Headline
CVE-2022-24448: git/torvalds/linux.git - Linux kernel source tree
An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor.
author: Trond Myklebust [email protected], 2022-01-06 18:24:02 -0500
committer: Anna Schumaker [email protected], 2022-01-07 11:59:31 -0500
commit: ac795161c93699d600db16c1a8cc23a65a1eceaf (patch)
tree: e3f3ebeabbebc61c82aaa9d6bdc23832b7b75bc4
parent: 34bf20ce986c441c1088ed09a33e0bb96e52f99a (diff)
download: linux-ac795161c93699d600db16c1a8cc23a65a1eceaf.tar.gz
NFSv4: Handle case where the lookup of a directory fails
If the application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() will punt to doing a regular lookup. If the server then returns a regular file, we will happily return a file descriptor with uninitialised open state. The fix is to return the expected ENOTDIR error in these cases.

Reported-by: Lyu Tao [email protected]
Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()")
Signed-off-by: Trond Myklebust [email protected]
Signed-off-by: Anna Schumaker [email protected]
-rw-r--r-- fs/nfs/dir.c 13
1 files changed, 13 insertions, 0 deletions
diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index 2884138848f4c6…408c3bb549b1e1 100644
— a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -1994,6 +1994,19 @@ out:
no_open:
res = nfs_lookup(dir, dentry, lookup_flags);
+ if (!res) {
+ inode = d_inode(dentry);
+ if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
+ !S_ISDIR(inode->i_mode))
+ res = ERR_PTR(-ENOTDIR);
+ } else if (!IS_ERR(res)) {
+ inode = d_inode(res);
+ if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
+ !S_ISDIR(inode->i_mode)) {
+ dput(res);
+ res = ERR_PTR(-ENOTDIR);
+ }
+ }
if (switched) {
d_lookup_done(dentry);
if (!res)
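Review bot: The test (lookup_flags & LOOKUP_DIRECTORY) && inode && !S_ISDIR(inode->i_mode) is repeated verbatim in both the !res branch and the !IS_ERR(res) branch after nfs_lookup(); consider hoisting it into a small helper that takes the dentry to inspect, so the two branches differ only in the dput(res) that the second one needs. A short comment on that dput(res), saying that it drops the dentry returned by nfs_lookup() before res is overwritten with ERR_PTR(-ENOTDIR), would also help, because the asymmetry between the two branches is easy to misread on a later change.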