From owner-dev-commits-src-all@freebsd.org Tue Mar 2 18:22:37 2021 Return-Path: Delivered-To: dev-commits-src-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id C76CE54B09B; Tue, 2 Mar 2021 18:22:37 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Dqlq12r1Tz4qKT; Tue, 2 Mar 2021 18:22:37 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 0FC991B637; Tue, 2 Mar 2021 18:22:37 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 122IMaL7091817; Tue, 2 Mar 2021 18:22:36 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 122IMaaK091816; Tue, 2 Mar 2021 18:22:36 GMT (envelope-from git) Date: Tue, 2 Mar 2021 18:22:36 GMT Message-Id: <202103021822.122IMaaK091816@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Konstantin Belousov Subject: git: 49c98a4bf3a8 - main - nameicap_check_dotdot: trim tracker on check MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kib X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 49c98a4bf3a87ace0df99056fa683805c1645e61 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-all@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commit messages for all branches of the src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Mar 2021 18:22:38 -0000 The branch main has been updated by kib: URL: https://cgit.FreeBSD.org/src/commit/?id=49c98a4bf3a87ace0df99056fa683805c1645e61 commit 49c98a4bf3a87ace0df99056fa683805c1645e61 Author: Konstantin Belousov AuthorDate: 2021-02-28 00:15:21 +0000 Commit: Konstantin Belousov CommitDate: 2021-03-02 18:21:35 +0000 nameicap_check_dotdot: trim tracker on check Tracker should contain exactly the path from the starting directory to the current lookup point. Otherwise we might not detect some cases of dotdot escape. Consequently, if we are walking up the tree by dotdot lookup, we must remove an entries below the walked directory. Reviewed by: markj Tested by: arichardson, pho Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D28907 --- sys/kern/vfs_lookup.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c index abc01c73e24c..b4280f85c5b6 100644 --- a/sys/kern/vfs_lookup.c +++ b/sys/kern/vfs_lookup.c @@ -240,8 +240,12 @@ nameicap_check_dotdot(struct nameidata *ndp, struct vnode *dp) return (ENOTCAPABLE); TAILQ_FOREACH_REVERSE(nt, &ndp->ni_cap_tracker, nameicap_tracker_head, nm_link) { - if (dp == nt->dp) + if (dp == nt->dp) { + nt = TAILQ_NEXT(nt, nm_link); + if (nt != NULL) + nameicap_cleanup_from(ndp, nt); return (0); + } } return (ENOTCAPABLE); }