linux/fs/ubifs
Eric Biggers b01531db6c fscrypt: fix race where ->lookup() marks plaintext dentry as ciphertext
->lookup() in an encrypted directory begins as follows:

1. fscrypt_prepare_lookup():
    a. Try to load the directory's encryption key.
    b. If the key is unavailable, mark the dentry as a ciphertext name
       via d_flags.
2. fscrypt_setup_filename():
    a. Try to load the directory's encryption key.
    b. If the key is available, encrypt the name (treated as a plaintext
       name) to get the on-disk name.  Otherwise decode the name
       (treated as a ciphertext name) to get the on-disk name.

But if the key is concurrently added, it may be found at (2a) but not at
(1a).  In this case, the dentry will be wrongly marked as a ciphertext
name even though it was actually treated as plaintext.

This will cause the dentry to be wrongly invalidated on the next lookup,
potentially causing problems.  For example, if the racy ->lookup() was
part of sys_mount(), then the new mount will be detached when anything
tries to access it.  This is despite the mountpoint having a plaintext
path, which should remain valid now that the key was added.

Of course, this is only possible if there's a userspace race.  Still,
the additional kernel-side race is confusing and unexpected.

Close the kernel-side race by changing fscrypt_prepare_lookup() to also
set the on-disk filename (step 2b), consistent with the d_flags update.

Fixes: 28b4c26396 ("ext4 crypto: revalidate dentry after adding or removing the key")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2019-04-17 10:07:51 -04:00
..
auth.c crypto: drop mask=CRYPTO_ALG_ASYNC from 'shash' tfm allocations 2018-11-20 14:26:55 +08:00
budget.c ubifs: Pass struct ubifs_info to ubifs_assert() 2018-08-15 00:25:21 +02:00
commit.c ubifs: Pass struct ubifs_info to ubifs_assert() 2018-08-15 00:25:21 +02:00
compress.c UBIFS: extend debug/message capabilities 2015-03-25 11:08:41 +02:00
crypto.c ubifs: Pass struct ubifs_info to ubifs_assert() 2018-08-15 00:25:21 +02:00
debug.c ubifs: Format changes for authentication support 2018-10-23 13:48:29 +02:00
debug.h ubifs: Rework ubifs_assert() 2018-08-15 00:25:21 +02:00
dir.c fscrypt: fix race where ->lookup() marks plaintext dentry as ciphertext 2019-04-17 10:07:51 -04:00
file.c mm: migrate: drop unused argument of migrate_page_move_mapping() 2018-12-28 12:11:51 -08:00
find.c ubifs: Pass struct ubifs_info to ubifs_assert() 2018-08-15 00:25:21 +02:00
gc.c ubifs: Add auth nodes to garbage collector journal head 2018-10-23 13:48:40 +02:00
io.c ubifs: Create functions to embed a HMAC in a node 2018-10-23 13:48:37 +02:00
ioctl.c This pull request contains updates for both UBI and UBIFS: 2019-03-13 09:34:35 -07:00
journal.c ubifs: Add authentication nodes to journal 2018-10-23 13:48:39 +02:00
Kconfig fscrypt: remove filesystem specific build config option 2019-01-23 23:56:43 -05:00
key.h ubifs: Pass struct ubifs_info to ubifs_assert() 2018-08-15 00:25:21 +02:00
log.c ubifs: Add authentication nodes to journal 2018-10-23 13:48:39 +02:00
lprops.c ubifs: Pass struct ubifs_info to ubifs_assert() 2018-08-15 00:25:21 +02:00
lpt_commit.c ubifs: authentication: Authenticate LPT 2018-10-23 13:48:47 +02:00
lpt.c ubifs: Fix memory leak on error condition 2018-12-13 22:09:13 +01:00
Makefile fscrypt: remove filesystem specific build config option 2019-01-23 23:56:43 -05:00
master.c ubfis: authentication: Authenticate master node 2018-10-23 13:48:52 +02:00
misc.c ubifs: Allow setting assert action as mount parameter 2018-08-15 00:25:21 +02:00
misc.h ubifs: authentication: Add hashes to index nodes 2018-10-23 13:48:39 +02:00
orphan.c ubifs: Pass struct ubifs_info to ubifs_assert() 2018-08-15 00:25:21 +02:00
recovery.c ubifs: Do not update inode size in-place in authenticated mode 2018-10-23 13:48:57 +02:00
replay.c ubifs: Handle re-linking of inodes correctly while recovery 2018-12-13 22:18:24 +01:00
sb.c fscrypt: remove filesystem specific build config option 2019-01-23 23:56:43 -05:00
scan.c ubifs: Pass struct ubifs_info to ubifs_assert() 2018-08-15 00:25:21 +02:00
shrinker.c ubifs: Pass struct ubifs_info to ubifs_assert() 2018-08-15 00:25:21 +02:00
super.c ubifs: fix use-after-free on symlink traversal 2019-04-01 00:31:02 -04:00
tnc_commit.c ubifs: authentication: Add hashes to index nodes 2018-10-23 13:48:39 +02:00
tnc_misc.c ubifs: authentication: Add hashes to index nodes 2018-10-23 13:48:39 +02:00
tnc.c ubifs: authentication: Add hashes to index nodes 2018-10-23 13:48:39 +02:00
ubifs-media.h ubifs: Format changes for authentication support 2018-10-23 13:48:29 +02:00
ubifs.h fscrypt: remove filesystem specific build config option 2019-01-23 23:56:43 -05:00
xattr.c Revert "ubifs: xattr: Don't operate on deleted inodes" 2018-09-20 21:37:41 +02:00