Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

ext4: Fix insufficient checks in EXT4_IOC_MOVE_EXT

This patch fixes three problems in the handling of the
EXT4_IOC_MOVE_EXT ioctl:

1. In current EXT4_IOC_MOVE_EXT, there are read access mode checks for
original and donor files, but they allow the illegal write access to
donor file, since donor file is overwritten by original file data.  To
fix this problem, change access mode checks of original (r->r/w) and
donor (r->w) files.

2.  Disallow the use of donor files that have a setuid or setgid bits.

3.  Call mnt_want_write() and mnt_drop_write() before and after
ext4_move_extents() calling to get write access to a mount.

Signed-off-by: Akira Fujita <a-fujita@rs.jp.nec.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Akira Fujita 15 years ago
parent
b436b9bef8
commit
4a58579b9e
2 changed files with 25 additions and 12 deletions
Unified View Show Diff Stats
  1. 18 12
      fs/ext4/ioctl.c
  2. 7 0
      fs/ext4/move_extent.c

+ 18 - 12
fs/ext4/ioctl.c
View File 

@@ -221,32 +221,38 @@ setversion_out:
 
 		struct file *donor_filp;
 
 		struct file *donor_filp;
 
 		int err;
 
 		int err;
 
 
 
+		if (!(filp->f_mode & FMODE_READ) ||
 
+		    !(filp->f_mode & FMODE_WRITE))
 
+			return -EBADF;
 
+
 
 		if (copy_from_user(&me,
 
 		if (copy_from_user(&me,
 
 			(struct move_extent __user *)arg, sizeof(me)))
 
 			(struct move_extent __user *)arg, sizeof(me)))
 
 			return -EFAULT;
 
 			return -EFAULT;
 
+		me.moved_len = 0;
 
 
 
 		donor_filp = fget(me.donor_fd);
 
 		donor_filp = fget(me.donor_fd);
 
 		if (!donor_filp)
 
 		if (!donor_filp)
 
 			return -EBADF;
 
 			return -EBADF;
 
 
 
-		if (!capable(CAP_DAC_OVERRIDE)) {
 
-			if ((current->real_cred->fsuid != inode->i_uid) ||
 
-				!(inode->i_mode & S_IRUSR) ||
 
-				!(donor_filp->f_dentry->d_inode->i_mode &
 
-				S_IRUSR)) {
 
-				fput(donor_filp);
 
-				return -EACCES;
 
-			}
 
+		if (!(donor_filp->f_mode & FMODE_WRITE)) {
 
+			err = -EBADF;
 
+			goto mext_out;
 
 		}
 
 		}
 
 
 
-		me.moved_len = 0;
 
+		err = mnt_want_write(filp->f_path.mnt);
 
+		if (err)
 
+			goto mext_out;
 
+
 
 		err = ext4_move_extents(filp, donor_filp, me.orig_start,
 
 		err = ext4_move_extents(filp, donor_filp, me.orig_start,
 
 					me.donor_start, me.len, &me.moved_len);
 
 					me.donor_start, me.len, &me.moved_len);
 
-		fput(donor_filp);
 
+		mnt_drop_write(filp->f_path.mnt);
 
+		if (me.moved_len > 0)
 
+			file_remove_suid(donor_filp);
 
 
 
 		if (copy_to_user((struct move_extent *)arg, &me, sizeof(me)))
 
 		if (copy_to_user((struct move_extent *)arg, &me, sizeof(me)))
 
-			return -EFAULT;
 
-
 
+			err = -EFAULT;
 
+mext_out:
 
+		fput(donor_filp);
 
 		return err;
 
 		return err;
 
 	}
 
 	}

+ 7 - 0
fs/ext4/move_extent.c
View File 

@@ -957,6 +957,13 @@ mext_check_arguments(struct inode *orig_inode,
 
 		return -EINVAL;
 
 		return -EINVAL;
 
 	}
 
 	}
 
 
 
+	if (donor_inode->i_mode & (S_ISUID|S_ISGID)) {
 
+		ext4_debug("ext4 move extent: suid or sgid is set"
 
+			   " to donor file [ino:orig %lu, donor %lu]\n",
 
+			   orig_inode->i_ino, donor_inode->i_ino);
 
+		return -EINVAL;
 
+	}
 
+
 
 	/* Ext4 move extent does not support swapfile */
 
 	/* Ext4 move extent does not support swapfile */
 
 	if (IS_SWAPFILE(orig_inode) || IS_SWAPFILE(donor_inode)) {
 
 	if (IS_SWAPFILE(orig_inode) || IS_SWAPFILE(donor_inode)) {
 
 		ext4_debug("ext4 move extent: The argument files should "
 
 		ext4_debug("ext4 move extent: The argument files should "