git.ipfire.org Git - thirdparty/linux.git/commit

author	Al Viro <viro@zeniv.linux.org.uk>
	Sat, 15 Feb 2025 04:37:58 +0000 (23:37 -0500)
committer	Al Viro <viro@zeniv.linux.org.uk>
	Tue, 17 Jun 2025 21:58:14 +0000 (17:58 -0400)
commit	0d2da2561bdeb459b6c540c2417a15c1f8732e6a
tree	ace92e44f378939e3cdcb75911e7de708a129d2e	tree
parent	28032ef879b6ab073bb8c85f2044edaf6b80c929	commit \| diff

ceph: fix a race with rename() in ceph_mdsc_build_path()

Lift copying the name into callers of ceph_encode_encrypted_dname()
that do not have it already copied; ceph_encode_encrypted_fname()
disappears.

That fixes a UAF in ceph_mdsc_build_path() - while the initial copy
of plaintext into buf is done under ->d_lock, we access the
original name again in ceph_encode_encrypted_fname() and that is
done without any locking. With ceph_encode_encrypted_dname() using
the stable copy the problem goes away.

Tested-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

fs/ceph/caps.c		diff \| blob \| blame \| history
fs/ceph/crypto.c		diff \| blob \| blame \| history
fs/ceph/crypto.h		diff \| blob \| blame \| history
fs/ceph/dir.c		diff \| blob \| blame \| history
fs/ceph/mds_client.c		diff \| blob \| blame \| history