From: Darrick J. Wong <djwong@xxxxxxxxxx>
Add checks for the metadata inode flag so that we don't ever leak
metadata inodes out to userspace, and we don't ever try to read a
regular inode as metadata.
Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx>
---
fs/xfs/libxfs/xfs_inode_buf.c | 73 +++++++++++++++++++++++++++++++++++++++++
fs/xfs/libxfs/xfs_inode_buf.h | 3 ++
fs/xfs/scrub/common.c | 7 +++-
fs/xfs/scrub/inode_repair.c | 10 ++++++
fs/xfs/xfs_icache.c | 2 +
fs/xfs/xfs_inode.c | 13 +++++++
6 files changed, 107 insertions(+), 1 deletion(-)
diff --git a/fs/xfs/libxfs/xfs_inode_buf.c b/fs/xfs/libxfs/xfs_inode_buf.c
index 454f40b29249..1fb11d0e7eba 100644
--- a/fs/xfs/libxfs/xfs_inode_buf.c
+++ b/fs/xfs/libxfs/xfs_inode_buf.c
@@ -457,6 +457,73 @@ xfs_dinode_verify_nrext64(
return NULL;
}
+/*
+ * Validate all the picky requirements we have for a file that claims to be
+ * filesystem metadata.
+ */
+xfs_failaddr_t
+xfs_dinode_verify_metaflag(
+ struct xfs_mount *mp,
+ struct xfs_dinode *dip,
+ uint16_t mode,
+ uint16_t flags,
+ uint64_t flags2)
+{
+ if (!xfs_has_metadir(mp))
+ return __this_address;
+
+ /* V5 filesystem only */
+ if (dip->di_version < 3)
+ return __this_address;
+
+ /* V3 inode fields that are always zero */
+ if (dip->di_onlink)
+ return __this_address;
+ if ((flags2 & XFS_DIFLAG2_NREXT64) && dip->di_nrext64_pad)
+ return __this_address;
+ if (!(flags2 & XFS_DIFLAG2_NREXT64) && dip->di_flushiter)
+ return __this_address;
+
+ /* Metadata files can only be directories or regular files */
+ if (!S_ISDIR(mode) && !S_ISREG(mode))
+ return __this_address;
+
+ /* They must have zero access permissions */
+ if (mode & 0777)
+ return __this_address;
+
+ /* DMAPI event and state masks are zero */
+ if (dip->di_dmevmask || dip->di_dmstate)
+ return __this_address;
+
+ /* User, group, and project IDs must be zero */
+ if (dip->di_uid || dip->di_gid ||
+ dip->di_projid_lo || dip->di_projid_hi)
+ return __this_address;
+
+ /* Immutable, sync, noatime, nodump, and nodefrag flags must be set */
+ if (!(flags & XFS_DIFLAG_IMMUTABLE))
+ return __this_address;
+ if (!(flags & XFS_DIFLAG_SYNC))
+ return __this_address;
+ if (!(flags & XFS_DIFLAG_NOATIME))
+ return __this_address;
+ if (!(flags & XFS_DIFLAG_NODUMP))
+ return __this_address;
+ if (!(flags & XFS_DIFLAG_NODEFRAG))
+ return __this_address;
+
+ /* Directories must have nosymlinks flags set */
+ if (S_ISDIR(mode) && !(flags & XFS_DIFLAG_NOSYMLINKS))
+ return __this_address;
+
+ /* dax flags2 must not be set */
+ if (flags2 & XFS_DIFLAG2_DAX)
+ return __this_address;
+
+ return NULL;
+}
+
xfs_failaddr_t
xfs_dinode_verify(
struct xfs_mount *mp,
@@ -610,6 +677,12 @@ xfs_dinode_verify(
!xfs_has_bigtime(mp))
return __this_address;
+ if (flags2 & XFS_DIFLAG2_METADATA) {
+ fa = xfs_dinode_verify_metaflag(mp, dip, mode, flags, flags2);
+ if (fa)
+ return fa;
+ }
+
return NULL;
}
