Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix ish-app/ish#2349 stop EACCES truncate with open #2352

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

fix ish-app/ish#2349 stop EACCES truncate with open #2352

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
cb756ea
fix ish-app/ish#2349 by performing a stat before opening the backend …
kuflierl Feb 24, 2024
6d873cd
lock inodes before stating file to eliminate TOCTOU errors
kuflierl Mar 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 19 additions & 14 deletions fs/generic.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,25 @@ struct fd *generic_openat(struct fd *at, const char *path_raw, int flags, int mo
if (err < 0)
return ERR_PTR(err);
struct mount *mount = find_mount_and_trim_path(path);

lock(&inodes_lock); // TODO: don't do this
// get file stats before opening file to facilitate permission checking before the backend opens the file
// opening a file with truncate and then closing it will cause the file contents to be cleared
// this might in theory cause a Time-of-Check to Time-of-Use privilage escalation by replacing the file with a symlink.
struct statbuf stat;
err = mount->fs->stat(mount, path, &stat);
if (err < 0) {
goto pre_fd_error;
}

int accmode;
if (flags & O_RDWR_) accmode = AC_R | AC_W;
else if (flags & O_WRONLY_) accmode = AC_W;
else accmode = AC_R;
err = access_check(&stat, accmode);
if (err < 0)
goto pre_fd_error;

struct fd *fd = mount->fs->open(mount, path, flags, mode);
if (IS_ERR(fd)) {
unlock(&inodes_lock);
Expand All @@ -53,25 +71,11 @@ struct fd *generic_openat(struct fd *at, const char *path_raw, int flags, int mo
}
fd->mount = mount;

struct statbuf stat;
err = fd->mount->fs->fstat(fd, &stat);
if (err < 0) {
unlock(&inodes_lock);
goto error;
}
fd->inode = inode_get_unlocked(mount, stat.inode);
unlock(&inodes_lock);
fd->type = stat.mode & S_IFMT;
fd->flags = flags;

int accmode;
if (flags & O_RDWR_) accmode = AC_R | AC_W;
else if (flags & O_WRONLY_) accmode = AC_W;
else accmode = AC_R;
err = access_check(&stat, accmode);
if (err < 0)
goto error;

assert(!S_ISLNK(fd->type)); // would mean path_normalize didn't do its job
if (S_ISBLK(fd->type) || S_ISCHR(fd->type)) {
int type;
Expand All @@ -96,6 +100,7 @@ struct fd *generic_openat(struct fd *at, const char *path_raw, int flags, int mo

error:
fd_close(fd);
pre_fd_error:
return ERR_PTR(err);
}

Expand Down
Loading