From: Christian Brauner Date: Thu, 12 Jun 2025 13:25:21 +0000 (+0200) Subject: coredump: validate socket path in coredump_parse() X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6dfc06d328b70af22c577bb908c97f8841b9f4fc;p=thirdparty%2Fkernel%2Fstable.git coredump: validate socket path in coredump_parse() properly again. Someone might have modified the buffer concurrently. Link: https://lore.kernel.org/20250612-work-coredump-massage-v1-7-315c0c34ba94@kernel.org Signed-off-by: Christian Brauner --- diff --git a/fs/coredump.c b/fs/coredump.c index 8437bdc26d081..52efd1b342615 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -296,6 +296,17 @@ static bool coredump_parse(struct core_name *cn, struct coredump_params *cprm, return false; } + /* Must not contain ".." in the path. */ + if (name_contains_dotdot(cn->corename)) { + coredump_report_failure("Coredump socket may not %s contain '..' spaces", cn->corename); + return false; + } + + if (strlen(cn->corename) >= UNIX_PATH_MAX) { + coredump_report_failure("Coredump socket path %s too long", cn->corename); + return false; + } + /* * Currently no need to parse any other options. * Relevant information can be retrieved from the peer
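Review bot: the failure message in the name_contains_dotdot() branch is garbled: the %s sits in the middle of the sentence and a stray "spaces" trails it, so the log would read "Coredump socket may not <path> contain '..' spaces". Suggest "Coredump socket path %s may not contain '..'", which also matches the wording of the "Coredump socket path %s too long" message in the length check right below it. The commit body starts mid-sentence ("properly again."), reading as a continuation of the subject line. Since the stated reason is that the buffer may have been modified concurrently, a short comment above the two checks saying that cn->corename is being re-validated at parse time for that reason would help later readers, because the existing "Must not contain '..'" comment only restates the condition.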