From patchwork Fri Mar 12 18:23:09 2021
X-Patchwork-Submitter: Tim Gardner
X-Patchwork-Id: 1452337
From: Tim Gardner
To: kernel-team@lists.ubuntu.com
Subject: [PATCH] nfsd4: readdirplus shouldn't return parent of export
Date: Fri, 12 Mar 2021 11:23:09 -0700
Message-Id: <20210312182309.12421-2-tim.gardner@canonical.com>
In-Reply-To: <20210312182309.12421-1-tim.gardner@canonical.com>
References: <20210312182309.12421-1-tim.gardner@canonical.com>
List-Id: Kernel team discussions
From: "J. Bruce Fields"

CVE-2021-3178

If you export a subdirectory of a filesystem, a READDIRPLUS on the root of that export will return the filehandle of the parent with the ".." entry.

The filehandle is optional, so let's just not return the filehandle for ".." if we're at the root of an export.

Note that once the client learns one filehandle outside of the export, they can trivially access the rest of the export using further lookups. However, it is also not very difficult to guess filehandles outside of the export. So exporting a subdirectory of a filesystem should be considered equivalent to providing access to the entire filesystem. To avoid confusion, we recommend only exporting entire filesystems.

Reported-by: Youjipeng
Signed-off-by: J. Bruce Fields
Cc: stable@vger.kernel.org
Signed-off-by: Chuck Lever
(cherry picked from commit 51b2ee7d006a736a9126e8111d1f24e4fd0afaa6)
Signed-off-by: Tim Gardner
Acked-by: Stefan Bader
Acked-by: Kleber Sacilotto de Souza
---
 fs/nfsd/nfs3xdr.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c index aae514d40b64..1a9e177be158 100644 --- a/fs/nfsd/nfs3xdr.c +++ b/fs/nfsd/nfs3xdr.c @@ -849,9 +849,14 @@ compose_entry_fh(struct nfsd3_readdirres *cd, struct svc_fh *fhp, if (isdotent(name, namlen)) { if (namlen == 2) { dchild = dget_parent(dparent); - /* filesystem root - cannot return filehandle for ".." */ + /* + * Don't return filehandle for ".." if we're at + * the filesystem or export root: + */ if (dchild == dparent) goto out; + if (dparent == exp->ex_path.dentry) + goto out; } else dchild = dget(dparent); } else
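Review bot: the new export-root test (`if (dparent == exp->ex_path.dentry) goto out;`) runs after `dget_parent(dparent)` has already taken a reference on `dchild` and relies on the `out` label to release it, exactly as the pre-existing filesystem-root test on the line above does, so the two early exits are consistent; since `out:` is outside the hunk, confirm it performs the `dput(dchild)` for this new path too, otherwise every READDIRPLUS of an export root would leak a dentry reference. Testing `dparent == exp->ex_path.dentry` before calling `dget_parent()` would avoid taking and dropping the reference altogether and keep both checks next to the updated comment. On the description side, the subject says "nfsd4" while the only file touched is fs/nfsd/nfs3xdr.c, the NFSv3 READDIRPLUS encoder; a line in the message saying that this is the v3 path would save the next reader the same double-take.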
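The commit message's operational point, that a subdirectory export should be treated as exposing its whole filesystem and that exporting entire filesystems is the recommended configuration, can be turned into a routine configuration check. The following is an added example, not code from the patch, the kernel, or nfs-utils: it parses /etc/exports-format and /proc/mounts-format text and lists the export paths that are not themselves mount points. The sample exports and mounts text is constructed, the function names are my own, and exports(5) backslash line continuations are not handled.

```python
"""Flag NFS exports that are subdirectories of a filesystem rather than whole
filesystems (the configuration the CVE-2021-3178 commit message advises
against). Added example, not part of the kernel patch or of nfs-utils."""
import os
import re
import sys

# Constructed sample input (not from a real host): two whole-filesystem
# exports and two subdirectory exports, one of them with a quoted path.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/srv/nfs        10.0.0.0/8(ro,sync)
/srv/nfs/home   10.0.0.0/8(rw,sync,no_subtree_check)   # subdirectory of /srv/nfs
"/data/proj dir" *(rw)
/data           *(ro)
"""

SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /srv/nfs ext4 rw,relatime 0 0
/dev/sdc1 /data xfs rw,relatime 0 0
"""

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")
# First field of an exports line: either a double-quoted path or a bare token.
_EXPORT_PATH = re.compile(r'^\s*(?:"([^"]*)"|(\S+))')


def _unescape_mount_path(field):
    """/proc/mounts writes space, tab, newline and backslash as \\ooo octal."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountpoints(mounts_text):
    """Return the set of mount points from /proc/mounts-format text."""
    points = set()
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            points.add(_unescape_mount_path(fields[1]))
    return points


def parse_export_paths(exports_text):
    """Return the export paths from /etc/exports-format text.

    Comment and blank lines are skipped; only the first field (the path) is
    read, so client/option text and trailing comments are ignored.
    Backslash line continuations are not handled.
    """
    paths = []
    for line in exports_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _EXPORT_PATH.match(stripped)
        if m:
            paths.append(m.group(1) if m.group(1) is not None else m.group(2))
    return paths


def subdirectory_exports(exports_text, mounts_text):
    """Export paths that are not mount points, i.e. exports of a subdirectory
    of a larger filesystem; per the commit message each one should be treated
    as exposing its whole filesystem."""
    mounts = parse_mountpoints(mounts_text)
    return [p for p in parse_export_paths(exports_text)
            if os.path.normpath(p) not in mounts]


def main(argv):
    if len(argv) >= 3:
        with open(argv[1]) as ef, open(argv[2]) as mf:
            exports_text, mounts_text = ef.read(), mf.read()
    else:  # no files given: demonstrate on the constructed sample
        exports_text, mounts_text = SAMPLE_EXPORTS, SAMPLE_MOUNTS
    flagged = subdirectory_exports(exports_text, mounts_text)
    for path in flagged:
        print(f"{path}: subdirectory export; treat the whole filesystem as reachable")
    return 1 if flagged else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the constructed sample flag /srv/nfs/home and "/data/proj dir"; on a real NFS server, `python3 check_exports.py /etc/exports /proc/mounts` reports any export whose path is not a mount point, which is exactly the case the commit message says should be treated as exposing the entire filesystem regardless of this fix.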