ACK: [PATCH] nfsd4: readdirplus shouldn't return parent of export
Kleber Souza
kleber.souza at canonical.com
Tue Mar 23 10:06:24 UTC 2021
On 12.03.21 19:23, Tim Gardner wrote:
> From: "J. Bruce Fields" <bfields at redhat.com>
>
> CVE-2021-3178
>
> If you export a subdirectory of a filesystem, a READDIRPLUS on the root
> of that export will return the filehandle of the parent with the ".."
> entry.
>
> The filehandle is optional, so let's just not return the filehandle for
> ".." if we're at the root of an export.
>
> Note that once the client learns one filehandle outside of the export,
> they can trivially access the rest of the export using further lookups.
>
> However, it is also not very difficult to guess filehandles outside of
> the export. So exporting a subdirectory of a filesystem should be
> considered equivalent to providing access to the entire filesystem. To
> avoid confusion, we recommend only exporting entire filesystems.
>
> Reported-by: Youjipeng <wangzhibei1999 at gmail.com>
> Signed-off-by: J. Bruce Fields <bfields at redhat.com>
> Cc: stable at vger.kernel.org
> Signed-off-by: Chuck Lever <chuck.lever at oracle.com>
> (cherry picked from commit 51b2ee7d006a736a9126e8111d1f24e4fd0afaa6)
> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>
> ---
> fs/nfsd/nfs3xdr.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
> index aae514d40b64..1a9e177be158 100644
> --- a/fs/nfsd/nfs3xdr.c
> +++ b/fs/nfsd/nfs3xdr.c
> @@ -849,9 +849,14 @@ compose_entry_fh(struct nfsd3_readdirres *cd, struct svc_fh *fhp,
> if (isdotent(name, namlen)) {
> if (namlen == 2) {
> dchild = dget_parent(dparent);
> - /* filesystem root - cannot return filehandle for ".." */
> + /*
> + * Don't return filehandle for ".." if we're at
> + * the filesystem or export root:
> + */
> if (dchild == dparent)
> goto out;
> + if (dparent == exp->ex_path.dentry)
> + goto out;
> } else
> dchild = dget(dparent);
> } else
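Review bot: The added `if (dparent == exp->ex_path.dentry) goto out;` in the `namlen == 2` branch runs after `dget_parent(dparent)` has already taken a reference on `dchild`, so it depends on the `out` label releasing that reference, and that label is outside this hunk. The existing `dchild == dparent` exit takes the same path, so the new test is consistent with it, but the cherry-pick should be checked against the target tree's `out:` handling. The subject line also says nfsd4 while the change is in fs/nfsd/nfs3xdr.c; a sentence in the commit message stating which protocol versions the check covers would help whoever reviews the backport.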
>
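The commit message's recommendation to export only entire filesystems can be audited on a server. The following is an added example, not part of the original mail or the kernel patch, that flags exports(5) entries whose path is not a mount point; the sample exports, the sample mount table and the function names are constructed for illustration.

```python
import re
# Constructed sample inputs, not taken from the original mail.
SAMPLE_EXPORTS = """\
# /etc/exports
/srv/nfs            192.0.2.0/24(rw,sync,no_subtree_check)
/srv/nfs/projects   192.0.2.0/24(ro,sync)
"/data/shared dir"  *.example.org(rw)
/home/alice \\
    client.example.org(rw)
"""
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /srv/nfs xfs rw,relatime 0 0
/dev/sdc1 /data/shared\\040dir ext4 rw 0 0
/dev/sdd1 /home ext4 rw 0 0
"""

def _unescape(field):
    # exports(5) and /proc/mounts both encode odd characters as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def export_paths(exports_text):
    """Return the exported directory of every entry in exports(5) syntax."""
    paths = []
    joined = re.sub(r"\\\n", " ", exports_text)  # backslash-newline continuation
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments
        m = re.match(r'"([^"]*)"|(\S+)', line)   # quoted or bare first field
        if m:
            paths.append(_unescape(m.group(1) if m.group(1) is not None else m.group(2)))
    return paths

def mount_points(mounts_text):
    return {_unescape(l.split()[1]) for l in mounts_text.splitlines() if l.strip()}

def subdirectory_exports(exports_text, mounts_text):
    """Return (export, containing mount point) for exports that are not mount points."""
    mounts = mount_points(mounts_text)
    findings = []
    for path in export_paths(exports_text):
        norm = path.rstrip("/") or "/"
        if norm not in mounts:
            covering = [m for m in mounts if norm.startswith(m.rstrip("/") + "/")]
            findings.append((norm, max(covering, key=len, default="/")))
    return findings

if __name__ == "__main__":
    for export, fs_root in subdirectory_exports(SAMPLE_EXPORTS, SAMPLE_MOUNTS):
        print(f"{export}: subdirectory of the filesystem mounted at {fs_root}")
```

A bind mount of a subdirectory shows up as a mount point and passes this check; the root field of /proc/self/mountinfo distinguishes that case.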