• Kees Cook's avatar
    fs: create and use seq_show_option for escaping · d3b428f0
    Kees Cook authored
    commit a068acf2 upstream.
    
    Many file systems that implement the show_options hook fail to correctly
    escape their output which could lead to unescaped characters (e.g.  new
    lines) leaking into /proc/mounts and /proc/[pid]/mountinfo files.  This
    could lead to confusion, spoofed entries (resulting in things like
    systemd issuing false d-bus "mount" notifications), and who knows what
    else.  This looks like it would only be the root user stepping on
    themselves, but it's possible weird things could happen in containers or
    in other situations with delegated mount privileges.
    
    Here's an example using overlay with setuid fusermount trusting the
    contents of /proc/mounts (via the /etc/mtab symlink).  Imagine the use
    of "sudo" is something more sneaky:
    
      $ BASE="ovl"
      $ MNT="$BASE/mnt"
      $ LOW="$BASE/lower"
      $ UP="$BASE/upper"
      $ WORK="$BASE/work/ 0 0
      none /proc fuse.pwn user_id=1000"
      $ mkdir -p "$LOW" "$UP" "$WORK"
      $ sudo mount -t overlay -o "lowerdir=$LOW,upperdir=$UP,workdir=$WORK" none /mnt
      $ cat /proc/mounts
      none /root/ovl/mnt overlay rw,relatime,lowerdir=ovl/lower,upperdir=ovl/upper,workdir=ovl/work/ 0 0
      none /proc fuse.pwn user_id=1000 0 0
      $ fusermount -u /proc
      $ cat /proc/mounts
      cat: /proc/mounts: No such file or directory
    
    This fixes the problem by adding new seq_show_option and
    seq_show_option_n helpers, and updating the vulnerable show_option
    handlers to use them as needed.  Some, like SELinux, need to be open
    coded due to unusual existing escape mechanisms.
    
    [akpm@linux-foundation.org: add lost chunk, per Kees]
    [keescook@chromium.org: seq_show_option should be using const parameters]
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
    Acked-by: default avatarJan Kara <jack@suse.com>
    Acked-by: default avatarPaul Moore <paul@paul-moore.com>
    Cc: J. R. Okajima <hooanon05g@gmail.com>
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    d3b428f0
xfs_super.c 49.1 KB