Date: Tue, 2 Mar 2021 18:22:36 GMT From: Konstantin Belousov <kib@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 49c98a4bf3a8 - main - nameicap_check_dotdot: trim tracker on check Message-ID: <202103021822.122IMaaK091816@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by kib: URL: https://cgit.FreeBSD.org/src/commit/?id=49c98a4bf3a87ace0df99056fa683805c1645e61 commit 49c98a4bf3a87ace0df99056fa683805c1645e61 Author: Konstantin Belousov <kib@FreeBSD.org> AuthorDate: 2021-02-28 00:15:21 +0000 Commit: Konstantin Belousov <kib@FreeBSD.org> CommitDate: 2021-03-02 18:21:35 +0000 nameicap_check_dotdot: trim tracker on check Tracker should contain exactly the path from the starting directory to the current lookup point. Otherwise we might not detect some cases of dotdot escape. Consequently, if we are walking up the tree by dotdot lookup, we must remove an entries below the walked directory. Reviewed by: markj Tested by: arichardson, pho Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D28907 --- sys/kern/vfs_lookup.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c index abc01c73e24c..b4280f85c5b6 100644 --- a/sys/kern/vfs_lookup.c +++ b/sys/kern/vfs_lookup.c @@ -240,8 +240,12 @@ nameicap_check_dotdot(struct nameidata *ndp, struct vnode *dp) return (ENOTCAPABLE); TAILQ_FOREACH_REVERSE(nt, &ndp->ni_cap_tracker, nameicap_tracker_head, nm_link) { - if (dp == nt->dp) + if (dp == nt->dp) { + nt = TAILQ_NEXT(nt, nm_link); + if (nt != NULL) + nameicap_cleanup_from(ndp, nt); return (0); + } } return (ENOTCAPABLE); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202103021822.122IMaaK091816>