diff options
| author |   Al Viro <viro@zeniv.linux.org.uk> | 2024-12-08 01:27:11 -0500 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2025-01-27 19:25:24 -0500 |
| commit | ffeeaada2bddb88078f16ba24f24ce8651c22d5b (patch) | |
| tree | 3d0d9a74f991c156cdd712f2afcad6b299c57dc8 /include | |
| parent | nfs{,4}_lookup_validate(): use stable parent inode passed by caller (diff) | |
| download | wireguard-linux-ffeeaada2bddb88078f16ba24f24ce8651c22d5b.tar.xz wireguard-linux-ffeeaada2bddb88078f16ba24f24ce8651c22d5b.zip | |
nfs: fix ->d_revalidate() UAF on ->d_name accesses
Pass the stable name all the way down to ->rpc_ops->lookup() instances.
Note that passing &dentry->d_name is safe in e.g. nfs_lookup() - it *is*
stable there, as it is in ->create() et.al.
dget_parent() in nfs_instantiate() should be redundant - it'd better be
stable there; if it's not, we have more trouble, since ->d_name would
also be unsafe in such case.
nfs_submount() and nfs4_submount() may or may not require fixes - if
they ever get moved on server with fhandle preserved, we are in trouble
there...
UAF window is fairly narrow here and exfiltration requires the ability
to watch the traffic.
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/nfs_xdr.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h index 559273a0f16d..08b62bbf59f0 100644 --- a/include/linux/nfs_xdr.h +++ b/include/linux/nfs_xdr.h @@ -1785,7 +1785,7 @@ struct nfs_rpc_ops { struct nfs_fattr *, struct inode *); int (*setattr) (struct dentry *, struct nfs_fattr *, struct iattr *); - int (*lookup) (struct inode *, struct dentry *, + int (*lookup) (struct inode *, struct dentry *, const struct qstr *, struct nfs_fh *, struct nfs_fattr *); int (*lookupp) (struct inode *, struct nfs_fh *, struct nfs_fattr *); |