trying to set an
+ * attribute in a different namespace by prefixing it
+ * with "os2."
+ */
+ if (is_known_namespace(name + XATTR_OS2_PREFIX_LEN))
+ return -EOPNOTSUPP;
+ return 0;
+ }
+
/*
* Don't allow setting an attribute in an unknown namespace.
*/
if (strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) &&
strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) &&
- strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) &&
- strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN))
+ strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
return -EOPNOTSUPP;
return 0;
@@ -952,19 +941,8 @@ ssize_t __jfs_getxattr(struct inode *ino
int xattr_size;
ssize_t size;
int namelen = strlen(name);
- char *os2name = NULL;
char *value;
- if (strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN) == 0) {
- os2name = kmalloc(namelen - XATTR_OS2_PREFIX_LEN + 1,
- GFP_KERNEL);
- if (!os2name)
- return -ENOMEM;
- strcpy(os2name, name + XATTR_OS2_PREFIX_LEN);
- name = os2name;
- namelen -= XATTR_OS2_PREFIX_LEN;
- }
-
down_read(&JFS_IP(inode)->xattr_sem);
xattr_size = ea_get(inode, &ea_buf, 0);
@@ -1002,8 +980,6 @@ ssize_t __jfs_getxattr(struct inode *ino
out:
up_read(&JFS_IP(inode)->xattr_sem);
- kfree(os2name);
-
return size;
}
@@ -1012,6 +988,19 @@ ssize_t jfs_getxattr(struct dentry *dent
{
int err;
+ if (strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN) == 0) {
+ /*
+ * skip past "os2." prefix
+ */
+ name += XATTR_OS2_PREFIX_LEN;
+ /*
+ * Don't allow retrieving properly prefixed attributes
+ * by prepending them with "os2."
+ */
+ if (is_known_namespace(name))
+ return -EOPNOTSUPP;
+ }
+
err = __jfs_getxattr(dentry->d_inode, name, data, buf_size);
return err;
next prev parent reply other threads:[~2010-08-12 0:22 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-08-12 0:02 [00/54] 2.6.34.4 -stable review Greg KH
2010-08-12 0:00 ` [01/54] x86, vmware: Preset lpj values when on VMware Greg KH
2010-08-14 12:22 ` Sven Joachim
2010-08-14 16:21 ` Alok Kataria
2010-08-12 0:00 ` [02/54] ata_piix: fix locking around SIDPR access Greg KH
2010-08-12 0:00 ` [03/54] powerpc: fix build with make 3.82 Greg KH
2010-08-12 0:00 ` [04/54] x86, kmmio/mmiotrace: Fix double free of kmmio_fault_pages Greg KH
2010-08-12 0:00 ` [05/54] x86/PCI: use host bridge _CRS info on ASRock ALiveSATA2-GLAN Greg KH
2010-08-12 0:00 ` [06/54] x86: Add memory modify constraints to xchg() and cmpxchg() Greg KH
2010-08-12 0:00 ` [07/54] staging: rt2870: Add USB ID for Belkin F6D4050 v2 Greg KH
2010-08-12 0:00 ` [08/54] Staging: line6: needs to select SND_PCM Greg KH
2010-08-12 0:00 ` [09/54] Staging: panel: Prevent double-calling of parport_release - fix oops Greg KH
2010-08-12 0:00 ` [10/54] PCI: Do not run NVidia quirks related to MSI with MSI disabled Greg KH
2010-08-12 0:00 ` [11/54] PCI: disable MSI on VIA K8M800 Greg KH
2010-08-12 0:00 ` [12/54] solos-pci: Fix race condition in tasklet RX handling Greg KH
2010-08-12 0:00 ` [13/54] splice: fix misuse of SPLICE_F_NONBLOCK Greg KH
2010-08-12 0:00 ` [14/54] Char: nozomi, fix tty->count counting Greg KH
2010-08-12 0:00 ` [15/54] Char: nozomi, set tty->driver_data appropriately Greg KH
2010-08-12 0:00 ` [16/54] mm: fix corruption of hibernation caused by reusing swap during image saving Greg KH
2010-08-12 0:00 ` [17/54] drivers/video/w100fb.c: ignore void return value / fix build failure Greg KH
