commit a45ea48e2bcd92c1f678b794f488ca0bda9835b8 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

afs: Fix characters allowed into cell names

The afs filesystem needs to prohibit certain characters from cell names,
such as '/', as these are used to form filenames in procfs, leading to
the following warning being generated:

WARNING: CPU: 0 PID: 3489 at fs/proc/generic.c:178

Fix afs_alloc_cell() to disallow nonprintable characters, '/', '@' and
names that begin with a dot.

Remove the check for "@cell" as that is then redundant.

This can be tested by running:

echo add foo/.bar 1.2.3.4 >/proc/fs/afs/cells

Note that we will also need to deal with:

- Names ending in ".invalid" shouldn't be passed to the DNS.

- Names that contain non-valid domainname chars shouldn't be passed to
the DNS.

- DNS replies that say "your-dns-needs-immediate-attention.<gTLD>" and
replies containing A records that say 127.0.53.53 should be
considered invalid.
[https://www.icann.org/en/system/files/files/name-collision-mitigation-01aug14-en.pdf]

but these need to be dealt with by the kafs-client DNS program rather
than the kernel.

Reported-by: syzbot+b904ba7c947a37b4b291@syzkaller.appspotmail.com
Cc: stable@kernel.org
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by David Howells and committed by Linus Torvalds 6 years ago a45ea48e 2821e26f

options

unified split

Changed files

+10 -1

afs

cell.c

+10 -1

fs/afs/cell.c

··· 134 134 _leave(" = -ENAMETOOLONG"); 135 135 return ERR_PTR(-ENAMETOOLONG); 136 136 } 137 - if (namelen == 5 && memcmp(name, "@cell", 5) == 0) 137 + 138 + /* Prohibit cell names that contain unprintable chars, '/' and '@' or 139 + * that begin with a dot. This also precludes "@cell". 140 + */ 141 + if (name[0] == '.') 138 142 return ERR_PTR(-EINVAL); 143 + for (i = 0; i < namelen; i++) { 144 + char ch = name[i]; 145 + if (!isprint(ch) || ch == '/' || ch == '@') 146 + return ERR_PTR(-EINVAL); 147 + } 139 148 140 149 _enter("%*.*s,%s", namelen, namelen, name, addresses); 141 150