Commit 43f70c96 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'ecryptfs-4.17-rc2-fixes' of...

Merge tag 'ecryptfs-4.17-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs

Pull eCryptfs fixes from Tyler Hicks:
 "Minor cleanups and a bug fix to completely ignore unencrypted
  filenames in the lower filesystem when filename encryption is enabled
  at the eCryptfs layer"

* tag 'ecryptfs-4.17-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs:
  eCryptfs: don't pass up plaintext names when using filename encryption
  ecryptfs: fix spelling mistake: "cadidate" -> "candidate"
  ecryptfs: lookup: Don't check if mount_crypt_stat is NULL
parents 0d9cf33b e86281e7
...@@ -1997,6 +1997,16 @@ int ecryptfs_encrypt_and_encode_filename( ...@@ -1997,6 +1997,16 @@ int ecryptfs_encrypt_and_encode_filename(
return rc; return rc;
} }
static bool is_dot_dotdot(const char *name, size_t name_size)
{
if (name_size == 1 && name[0] == '.')
return true;
else if (name_size == 2 && name[0] == '.' && name[1] == '.')
return true;
return false;
}
/** /**
* ecryptfs_decode_and_decrypt_filename - converts the encoded cipher text name to decoded plaintext * ecryptfs_decode_and_decrypt_filename - converts the encoded cipher text name to decoded plaintext
* @plaintext_name: The plaintext name * @plaintext_name: The plaintext name
...@@ -2021,13 +2031,21 @@ int ecryptfs_decode_and_decrypt_filename(char **plaintext_name, ...@@ -2021,13 +2031,21 @@ int ecryptfs_decode_and_decrypt_filename(char **plaintext_name,
size_t packet_size; size_t packet_size;
int rc = 0; int rc = 0;
if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) &&
&& !(mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) !(mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)) {
&& (name_size > ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE) if (is_dot_dotdot(name, name_size)) {
&& (strncmp(name, ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX, rc = ecryptfs_copy_filename(plaintext_name,
ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE) == 0)) { plaintext_name_size,
const char *orig_name = name; name, name_size);
size_t orig_name_size = name_size; goto out;
}
if (name_size <= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE ||
strncmp(name, ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX,
ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE)) {
rc = -EINVAL;
goto out;
}
name += ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE; name += ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
name_size -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE; name_size -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE;
...@@ -2047,12 +2065,9 @@ int ecryptfs_decode_and_decrypt_filename(char **plaintext_name, ...@@ -2047,12 +2065,9 @@ int ecryptfs_decode_and_decrypt_filename(char **plaintext_name,
decoded_name, decoded_name,
decoded_name_size); decoded_name_size);
if (rc) { if (rc) {
printk(KERN_INFO "%s: Could not parse tag 70 packet " ecryptfs_printk(KERN_DEBUG,
"from filename; copying through filename " "%s: Could not parse tag 70 packet from filename\n",
"as-is\n", __func__); __func__);
rc = ecryptfs_copy_filename(plaintext_name,
plaintext_name_size,
orig_name, orig_name_size);
goto out_free; goto out_free;
} }
} else { } else {
......
...@@ -82,17 +82,28 @@ ecryptfs_filldir(struct dir_context *ctx, const char *lower_name, ...@@ -82,17 +82,28 @@ ecryptfs_filldir(struct dir_context *ctx, const char *lower_name,
buf->sb, lower_name, buf->sb, lower_name,
lower_namelen); lower_namelen);
if (rc) { if (rc) {
printk(KERN_ERR "%s: Error attempting to decode and decrypt " if (rc != -EINVAL) {
"filename [%s]; rc = [%d]\n", __func__, lower_name, ecryptfs_printk(KERN_DEBUG,
rc); "%s: Error attempting to decode and decrypt filename [%s]; rc = [%d]\n",
goto out; __func__, lower_name, rc);
return rc;
} }
/* Mask -EINVAL errors as these are most likely due a plaintext
* filename present in the lower filesystem despite filename
* encryption being enabled. One unavoidable example would be
* the "lost+found" dentry in the root directory of an Ext4
* filesystem.
*/
return 0;
}
buf->caller->pos = buf->ctx.pos; buf->caller->pos = buf->ctx.pos;
rc = !dir_emit(buf->caller, name, name_size, ino, d_type); rc = !dir_emit(buf->caller, name, name_size, ino, d_type);
kfree(name); kfree(name);
if (!rc) if (!rc)
buf->entries_written++; buf->entries_written++;
out:
return rc; return rc;
} }
......
...@@ -395,8 +395,7 @@ static struct dentry *ecryptfs_lookup(struct inode *ecryptfs_dir_inode, ...@@ -395,8 +395,7 @@ static struct dentry *ecryptfs_lookup(struct inode *ecryptfs_dir_inode,
mount_crypt_stat = &ecryptfs_superblock_to_private( mount_crypt_stat = &ecryptfs_superblock_to_private(
ecryptfs_dentry->d_sb)->mount_crypt_stat; ecryptfs_dentry->d_sb)->mount_crypt_stat;
if (mount_crypt_stat if (mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) {
&& (mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)) {
rc = ecryptfs_encrypt_and_encode_filename( rc = ecryptfs_encrypt_and_encode_filename(
&encrypted_and_encoded_name, &len, &encrypted_and_encoded_name, &len,
mount_crypt_stat, name, len); mount_crypt_stat, name, len);
......
...@@ -1880,7 +1880,7 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat, ...@@ -1880,7 +1880,7 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
candidate_auth_tok = &auth_tok_list_item->auth_tok; candidate_auth_tok = &auth_tok_list_item->auth_tok;
if (unlikely(ecryptfs_verbosity > 0)) { if (unlikely(ecryptfs_verbosity > 0)) {
ecryptfs_printk(KERN_DEBUG, ecryptfs_printk(KERN_DEBUG,
"Considering cadidate auth tok:\n"); "Considering candidate auth tok:\n");
ecryptfs_dump_auth_tok(candidate_auth_tok); ecryptfs_dump_auth_tok(candidate_auth_tok);
} }
rc = ecryptfs_get_auth_tok_sig(&candidate_auth_tok_sig, rc = ecryptfs_get_auth_tok_sig(&candidate_auth_tok_sig,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment