On Thu, Apr 09, 2015 at 09:51:11PM -0500, Eric W. Biederman wrote:
> And a process opened /tmp/c/c/x.
> d_path on that file descriptor before __d_move would say:
>
> /tmp/c/c/x
>
> after the __d_move d_path would say:
>
> /tmp/c/a/x

So what?

> Which is bizarrely weird in this example, and could potentially be
> an exploitable information leak in the hands of someone who knew
> what they were doing.
>
> I am not clever enough to take that deleted directory and walk up the
> tree, so the damage may be limited to seeing the true path on the
> filesystem. But it just may be that I am dense today.
>
> Furthermore all of the relevant changes to the dentry that happen
> when exchange is true also happen when exchange is false, so I am very
> reluctant to believe that the non-exchange case is not exploitable by a
> sufficiently clever individual.

Exploited how? The same assistant might very well have done

	echo "/tmp/c/a/x or whatever else I might want to pass to you" >/tmp/c/c/x

and passed whatever information they wanted _that_ way.

As it is, you've created one hell of a DoS - *anyone* can poison any vfsmount
covering a subtree if they have access to a containing subtree somewhere and
write permissions on a directory inside and a directory outside of the victim one.