On Fri, Oct 22, 2021 at 09:16:05AM +0900, Masami Ichikawa(CIP) wrote: > From: Zheng Liang <zhengliang6@xxxxxxxxxx> > > From: Zheng Liang <zhengliang6@xxxxxxxxxx> > > commit a295aef603e109a47af355477326bd41151765b6 upstream. > > The following reproducer > > mkdir lower upper work merge > touch lower/old > touch lower/new > mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merge > rm merge/new > mv merge/old merge/new & unlink upper/new > > may result in this race: > > PROCESS A: > rename("merge/old", "merge/new"); > overwrite=true,ovl_lower_positive(old)=true, > ovl_dentry_is_whiteout(new)=true -> flags |= RENAME_EXCHANGE > > PROCESS B: > unlink("upper/new"); > > PROCESS A: > lookup newdentry in new_upperdir > call vfs_rename() with negative newdentry and RENAME_EXCHANGE > > Fix by adding the missing check for negative newdentry. > > Signed-off-by: Zheng Liang <zhengliang6@xxxxxxxxxx> > Fixes: e9be9d5e76e3 ("overlay filesystem") > Cc: <stable@xxxxxxxxxxxxxxx> # v3.18 > Signed-off-by: Miklos Szeredi <mszeredi@xxxxxxxxxx> > Reference: CVE-2021-20321 > Signed-off-by: Masami Ichikawa(CIP) <masami.ichikawa@xxxxxxxxxxxxxxxx> > --- > fs/overlayfs/dir.c | 10 +++++++--- > 1 file changed, 7 insertions(+), 3 deletions(-) > > diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c > index eedacae889b9..80bf0ab52e81 100644 > --- a/fs/overlayfs/dir.c > +++ b/fs/overlayfs/dir.c > @@ -824,9 +824,13 @@ static int ovl_rename2(struct inode *olddir, struct dentry *old, > } > } else { > new_create = true; > - if (!d_is_negative(newdentry) && > - (!new_opaque || !ovl_is_whiteout(newdentry))) > - goto out_dput; > + if (!d_is_negative(newdentry)) { > + if (!new_opaque || !ovl_is_whiteout(newdentry)) > + goto out_dput; > + } else { > + if (flags & RENAME_EXCHANGE) > + goto out_dput; > + } > } > > if (olddentry == trap) > -- > 2.33.0 > Now queued up for 4.4.y, thanks! greg k-h
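Review bot: the new `else` branch in ovl_rename2(), which bails out when `newdentry` is negative and `flags & RENAME_EXCHANGE` is set, has no comment saying why that combination is invalid, and the reason is only recoverable from the commit message. Per that message, `RENAME_EXCHANGE` may have been OR-ed into `flags` by overlayfs itself because the target was a whiteout, and a concurrent unlink on the upper directory can remove that whiteout before the lookup. A one-line comment above the check, along the lines of "whiteout vanished from upper under us, cannot exchange with a negative dentry", would stop a later cleanup from folding the condition away. Two smaller points: the nested `} else { if (flags & RENAME_EXCHANGE)` could be written as `} else if (flags & RENAME_EXCHANGE)` to save a level of indentation, and since the hunk jumps to `out_dput` without setting an error, it is worth confirming in the 4.4.y context that `err` already holds the intended value at this point, as the visible lines do not show it.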