linux-hardened/fs/ocfs2
Kees Cook a068acf2ee fs: create and use seq_show_option for escaping
Many file systems that implement the show_options hook fail to correctly
escape their output which could lead to unescaped characters (e.g.  new
lines) leaking into /proc/mounts and /proc/[pid]/mountinfo files.  This
could lead to confusion, spoofed entries (resulting in things like
systemd issuing false d-bus "mount" notifications), and who knows what
else.  This looks like it would only be the root user stepping on
themselves, but it's possible weird things could happen in containers or
in other situations with delegated mount privileges.

Here's an example using overlay with setuid fusermount trusting the
contents of /proc/mounts (via the /etc/mtab symlink).  Imagine the use
of "sudo" is something more sneaky:

  $ BASE="ovl"
  $ MNT="$BASE/mnt"
  $ LOW="$BASE/lower"
  $ UP="$BASE/upper"
  $ WORK="$BASE/work/ 0 0
  none /proc fuse.pwn user_id=1000"
  $ mkdir -p "$LOW" "$UP" "$WORK"
  $ sudo mount -t overlay -o "lowerdir=$LOW,upperdir=$UP,workdir=$WORK" none /mnt
  $ cat /proc/mounts
  none /root/ovl/mnt overlay rw,relatime,lowerdir=ovl/lower,upperdir=ovl/upper,workdir=ovl/work/ 0 0
  none /proc fuse.pwn user_id=1000 0 0
  $ fusermount -u /proc
  $ cat /proc/mounts
  cat: /proc/mounts: No such file or directory

This fixes the problem by adding new seq_show_option and
seq_show_option_n helpers, and updating the vulnerable show_option
handlers to use them as needed.  Some, like SELinux, need to be open
coded due to unusual existing escape mechanisms.

