fs: create and use seq_show_option for escaping
Kees Cook authored
Many file systems that implement the show_options hook fail to correctly
escape their output which could lead to unescaped characters (e.g.  new
lines) leaking into /proc/mounts and /proc/[pid]/mountinfo files.  This
could lead to confusion, spoofed entries (resulting in things like
systemd issuing false d-bus "mount" notifications), and who knows what
else.  This looks like it would only be the root user stepping on
themselves, but it's possible weird things could happen in containers or
in other situations with delegated mount privileges.

Here's an example using overlay with setuid fusermount trusting the
contents of /proc/mounts (via the /etc/mtab symlink).  Imagine the use
of "sudo" is something more sneaky:

  $ BASE="ovl"
  $ MNT="$BASE/mnt"
  $ LOW="$BASE/lower"
  $ UP="$BASE/upper"
  $ WORK="$BASE/work/ 0 0
  none /proc fuse.pwn user_id=1000"
  $ mkdir -p "$LOW" "$UP" "$WORK"
  $ sudo mount -t overlay -o "lowerdir=$LOW,upperdir=$UP,workdir=$WORK" no...
a068acf2
Name Last commit Last update
cluster ocfs2: use 64bit variables to track heartbeat time
dlm ocfs2: avoid access invalid address when read o2dlm debug messages
dlmfs VFS: normal filesystems (and lustre): d_inode() annotations
Kconfig ocfs2: Make OCFS2_FS depend on CONFIGFS_FS
Makefile ocfs2: remove versioning information
acl.c ocfs2: take inode lock in ocfs2_iop_set/get_acl()
acl.h ocfs2: use generic posix ACL infrastructure
alloc.c ocfs2: clean up redundant NULL checks before kfree
alloc.h ocfs2: reflink: fix slow unlink for refcounted file
aops.c ocfs2: neaten do_error, ocfs2_error and ocfs2_abort
aops.h ocfs2: remove OCFS2_IOCB_SEM lock type in direct io
blockcheck.c ocfs2: kill endianness abuses in blockcheck.c
blockcheck.h ocfs2: Add statistics for the checksum and ecc operations.
buffer_head_io.c ocfs2: clear the rest of the buffers on error
buffer_head_io.h ocfs2: Take the inode out of the metadata read/write paths.
dcache.c VFS: normal filesystems (and lustre): d_inode() annotations
dcache.h ocfs2: revert iput deferring code in ocfs2_drop_dentry_lock
dir.c ocfs2: neaten do_error, ocfs2_error and ocfs2_abort
dir.h VFS: normal filesystems (and lustre): d_inode() annotations
dlmglue.c ocfs2: remove unneeded code in ocfs2_dlm_init
dlmglue.h ocfs2: avoid blocking in ocfs2_mark_lockres_freeing() in downconvert thread
export.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
export.h exportfs: make struct export_operations const
extent_map.c ocfs2: neaten do_error, ocfs2_error and ocfs2_abort
extent_map.h ocfs2: Implement llseek()
file.c
file.h
heartbeat.c
heartbeat.h
inode.c
inode.h
ioctl.c
ioctl.h
journal.c
journal.h
localalloc.c
localalloc.h
locks.c
locks.h
mmap.c
mmap.h
move_extents.c
move_extents.h
namei.c
namei.h
ocfs1_fs_compat.h
ocfs2.h
ocfs2_fs.h
ocfs2_ioctl.h
ocfs2_lockid.h
ocfs2_lockingver.h
ocfs2_trace.h
quota.h
quota_global.c
quota_local.c
refcounttree.c
refcounttree.h
reservations.c
reservations.h
resize.c
resize.h
slot_map.c
slot_map.h
stack_o2cb.c
stack_user.c
stackglue.c
stackglue.h
suballoc.c
suballoc.h
super.c
super.h
symlink.c
symlink.h
sysfile.c
sysfile.h
uptodate.c
uptodate.h
xattr.c
xattr.h