diff --git a/fs/xfs/libxfs/xfs_inode_buf.h b/fs/xfs/libxfs/xfs_inode_buf.h
index 585ed5a110af..94d6e7c018e2 100644
--- a/fs/xfs/libxfs/xfs_inode_buf.h
+++ b/fs/xfs/libxfs/xfs_inode_buf.h
@@ -28,6 +28,9 @@ int xfs_inode_from_disk(struct xfs_inode *ip, struct xfs_dinode *from);
xfs_failaddr_t xfs_dinode_verify(struct xfs_mount *mp, xfs_ino_t ino,
struct xfs_dinode *dip);
+xfs_failaddr_t xfs_dinode_verify_metaflag(struct xfs_mount *mp,
+ struct xfs_dinode *dip, uint16_t mode, uint16_t flags,
+ uint64_t flags2);
xfs_failaddr_t xfs_inode_validate_extsize(struct xfs_mount *mp,
uint32_t extsize, uint16_t mode, uint16_t flags);
xfs_failaddr_t xfs_inode_validate_cowextsize(struct xfs_mount *mp,
diff --git a/fs/xfs/scrub/common.c b/fs/xfs/scrub/common.c
index 2fbd8aa01ef7..b9c4f335cd8e 100644
--- a/fs/xfs/scrub/common.c
+++ b/fs/xfs/scrub/common.c
@@ -862,7 +862,12 @@ xchk_install_handle_inode(
struct xfs_scrub *sc,
struct xfs_inode *ip)
{
- if (VFS_I(ip)->i_generation != sc->sm->sm_gen) {
+ /*
+ * Only the directories in the metadata directory tree can be scrubbed
+ * by handle -- files must be checked through an explicit scrub type.
+ */
+ if ((xfs_is_metadata_inode(ip) && !S_ISDIR(VFS_I(ip)->i_mode)) ||
+ VFS_I(ip)->i_generation != sc->sm->sm_gen) {
xchk_irele(sc, ip);
return -ENOENT;
}
diff --git a/fs/xfs/scrub/inode_repair.c b/fs/xfs/scrub/inode_repair.c
index 6c889c21ddec..e9225536dc65 100644
--- a/fs/xfs/scrub/inode_repair.c
+++ b/fs/xfs/scrub/inode_repair.c
@@ -400,6 +400,16 @@ xrep_dinode_flags(
dip->di_nrext64_pad = 0;
else if (dip->di_version >= 3)
dip->di_v3_pad = 0;
+
+ if (flags2 & XFS_DIFLAG2_METADATA) {
+ xfs_failaddr_t fa;
+
+ fa = xfs_dinode_verify_metaflag(sc->mp, dip, mode, flags,
+ flags2);
+ if (fa)
+ flags2 &= ~XFS_DIFLAG2_METADATA;
+ }
+
dip->di_flags = cpu_to_be16(flags);
dip->di_flags2 = cpu_to_be64(flags2);
}
diff --git a/fs/xfs/xfs_icache.c b/fs/xfs/xfs_icache.c
index bccdaf51cd67..fc11ae6eae0b 100644
--- a/fs/xfs/xfs_icache.c
+++ b/fs/xfs/xfs_icache.c
@@ -931,6 +931,8 @@ xfs_imeta_iget(
goto bad_rele;
if (xfs_mode_to_ftype(VFS_I(ip)->i_mode) != ftype)
goto bad_rele;
+ if (xfs_has_metadir(mp) && !xfs_is_metadata_inode(ip))
+ goto bad_rele;
*ipp = ip;
return 0;
diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c
index 83127fed2b10..2c140c6d51e7 100644
--- a/fs/xfs/xfs_inode.c
+++ b/fs/xfs/xfs_inode.c
@@ -572,8 +572,19 @@ xfs_lookup(
if (error)
goto out_free_name;
+ /*
+ * Make sure that a corrupt directory cannot accidentally link to a
+ * metadata file.
+ */
+ if (XFS_IS_CORRUPT(dp->i_mount, xfs_is_metadata_inode(*ipp))) {
+ error = -EFSCORRUPTED;
+ goto out_irele;
+ }
+
return 0;
+out_irele:
+ xfs_irele(*ipp);
out_free_name:
if (ci_name)
kmem_free(ci_name->name);
@@ -2714,6 +2725,8 @@ void
xfs_imeta_irele(
struct xfs_inode *ip)
{
+ ASSERT(!xfs_has_metadir(ip->i_mount) || xfs_is_metadata_inode(ip));
+
xfs_irele(ip);
}
