ovl: check permission to open real file

BugLink: https://bugs.launchpad.net/bugs/1894980 Call inode_permission() on real inode before opening regular file on one of the underlying layers. In some cases ovl_permission() already checks access to an underlying file, but it misses the metacopy case, and possibly other ones as well. Removing the redundant permission check from ovl_permission() should be considered later. Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> (backported from commit 05acefb) [ saf: resolve conflicts with code added to support mounts over shiftfs ] CVE-2020-16120 Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Marcelo Cerri <marcelo.cerri@canonical.com> Acked-by: Juerg Haefliger <juerg.haefliger@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
mariux64 · Oct 9, 2020 · 044d4e2 · 044d4e2
1 parent 0e75dbd
commit 044d4e2
Showing 1 changed file with 15 additions and 3 deletions.
diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
@@ -41,11 +41,23 @@ static struct file *ovl_open_realfile(const struct file *file,
 	struct file *realfile;
 	const struct cred *old_cred;
 	int flags = file->f_flags | O_NOATIME | FMODE_NONOTIFY;
+	int acc_mode = ACC_MODE(flags);
+	int err;
+
+	if (flags & O_APPEND)
+		acc_mode |= MAY_APPEND;
 
 	old_cred = ovl_override_creds(inode->i_sb);
-	ovl_path_real(file->f_path.dentry, &realpath);
-	realfile = open_with_fake_path(&realpath, flags, realinode,
-				       current_cred());
+	err = inode_permission(realinode, MAY_OPEN | acc_mode);
+	if (err) {
+		realfile = ERR_PTR(err);
+	} else if (!inode_owner_or_capable(realinode)) {
+		realfile = ERR_PTR(-EPERM);
+	} else {
+		ovl_path_real(file->f_path.dentry, &realpath);
+		realfile = open_with_fake_path(&realpath, flags, realinode,
+					       current_cred());
+	}
 	revert_creds(old_cred);
 
 	pr_debug("open(%p[%pD2/%c], 0%o) -> (%p, 0%o)\n",