UBUNTU: SAUCE: overlayfs: ensure mounter privileges when reading directories

BugLink: https://launchpad.net/bugs/1793458 When reading directory contents ensure the mounter has permissions for the operation over the constituent parts (lower and upper). Where we are in a namespace this ensures that the mounter (root in that namespace) has permissions over the files and directories, preventing exposure of protected files and directory contents. CVE-2018-6559 Signed-off-by: Andy Whitcroft <apw@canonical.com> [tyhicks: make use of new upstream check in ovl_permission() for copy-ups] [tyhicks: make use of creator (mounter) creds hanging off the super block] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
2018-10-19 16:44:53 +00:00 · 2018-10-19 16:44:53 +00:00 · 5593f69b94
parent cd63c3ef89
commit 5593f69b94
4 changed files with 28 additions and 4 deletions
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@ -266,7 +266,6 @@ int ovl_permission(struct inode *inode, int mask)
 {
 	struct inode *upperinode = ovl_inode_upper(inode);
 	struct inode *realinode = upperinode ?: ovl_inode_lower(inode);
-	const struct cred *old_cred;
 	int err;

 	/* Careful in RCU walk mode */
@ -283,15 +282,13 @@ int ovl_permission(struct inode *inode, int mask)
 	if (err)
 		return err;

-	old_cred = ovl_override_creds(inode->i_sb);
 	if (!upperinode &&
 	    !special_file(realinode->i_mode) && mask & MAY_WRITE) {
 		mask &= ~(MAY_WRITE | MAY_APPEND);
 		/* Make sure mounter can read file for copy up later */
 		mask |= MAY_READ;
 	}
-	err = inode_permission(realinode, mask);
-	revert_creds(old_cred);
+	err = ovl_creator_permission(inode->i_sb, realinode, mask);

 	return err;
 }
--- a/fs/overlayfs/overlayfs.h
+++ b/fs/overlayfs/overlayfs.h
@ -218,6 +218,8 @@ void ovl_drop_write(struct dentry *dentry);
 struct dentry *ovl_workdir(struct dentry *dentry);
 const struct cred *ovl_override_creds(struct super_block *sb);
 struct super_block *ovl_same_sb(struct super_block *sb);
+int ovl_creator_permission(struct super_block *sb, struct inode *inode,
+			   int mode);
 int ovl_can_decode_fh(struct super_block *sb);
 struct dentry *ovl_indexdir(struct super_block *sb);
 bool ovl_index_all(struct super_block *sb);
--- a/fs/overlayfs/readdir.c
+++ b/fs/overlayfs/readdir.c
@ -370,6 +370,12 @@ static int ovl_dir_read_merged(struct dentry *dentry, struct list_head *list,
 		next = ovl_path_next(idx, dentry, &realpath);
 		rdd.is_upper = ovl_dentry_upper(dentry) == realpath.dentry;

+		err = ovl_creator_permission(dentry->d_sb,
+					     d_inode(realpath.dentry),
+					     MAY_READ);
+		if (err)
+			break;
+
 		if (next != -1) {
 			err = ovl_dir_read(&realpath, &rdd);
 			if (err)
@ -732,6 +738,12 @@ static int ovl_iterate(struct file *file, struct dir_context *ctx)
 		ovl_dir_reset(file);

 	if (od->is_real) {
+		err = ovl_creator_permission(dentry->d_sb,
+					     file_inode(od->realfile),
+					     MAY_READ);
+		if (err)
+			return err;
+
 		/*
 		 * If parent is merge, then need to adjust d_ino for '..', if
 		 * dir is impure then need to adjust d_ino for copied up
--- a/fs/overlayfs/util.c
+++ b/fs/overlayfs/util.c
@ -52,6 +52,19 @@ struct super_block *ovl_same_sb(struct super_block *sb)
 		return NULL;
 }

+int ovl_creator_permission(struct super_block *sb, struct inode *inode,
+			   int mode)
+{
+	const struct cred *old_cred;
+	int err = 0;
+
+	old_cred = ovl_override_creds(sb);
+	err = inode_permission(inode, mode);
+	revert_creds(old_cred);
+
+	return err;
+}
+
 /*
 * Check if underlying fs supports file handles and try to determine encoding
 * type, in order to deduce maximum inode number used by fs.