On Mon, May 27, 2024 at 03:58:52PM +0800, Hongbo Li wrote:
> `fsparam_path` uses `fs_param_is_path` to parse the option, but it
> is currently empty. The new mount api has considered this option in
> `fsconfig`(that is FSCONFIG_SET_PATH). Here we add general path parser
> in filesystem layer. Currently, no filesystem uses this function to
> parse parameters, we add `void *ptr` in `fs_parse_result` to point to
> the target structure(such as `struct inode *`).
>
> Signed-off-by: Hongbo Li <lihongbo22@xxxxxxxxxx>
> ---
> fs/fs_parser.c | 18 ++++++++++++++++++
> include/linux/fs_parser.h | 1 +
> 2 files changed, 19 insertions(+)
>
> diff --git a/fs/fs_parser.c b/fs/fs_parser.c
> index 2aa208cf2027..5d0adcc514d8 100644
> --- a/fs/fs_parser.c
> +++ b/fs/fs_parser.c
> @@ -367,6 +367,24 @@ EXPORT_SYMBOL(fs_param_is_blockdev);
> int fs_param_is_path(struct p_log *log, const struct fs_parameter_spec *p,
> struct fs_parameter *param, struct fs_parse_result *result)
> {
> + int ret;
> + struct filename *f;
> + struct path path;
> +
> + if (param->type != fs_value_is_filename)
> + return fs_param_bad_value(log, param);
> + if (!*param->string && (p->flags & fs_param_can_be_empty))
> + return 0;
> +
> + f = param->name;
> + ret = filename_lookup(param->dirfd, f, LOOKUP_FOLLOW, &path, NULL);
> + if (ret < 0) {
> + error_plog(log, "%s: Lookup failure for '%s'", param->key, f->name);
> + return fs_param_bad_value(log, param);
> + }
> + result->ptr = d_backing_inode(path.dentry);
> + path_put(&path);
That smells like a UAF:
dfd = open("/bla");
fsconfig(FSCONFIG_SET_PATH, dfd, "blub", 0);
close(dfd);
umount("/bla");
and that result->ptr now has a dangling pointer which will be triggered by:
fsconfig(FSCONFIG_CMD_CREATE);