[akpm@linux-foundation.org: add lost chunk, per Kees]
[keescook@chromium.org: seq_show_option should be using const parameters]
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Acked-by: Jan Kara <jack@suse.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Cc: J. R. Okajima <hooanon05g@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-09-04 16:54:41 -07:00
..
cluster ocfs2: use 64bit variables to track heartbeat time 2015-09-04 16:54:41 -07:00
dlm ocfs2: avoid access invalid address when read o2dlm debug messages 2015-09-04 16:54:41 -07:00
dlmfs VFS: normal filesystems (and lustre): d_inode() annotations 2015-04-15 15:06:57 -04:00
acl.c ocfs2: take inode lock in ocfs2_iop_set/get_acl() 2015-09-04 16:54:41 -07:00
acl.h ocfs2: use generic posix ACL infrastructure 2014-01-25 23:58:21 -05:00
alloc.c ocfs2: clean up redundant NULL checks before kfree 2015-09-04 16:54:41 -07:00
alloc.h ocfs2: reflink: fix slow unlink for refcounted file 2014-12-18 19:08:11 -08:00
aops.c ocfs2: neaten do_error, ocfs2_error and ocfs2_abort 2015-09-04 16:54:41 -07:00
aops.h ocfs2: remove OCFS2_IOCB_SEM lock type in direct io 2015-06-24 17:49:39 -07:00
blockcheck.c
blockcheck.h
buffer_head_io.c ocfs2: clear the rest of the buffers on error 2015-09-04 16:54:41 -07:00
buffer_head_io.h
dcache.c VFS: normal filesystems (and lustre): d_inode() annotations 2015-04-15 15:06:57 -04:00
dcache.h ocfs2: revert iput deferring code in ocfs2_drop_dentry_lock 2014-04-03 16:20:55 -07:00
dir.c ocfs2: neaten do_error, ocfs2_error and ocfs2_abort 2015-09-04 16:54:41 -07:00
dir.h VFS: normal filesystems (and lustre): d_inode() annotations 2015-04-15 15:06:57 -04:00
dlmglue.c ocfs2: remove unneeded code in ocfs2_dlm_init 2015-09-04 16:54:41 -07:00
dlmglue.h ocfs2: avoid blocking in ocfs2_mark_lockres_freeing() in downconvert thread 2014-04-03 16:20:55 -07:00
export.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2015-04-26 17:22:07 -07:00
export.h
extent_map.c ocfs2: neaten do_error, ocfs2_error and ocfs2_abort 2015-09-04 16:54:41 -07:00
extent_map.h
file.c ocfs2: fix BUG_ON() in ocfs2_ci_checkpointed() 2015-09-04 16:54:41 -07:00
file.h ocfs2: prepare some interfaces used in append direct io 2015-02-16 17:56:04 -08:00
heartbeat.c
heartbeat.h
inode.c ocfs2: neaten do_error, ocfs2_error and ocfs2_abort 2015-09-04 16:54:41 -07:00
inode.h ocfs2: fix race between dio and recover orphan 2015-09-04 16:54:41 -07:00
ioctl.c ioctl_compat: handle FITRIM 2015-07-09 11:42:21 -07:00
ioctl.h
journal.c ocfs2: neaten do_error, ocfs2_error and ocfs2_abort 2015-09-04 16:54:41 -07:00
journal.h ocfs2: add functions to add and remove inode in orphan dir 2015-02-16 17:56:04 -08:00
Kconfig
localalloc.c ocfs2: neaten do_error, ocfs2_error and ocfs2_abort 2015-09-04 16:54:41 -07:00
localalloc.h ocfs2: free allocated clusters if error occurs after ocfs2_claim_clusters 2014-02-06 13:48:51 -08:00
locks.c ocfs2: flock: drop cross-node lock when failed locally 2014-04-03 16:20:56 -07:00
locks.h
Makefile ocfs2: remove versioning information 2014-01-21 16:19:41 -08:00
mmap.c mm: drop vm_ops->remap_pages and generic_file_remap_pages() stub 2015-02-10 14:30:30 -08:00
mmap.h
move_extents.c ocfs2: neaten do_error, ocfs2_error and ocfs2_abort 2015-09-04 16:54:41 -07:00
move_extents.h
namei.c ocfs2: fix a tiny case that inode can not removed 2015-09-04 16:54:41 -07:00
namei.h ocfs2: fix a tiny race when truncate dio orohaned entry 2015-06-24 17:49:39 -07:00
ocfs1_fs_compat.h
ocfs2.h ocfs2: add errors=continue 2015-09-04 16:54:41 -07:00
ocfs2_fs.h treewide: fix typos in comment blocks 2015-08-07 14:46:24 +02:00
ocfs2_ioctl.h
ocfs2_lockid.h
ocfs2_lockingver.h
ocfs2_trace.h ocfs2: fix a tiny race when running dirop_fileop_racer 2014-06-23 16:47:45 -07:00
quota.h ocfs2: Move OLQF_CLEAN flag out of generic quota flags 2015-01-21 19:21:30 +01:00
quota_global.c ocfs2: Don't use MAXQUOTAS value 2014-09-17 11:59:12 +02:00
quota_local.c ocfs2: neaten do_error, ocfs2_error and ocfs2_abort 2015-09-04 16:54:41 -07:00
refcounttree.c ocfs2: neaten do_error, ocfs2_error and ocfs2_abort 2015-09-04 16:54:41 -07:00
refcounttree.h
reservations.c ocfs2: make resv_lock spinlock static 2015-02-10 14:30:29 -08:00
reservations.h
resize.c ocfs2: fix incorrect i_size of global bitmap inode after resize 2014-06-04 16:53:54 -07:00
resize.h
slot_map.c ocfs2: one function call less in ocfs2_init_slot_info() after error detection 2015-04-14 16:48:57 -07:00
slot_map.h
stack_o2cb.c ocfs2: avoid a pointless delay in o2cb_cluster_check() 2015-04-14 16:48:57 -07:00
stack_user.c char: make misc_deregister a void function 2015-08-05 10:35:49 -07:00
stackglue.c ocfs2: remove NULL assignments on static 2014-06-04 16:53:53 -07:00
stackglue.h ocfs2: pass ocfs2_cluster_connection to ocfs2_this_node 2014-01-21 16:19:41 -08:00
suballoc.c ocfs2: clean up redundant NULL checks before kfree 2015-09-04 16:54:41 -07:00
suballoc.h ocfs2: rollback alloc_dinode counts when ocfs2_block_group_set_bits() failed 2014-04-03 16:20:56 -07:00
super.c fs: create and use seq_show_option for escaping 2015-09-04 16:54:41 -07:00
super.h ocfs2: neaten do_error, ocfs2_error and ocfs2_abort 2015-09-04 16:54:41 -07:00
symlink.c
symlink.h
sysfile.c ocfs2: avoid system inode ref confusion by adding mutex lock 2014-04-03 16:20:57 -07:00
sysfile.h
uptodate.c ocfs2: remove NULL assignments on static 2014-06-04 16:53:53 -07:00
uptodate.h
xattr.c ocfs2: neaten do_error, ocfs2_error and ocfs2_abort 2015-09-04 16:54:41 -07:00
xattr.h ocfs2: use generic posix ACL infrastructure 2014-01-25 23:58:21 -05:00