linux/fs/cifs
Kees Cook a068acf2ee fs: create and use seq_show_option for escaping
Many file systems that implement the show_options hook fail to correctly
escape their output which could lead to unescaped characters (e.g.  new
lines) leaking into /proc/mounts and /proc/[pid]/mountinfo files.  This
could lead to confusion, spoofed entries (resulting in things like
systemd issuing false d-bus "mount" notifications), and who knows what
else.  This looks like it would only be the root user stepping on
themselves, but it's possible weird things could happen in containers or
in other situations with delegated mount privileges.

Here's an example using overlay with setuid fusermount trusting the
contents of /proc/mounts (via the /etc/mtab symlink).  Imagine the use
of "sudo" is something more sneaky:

  $ BASE="ovl"
  $ MNT="$BASE/mnt"
  $ LOW="$BASE/lower"
  $ UP="$BASE/upper"
  $ WORK="$BASE/work/ 0 0
  none /proc fuse.pwn user_id=1000"
  $ mkdir -p "$LOW" "$UP" "$WORK"
  $ sudo mount -t overlay -o "lowerdir=$LOW,upperdir=$UP,workdir=$WORK" none /mnt
  $ cat /proc/mounts
  none /root/ovl/mnt overlay rw,relatime,lowerdir=ovl/lower,upperdir=ovl/upper,workdir=ovl/work/ 0 0
  none /proc fuse.pwn user_id=1000 0 0
  $ fusermount -u /proc
  $ cat /proc/mounts
  cat: /proc/mounts: No such file or directory

This fixes the problem by adding new seq_show_option and
seq_show_option_n helpers, and updating the vulnerable show_option
handlers to use them as needed.  Some, like SELinux, need to be open
coded due to unusual existing escape mechanisms.

[akpm@linux-foundation.org: add lost chunk, per Kees]
[keescook@chromium.org: seq_show_option should be using const parameters]
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Acked-by: Jan Kara <jack@suse.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Cc: J. R. Okajima <hooanon05g@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-09-04 16:54:41 -07:00
..
asn1.c
cache.c
cifs_debug.c
cifs_debug.h
cifs_dfs_ref.c
cifs_fs_sb.h
cifs_spnego.c
cifs_spnego.h
cifs_unicode.c
cifs_unicode.h
cifs_uniupr.h
cifsacl.c
cifsacl.h
cifsencrypt.c
cifsfs.c fs: create and use seq_show_option for escaping 2015-09-04 16:54:41 -07:00
cifsfs.h
cifsglob.h Add ioctl to set integrity 2015-06-28 21:15:45 -05:00
cifspdu.h Add reflink copy over SMB3.11 with new FSCTL_DUPLICATE_EXTENTS 2015-06-28 21:15:38 -05:00
cifsproto.h
cifssmb.c client MUST ignore EncryptionKeyLength if CAP_EXTENDED_SECURITY is set 2015-06-27 20:26:00 -07:00
connect.c cifs: Unset CIFS_MOUNT_POSIX_PATHS flag when following dfs mounts 2015-06-29 14:50:22 -05:00
dir.c
dns_resolve.c
dns_resolve.h
export.c
file.c
fscache.c
fscache.h
inode.c
ioctl.c Add ioctl to set integrity 2015-06-28 21:15:45 -05:00
Kconfig
link.c
Makefile
misc.c
netmisc.c
nterr.c
nterr.h
ntlmssp.h
readdir.c
rfc1002pdu.h
sess.c
smb1ops.c
smb2file.c
smb2glob.h
smb2inode.c
smb2maperror.c
smb2misc.c
smb2ops.c Add ioctl to set integrity 2015-06-28 21:15:45 -05:00
smb2pdu.c Update negotiate protocol for SMB3.11 dialect 2015-06-28 21:15:48 -05:00
smb2pdu.h Update negotiate protocol for SMB3.11 dialect 2015-06-28 21:15:48 -05:00
smb2proto.h
smb2status.h
smb2transport.c
smbencrypt.c
smberr.h
smbfsctl.h Add Get/Set Integrity Information structure definitions 2015-06-28 21:15:41 -05:00
transport.c
winucase.c
xattr.c