ntfs: serialize volume label accesses

Protect vol->volume_label with a mutex and snaphost the label before
copy_to_user. This prevent a use-after-free when FS_IOC_SETFSLABEL
replaces the vol->volume_label and FS_IOC_GETTSLABEL reads it
concurrently.

Cc: stable@vger.kernel.org # v7.1
Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>

diff --git a/fs/ntfs/file.c b/fs/ntfs/file.c
index e8bea22b81a75564647b9a5306f3ea7c002094d9..264cf8404385c15bf9de8288f519f2cc629af904 100644 (file)
--- a/fs/ntfs/file.c
+++ b/fs/ntfs/file.c
@@ -707,12 +707,21 @@ static int ntfs_ioctl_get_volume_label(struct file *filp, unsigned long arg)
 {
        struct ntfs_volume *vol = NTFS_SB(file_inode(filp)->i_sb);
        char __user *buf = (char __user *)arg;
+       char label[FSLABEL_MAX];
+       ssize_t len;
 
+       mutex_lock(&vol->volume_label_lock);
        if (!vol->volume_label) {
-               if (copy_to_user(buf, "", 1))
-                       return -EFAULT;
-       } else if (copy_to_user(buf, vol->volume_label,
-                               MIN(FSLABEL_MAX, strlen(vol->volume_label) + 1)))
+               label[0] = '\0';
+               len = 0;
+       } else {
+               len = strscpy(label, vol->volume_label, sizeof(label));
+               if (len == -E2BIG)
+                       len = FSLABEL_MAX - 1;
+       }
+       mutex_unlock(&vol->volume_label_lock);
+
+       if (copy_to_user(buf, label, len + 1))
                return -EFAULT;
        return 0;
 }

diff --git a/fs/ntfs/super.c b/fs/ntfs/super.c
index 2a5ad7d56bc268251fa89ab03079b030fd02c3f9..045656fa44f8744c0945dcde06abfb3b839fd356 100644 (file)
--- a/fs/ntfs/super.c
+++ b/fs/ntfs/super.c
@@ -452,17 +452,23 @@ int ntfs_write_volume_label(struct ntfs_volume *vol, char *label)
        ret = ntfs_resident_attr_record_add(vol_ni, AT_VOLUME_NAME, AT_UNNAMED, 0,
                                            (u8 *)uname, uname_len * sizeof(__le16), 0);
 out:
-       mutex_unlock(&vol_ni->mrec_lock);
-       kvfree(uname);
-
        if (ret >= 0) {
-               kfree(vol->volume_label);
+               char *old_label;
+
+               mutex_lock(&vol->volume_label_lock);
+               old_label = vol->volume_label;
                vol->volume_label = new_label;
+               mutex_unlock(&vol->volume_label_lock);
+
+               kfree(old_label);
                mark_inode_dirty_sync(vol->vol_ino);
                ret = 0;
-       } else {
-               kfree(new_label);
        }
+       mutex_unlock(&vol_ni->mrec_lock);
+       kvfree(uname);
+
+       if (ret < 0)
+               kfree(new_label);
        return ret;
 }
 
@@ -2508,6 +2514,7 @@ static int ntfs_init_fs_context(struct fs_context *fc)
        NVolSetCaseSensitive(vol);
        init_rwsem(&vol->mftbmp_lock);
        init_rwsem(&vol->lcnbmp_lock);
+       mutex_init(&vol->volume_label_lock);
 
        fc->s_fs_info = vol;
        fc->ops = &ntfs_context_ops;

diff --git a/fs/ntfs/volume.h b/fs/ntfs/volume.h
index e13e1423b2a926f8193a6ad6b883f35adfced32b..3348394dbc0d3c3f129d96b6f3f27fa0472cf62c 100644 (file)
--- a/fs/ntfs/volume.h
+++ b/fs/ntfs/volume.h
@@ -72,6 +72,7 @@
  * @vol_flags: Volume flags.
  * @major_ver: Ntfs major version of volume.
  * @minor_ver: Ntfs minor version of volume.
+ * @volume_label_lock: protects @volume_label.
  * @volume_label: volume label.
  * @root_ino: The VFS inode of the root directory.
  * @secure_ino: The VFS inode of $Secure (NTFS3.0+ only, otherwise NULL).
@@ -131,6 +132,7 @@ struct ntfs_volume {
        struct inode *logfile_ino;
        struct inode *lcnbmp_ino;
        struct rw_semaphore lcnbmp_lock;
+       struct mutex volume_label_lock;
        struct inode *vol_ino;
        __le16 vol_flags;
        u8 major_ver;