--- /dev/null
+From fb2162df74bb19552db3d988fd11c787cf5fad56 Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Fri, 23 Apr 2010 13:17:41 -0400
+Subject: reiserfs: fix corruption during shrinking of xattrs
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+commit fb2162df74bb19552db3d988fd11c787cf5fad56 upstream.
+
+Commit 48b32a3553a54740d236b79a90f20147a25875e3 ("reiserfs: use generic
+xattr handlers") introduced a problem that causes corruption when extended
+attributes are replaced with a smaller value.
+
+The issue is that the reiserfs_setattr to shrink the xattr file was moved
+from before the write to after the write.
+
+The root issue has always been in the reiserfs xattr code, but was papered
+over by the fact that in the shrink case, the file would just be expanded
+again while the xattr was written.
+
+The end result is that the last 8 bytes of xattr data are lost.
+
+This patch fixes it to use new_size.
+
+Addresses https://bugzilla.kernel.org/show_bug.cgi?id=14826
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Reported-by: Christian Kujau <lists@nerdbynature.de>
+Tested-by: Christian Kujau <lists@nerdbynature.de>
+Cc: Edward Shishkin <edward.shishkin@gmail.com>
+Cc: Jethro Beekman <kernel@jbeekman.nl>
+Cc: Greg Surbey <gregsurbey@hotmail.com>
+Cc: Marco Gatti <marco.gatti@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/reiserfs/xattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/reiserfs/xattr.c
++++ b/fs/reiserfs/xattr.c
+@@ -536,7 +536,7 @@ reiserfs_xattr_set_handle(struct reiserf
+ if (!err && new_size < i_size_read(dentry->d_inode)) {
+ struct iattr newattrs = {
+ .ia_ctime = current_fs_time(inode->i_sb),
+- .ia_size = buffer_size,
++ .ia_size = new_size,
+ .ia_valid = ATTR_SIZE | ATTR_CTIME,
+ };
+ mutex_lock_nested(&dentry->d_inode->i_mutex, I_MUTEX_XATTR);
--- /dev/null
+From cac36f707119b792b2396aed371d6b5cdc194890 Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Fri, 23 Apr 2010 13:17:37 -0400
+Subject: reiserfs: fix permissions on .reiserfs_priv
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+commit cac36f707119b792b2396aed371d6b5cdc194890 upstream.
+
+Commit 677c9b2e393a0cd203bd54e9c18b012b2c73305a ("reiserfs: remove
+privroot hiding in lookup") removed the magic from the lookup code to hide
+the .reiserfs_priv directory since it was getting loaded at mount-time
+instead. The intent was that the entry would be hidden from the user via
+a poisoned d_compare, but this was faulty.
+
+This introduced a security issue where unprivileged users could access and
+modify extended attributes or ACLs belonging to other users, including
+root.
+
+This patch resolves the issue by properly hiding .reiserfs_priv. This was
+the intent of the xattr poisoning code, but it appears to have never
+worked as expected. This is fixed by using d_revalidate instead of
+d_compare.
+
+This patch makes -oexpose_privroot a no-op. I'm fine leaving it this way.
+The effort involved in working out the corner cases wrt permissions and
+caching outweigh the benefit of the feature.
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Acked-by: Edward Shishkin <edward.shishkin@gmail.com>
+Reported-by: Matt McCutchen <matt@mattmccutchen.net>
+Tested-by: Matt McCutchen <matt@mattmccutchen.net>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/reiserfs/dir.c | 2 --
+ fs/reiserfs/xattr.c | 17 ++++-------------
+ 2 files changed, 4 insertions(+), 15 deletions(-)
+
+--- a/fs/reiserfs/dir.c
++++ b/fs/reiserfs/dir.c
+@@ -45,8 +45,6 @@ static inline bool is_privroot_deh(struc
+ struct reiserfs_de_head *deh)
+ {
+ struct dentry *privroot = REISERFS_SB(dir->d_sb)->priv_root;
+- if (reiserfs_expose_privroot(dir->d_sb))
+- return 0;
+ return (dir == dir->d_parent && privroot->d_inode &&
+ deh->deh_objectid == INODE_PKEY(privroot->d_inode)->k_objectid);
+ }
+--- a/fs/reiserfs/xattr.c
++++ b/fs/reiserfs/xattr.c
+@@ -952,21 +952,13 @@ int reiserfs_permission(struct inode *in
+ return generic_permission(inode, mask, NULL);
+ }
+
+-/* This will catch lookups from the fs root to .reiserfs_priv */
+-static int
+-xattr_lookup_poison(struct dentry *dentry, struct qstr *q1, struct qstr *name)
++static int xattr_hide_revalidate(struct dentry *dentry, struct nameidata *nd)
+ {
+- struct dentry *priv_root = REISERFS_SB(dentry->d_sb)->priv_root;
+- if (container_of(q1, struct dentry, d_name) == priv_root)
+- return -ENOENT;
+- if (q1->len == name->len &&
+- !memcmp(q1->name, name->name, name->len))
+- return 0;
+- return 1;
++ return -EPERM;
+ }
+
+ static const struct dentry_operations xattr_lookup_poison_ops = {
+- .d_compare = xattr_lookup_poison,
++ .d_revalidate = xattr_hide_revalidate,
+ };
+
+ int reiserfs_lookup_privroot(struct super_block *s)
+@@ -980,8 +972,7 @@ int reiserfs_lookup_privroot(struct supe
+ strlen(PRIVROOT_NAME));
+ if (!IS_ERR(dentry)) {
+ REISERFS_SB(s)->priv_root = dentry;
+- if (!reiserfs_expose_privroot(s))
+- s->s_root->d_op = &xattr_lookup_poison_ops;
++ dentry->d_op = &xattr_lookup_poison_ops;
+ if (dentry->d_inode)
+ dentry->d_inode->i_flags |= S_PRIVATE;
+ } else
projects / thirdparty / kernel / stable-queue.git / commitdiff
