diff options
| author | Al Viro <viro@zeniv.linux.org.uk> | 2025-01-03 09:20:35 +0300 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2025-01-28 03:25:24 +0300 |
| commit | 19e1dbdc6b9e9b069bef94c6856364781338eb76 (patch) | |
| tree | 6591ea74b1a9aa03a27681ed1d7e9d27726a1d05 | |
| parent | 464361133e6af521d1307ed89a54c4c181162c91 (diff) | |
| download | linux-19e1dbdc6b9e9b069bef94c6856364781338eb76.tar.xz | |
fuse_dentry_revalidate(): use stable parent inode and name passed by caller
No need to mess with dget_parent() for the former; for the latter we really should
not rely upon ->d_name.name remaining stable - it's a real-life UAF.
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Acked-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| -rw-r--r-- | fs/fuse/dir.c | 17 |
1 files changed, 7 insertions, 10 deletions
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c index d9e9f26917eb..3019bc1d9f9d 100644 --- a/fs/fuse/dir.c +++ b/fs/fuse/dir.c @@ -175,9 +175,11 @@ static void fuse_lookup_init(struct fuse_conn *fc, struct fuse_args *args, memset(outarg, 0, sizeof(struct fuse_entry_out)); args->opcode = FUSE_LOOKUP; args->nodeid = nodeid; - args->in_numargs = 1; - args->in_args[0].size = name->len + 1; + args->in_numargs = 2; + args->in_args[0].size = name->len; args->in_args[0].value = name->name; + args->in_args[1].size = 1; + args->in_args[1].value = ""; args->out_numargs = 1; args->out_args[0].size = sizeof(struct fuse_entry_out); args->out_args[0].value = outarg; @@ -196,7 +198,6 @@ static int fuse_dentry_revalidate(struct inode *dir, const struct qstr *name, struct dentry *entry, unsigned int flags) { struct inode *inode; - struct dentry *parent; struct fuse_mount *fm; struct fuse_inode *fi; int ret; @@ -228,11 +229,9 @@ static int fuse_dentry_revalidate(struct inode *dir, const struct qstr *name, attr_version = fuse_get_attr_version(fm->fc); - parent = dget_parent(entry); - fuse_lookup_init(fm->fc, &args, get_node_id(d_inode(parent)), - &entry->d_name, &outarg); + fuse_lookup_init(fm->fc, &args, get_node_id(dir), + name, &outarg); ret = fuse_simple_request(fm, &args); - dput(parent); /* Zero nodeid is same as -ENOENT */ if (!ret && !outarg.nodeid) ret = -ENOENT; @@ -266,9 +265,7 @@ static int fuse_dentry_revalidate(struct inode *dir, const struct qstr *name, if (test_bit(FUSE_I_INIT_RDPLUS, &fi->state)) return -ECHILD; } else if (test_and_clear_bit(FUSE_I_INIT_RDPLUS, &fi->state)) { - parent = dget_parent(entry); - fuse_advise_use_readdirplus(d_inode(parent)); - dput(parent); + fuse_advise_use_readdirplus(dir); } } ret = 1; |