sysfs: store sysfs inode nrs in s_ino to avoid readdir oopses (CVE-2007-3104)

Backport of
ftp://ftp.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.22-rc1/2.6.22-rc1-mm1/broken-out/gregkh-driver-sysfs-allocate-inode-number-using-ida.patch

For regular files in sysfs, sysfs_readdir wants to traverse
sysfs_dirent->s_dentry->d_inode->i_ino to get to the inode number.
But, the dentry can be reclaimed under memory pressure, and there is
no synchronization with readdir.  This patch follows Tejun's scheme of
allocating and storing an inode number in the new s_ino member of a
sysfs_dirent, when dirents are created, and retrieving it from there
for readdir, so that the pointer chain doesn't have to be traversed.

Tejun's upstream patch uses a new-ish "ida" allocator which brings
along some extra complexity; this -stable patch has a brain-dead
incrementing counter which does not guarantee uniqueness, but because
sysfs doesn't hash inodes as iunique expects, uniqueness wasn't
guaranteed today anyway.

Adrian Bunk:
Backported to 2.6.16.

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>

diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
index cfd290d3d6b1f1080a09d29ca3d86a240bf37e00..e07cafc7d7e2a89d382c607e1732c85a8009da63 100644 (file)
--- a/fs/sysfs/dir.c
+++ b/fs/sysfs/dir.c
@@ -29,6 +29,14 @@ static struct dentry_operations sysfs_dentry_ops = {
        .d_iput         = sysfs_d_iput,
 };
 
+static unsigned int sysfs_inode_counter;
+ino_t sysfs_get_inum(void)
+{
+       if (unlikely(sysfs_inode_counter < 3))
+               sysfs_inode_counter = 3;
+       return sysfs_inode_counter++;
+}
+
 /*
  * Allocates a new sysfs_dirent and links it to the parent sysfs_dirent
  */
@@ -42,6 +50,7 @@ static struct sysfs_dirent * sysfs_new_dirent(struct sysfs_dirent * parent_sd,
                return NULL;
 
        memset(sd, 0, sizeof(*sd));
+       sd->s_ino = sysfs_get_inum();
        atomic_set(&sd->s_count, 1);
        INIT_LIST_HEAD(&sd->s_children);
        list_add(&sd->s_sibling, &parent_sd->s_children);
@@ -385,7 +394,7 @@ static int sysfs_readdir(struct file * filp, void * dirent, filldir_t filldir)
 
        switch (i) {
                case 0:
-                       ino = dentry->d_inode->i_ino;
+                       ino = parent_sd->s_ino;
                        if (filldir(dirent, ".", 1, i, ino, DT_DIR) < 0)
                                break;
                        filp->f_pos++;
@@ -415,10 +424,7 @@ static int sysfs_readdir(struct file * filp, void * dirent, filldir_t filldir)
 
                                name = sysfs_get_name(next);
                                len = strlen(name);
-                               if (next->s_dentry)
-                                       ino = next->s_dentry->d_inode->i_ino;
-                               else
-                                       ino = iunique(sysfs_sb, 2);
+                               ino = next->s_ino;
 
                                if (filldir(dirent, name, len, filp->f_pos, ino,
                                                 dt_type(next)) < 0)

diff --git a/fs/sysfs/inode.c b/fs/sysfs/inode.c
index 6beee6f6a67463e77e72ea01c173ce54e6cf918c..e3f1c15b97d31bd644eedb9e8e52fc0d7f79eca1 100644 (file)
--- a/fs/sysfs/inode.c
+++ b/fs/sysfs/inode.c
@@ -119,6 +119,7 @@ struct inode * sysfs_new_inode(mode_t mode, struct sysfs_dirent * sd)
                inode->i_mapping->a_ops = &sysfs_aops;
                inode->i_mapping->backing_dev_info = &sysfs_backing_dev_info;
                inode->i_op = &sysfs_inode_operations;
+               inode->i_ino = sd->s_ino;
 
                if (sd->s_iattr) {
                        /* sysfs_dirent has non-default attributes

diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c
index f1117e885bd6e95c7402c50c6d9b52a6b69f0b43..c995fd3c4afad4e1c3d908757f74d67de2ae6ce7 100644 (file)
--- a/fs/sysfs/mount.c
+++ b/fs/sysfs/mount.c
@@ -29,6 +29,7 @@ static struct sysfs_dirent sysfs_root = {
        .s_element      = NULL,
        .s_type         = SYSFS_ROOT,
        .s_iattr        = NULL,
+       .s_ino          = 1,
 };
 
 static int sysfs_fill_super(struct super_block *sb, void *data, int silent)

diff --git a/include/linux/sysfs.h b/include/linux/sysfs.h
index 392da5a6dacb79530c7dc9c0445b6b7d0f0350bb..b34fa5b8c3296aec234c537c5a7d6470a9c9ec4f 100644 (file)
--- a/include/linux/sysfs.h
+++ b/include/linux/sysfs.h
@@ -72,6 +72,7 @@ struct sysfs_dirent {
        void                    * s_element;
        int                     s_type;
        umode_t                 s_mode;
+       ino_t                   s_ino;
        struct dentry           * s_dentry;
        struct iattr            * s_iattr;
 };