2010-08-12 0:00 ` [18/54] iwlwifi: fix TX tracer Greg KH
2010-08-12 0:00 ` [19/54] ide-cd: Do not access completed requests in the irq handler Greg KH
2010-08-12 0:00 ` [20/54] md/raid10: fix deadlock with unaligned read during resync Greg KH
2010-08-12 0:00 ` [21/54] blkdev: cgroup whitelist permission fix Greg KH
2010-08-12 0:00 ` [22/54] eCryptfs: Handle ioctl calls with unlocked and compat functions Greg KH
2010-08-12 0:00 ` [23/54] ecryptfs: release reference to lower mount if interpose fails Greg KH
2010-08-12 0:00 ` [24/54] fs/ecryptfs/file.c: introduce missing free Greg KH
2010-08-12 0:00 ` [25/54] [ARM] pxa/cm-x300: fix ffuart registration Greg KH
2010-08-12 0:00 ` [26/54] signalfd: fill in ssi_int for posix timers and message queues Greg KH
2010-08-12 0:00 ` [27/54] bio, fs: update RWA_MASK, READA and SWRITE to match the corresponding BIO_RW_* bits Greg KH
2010-08-12 0:00 ` [28/54] smsc911x: Add spinlocks around registers access Greg KH
2010-08-12 0:00 ` [29/54] ARM: 6299/1: errata: TLBIASIDIS and TLBIMVAIS operations can broadcast a faulty ASID Greg KH
2010-08-12 0:00 ` [30/54] ARM: 6280/1: imx: Fix build failure when including <mach/gpio.h> without <linux/spinlock.h> Greg KH
2010-08-12 0:00 ` [31/54] USB: EHCI: remove PCI assumption Greg KH
2010-08-12 0:00 ` [32/54] USB: resizing usbmon binary interface buffer causes protection faults Greg KH
2010-08-12 0:00 ` [33/54] USB delay init quirk for logitech Harmony 700-series devices Greg KH
2010-08-12 0:00 ` [34/54] USB: serial: enabling support for Segway RMP in ftdi_sio Greg KH
2010-08-12 0:00 ` [35/54] USB: option: Huawei ETS 1220 support added Greg KH
2010-08-12 0:00 ` [36/54] USB: option: add huawei k3765 k4505 devices to work properly Greg KH
2010-08-12 0:00 ` [37/54] USB: ftdi_sio: device id for Navitator Greg KH
2010-08-12 0:00 ` [38/54] USB: cp210x: Add four new device IDs Greg KH
2010-08-12 0:00 ` [39/54] USB: usbtest: avoid to free coherent buffer in atomic context Greg KH
2010-08-12 0:00 ` [40/54] USB: fix thread-unsafe anchor utiliy routines Greg KH
2010-08-12 0:00 ` [41/54] drm/edid: Fix the HDTV hack sync adjustment Greg KH
2010-08-12 0:00 ` [42/54] Bluetooth: Added support for controller shipped with iMac i5 Greg KH
2010-08-12 0:00 ` [43/54] mtd: gen_nand: fix support for multiple chips Greg KH
2010-08-12 0:00 ` Greg KH [this message]
2010-08-12 0:01 ` [45/54] arp_notify: allow drivers to explicitly request a notification event Greg KH
2010-08-12 0:01 ` [46/54] xen: netfront: explicitly generate arp_notify event after migration Greg KH
2010-08-12 0:01 ` [47/54] net: Fix NETDEV_NOTIFY_PEERS to not conflict with NETDEV_BONDING_DESLAVE Greg KH
2010-08-12 0:01 ` [48/54] irq: Add new IRQ flag IRQF_NO_SUSPEND Greg KH
2010-08-12 0:01 ` [49/54] xen: Do not suspend IPI IRQs Greg KH
2010-08-12 0:01 ` [50/54] drm/i915: Use RSEN instead of HTPLG for tfp410 monitor detection Greg KH
2010-08-12 0:01 ` [51/54] i915: fix ironlake edp panel setup (v4) Greg KH
2010-08-12 0:01 ` [52/54] [SCSI] ibmvfc: Fix command completion handling Greg KH
2010-08-12 0:01 ` [53/54] [SCSI] ibmvfc: Reduce error recovery timeout Greg KH
2010-08-12 0:01 ` [54/54] md/raid1: delay reads that could overtake behind-writes Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100812000127.330085844@clark.site \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=shaggy@linux.vnet.ibm.com \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).