commit aca0fa34bdaba39bfddddba8ca70dba4782e8fe6

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

jfs: don't allow os2 xattr namespace overlap with others

It's currently possible to bypass xattr namespace access rules by
prefixing valid xattr names with "os2.", since the os2 namespace stores
extended attributes in a legacy format with no prefix.

This patch adds checking to deny access to any valid namespace prefix
following "os2.".

Signed-off-by: Dave Kleikamp <shaggy@linux.vnet.ibm.com>
Reported-by: Sergey Vlasov <vsu@altlinux.ru>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Dave Kleikamp and committed by

Linus Torvalds 15 years ago aca0fa34 2f9e825d

+38 -49

1 changed file

expand all

unified split

jfs

xattr.c

+38 -49

fs/jfs/xattr.c

··· 86 #define EA_MALLOC 0x0008 87 88 89 /* 90 * These three routines are used to recognize on-disk extended attributes 91 * that are in a recognized namespace. If the attribute is not recognized, 92 * "os2." is prepended to the name 93 */ 94 - static inline int is_os2_xattr(struct jfs_ea *ea) 95 { 96 - /* 97 - * Check for "system." 98 - */ 99 - if ((ea->namelen >= XATTR_SYSTEM_PREFIX_LEN) && 100 - !strncmp(ea->name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN)) 101 - return false; 102 - /* 103 - * Check for "user." 104 - */ 105 - if ((ea->namelen >= XATTR_USER_PREFIX_LEN) && 106 - !strncmp(ea->name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) 107 - return false; 108 - /* 109 - * Check for "security." 110 - */ 111 - if ((ea->namelen >= XATTR_SECURITY_PREFIX_LEN) && 112 - !strncmp(ea->name, XATTR_SECURITY_PREFIX, 113 - XATTR_SECURITY_PREFIX_LEN)) 114 - return false; 115 - /* 116 - * Check for "trusted." 117 - */ 118 - if ((ea->namelen >= XATTR_TRUSTED_PREFIX_LEN) && 119 - !strncmp(ea->name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) 120 - return false; 121 - /* 122 - * Add any other valid namespace prefixes here 123 - */ 124 - 125 - /* 126 - * We assume it's OS/2's flat namespace 127 - */ 128 - return true; 129 } 130 131 static inline int name_size(struct jfs_ea *ea) ··· 743 if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN)) 744 return can_set_system_xattr(inode, name, value, value_len); 745 746 /* 747 * Don't allow setting an attribute in an unknown namespace. 748 */ 749 if (strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) && 750 strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) && 751 - strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) && 752 - strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN)) 753 return -EOPNOTSUPP; 754 755 return 0; ··· 941 int xattr_size; 942 ssize_t size; 943 int namelen = strlen(name); 944 - char *os2name = NULL; 945 char *value; 946 - 947 - if (strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN) == 0) { 948 - os2name = kmalloc(namelen - XATTR_OS2_PREFIX_LEN + 1, 949 - GFP_KERNEL); 950 - if (!os2name) 951 - return -ENOMEM; 952 - strcpy(os2name, name + XATTR_OS2_PREFIX_LEN); 953 - name = os2name; 954 - namelen -= XATTR_OS2_PREFIX_LEN; 955 - } 956 957 down_read(&JFS_IP(inode)->xattr_sem); 958 ··· 980 out: 981 up_read(&JFS_IP(inode)->xattr_sem); 982 983 - kfree(os2name); 984 - 985 return size; 986 } 987 ··· 987 size_t buf_size) 988 { 989 int err; 990 991 err = __jfs_getxattr(dentry->d_inode, name, data, buf_size); 992

··· 86 #define EA_MALLOC 0x0008 87 88 89 + static int is_known_namespace(const char *name) 90 + { 91 + if (strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN) && 92 + strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) && 93 + strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) && 94 + strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) 95 + return false; 96 + 97 + return true; 98 + } 99 + 100 /* 101 * These three routines are used to recognize on-disk extended attributes 102 * that are in a recognized namespace. If the attribute is not recognized, 103 * "os2." is prepended to the name 104 */ 105 + static int is_os2_xattr(struct jfs_ea *ea) 106 { 107 + return !is_known_namespace(ea->name); 108 } 109 110 static inline int name_size(struct jfs_ea *ea) ··· 764 if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN)) 765 return can_set_system_xattr(inode, name, value, value_len); 766 767 + if (!strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN)) { 768 + /* 769 + * This makes sure that we aren't trying to set an 770 + * attribute in a different namespace by prefixing it 771 + * with "os2." 772 + */ 773 + if (is_known_namespace(name + XATTR_OS2_PREFIX_LEN)) 774 + return -EOPNOTSUPP; 775 + return 0; 776 + } 777 + 778 /* 779 * Don't allow setting an attribute in an unknown namespace. 780 */ 781 if (strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) && 782 strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) && 783 + strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) 784 return -EOPNOTSUPP; 785 786 return 0; ··· 952 int xattr_size; 953 ssize_t size; 954 int namelen = strlen(name); 955 char *value; 956 957 down_read(&JFS_IP(inode)->xattr_sem); 958 ··· 1002 out: 1003 up_read(&JFS_IP(inode)->xattr_sem); 1004 1005 return size; 1006 } 1007 ··· 1011 size_t buf_size) 1012 { 1013 int err; 1014 + 1015 + if (strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN) == 0) { 1016 + /* 1017 + * skip past "os2." prefix 1018 + */ 1019 + name += XATTR_OS2_PREFIX_LEN; 1020 + /* 1021 + * Don't allow retrieving properly prefixed attributes 1022 + * by prepending them with "os2." 1023 + */ 1024 + if (is_known_namespace(name)) 1025 + return -EOPNOTSUPP; 1026 + } 1027 1028 err = __jfs_getxattr(dentry->d_inode, name, data, buf_size); 1029