Skip to content

Commit 19e1dbd

Browse files
author
Al Viro
committed
fuse_dentry_revalidate(): use stable parent inode and name passed by caller
No need to mess with dget_parent() for the former; for the latter we really should not rely upon ->d_name.name remaining stable - it's a real-life UAF. Reviewed-by: Jeff Layton <[email protected]> Acked-by: Miklos Szeredi <[email protected]> Signed-off-by: Al Viro <[email protected]>
1 parent 4643611 commit 19e1dbd

File tree

1 file changed

+7
-10
lines changed

1 file changed

+7
-10
lines changed

fs/fuse/dir.c

Lines changed: 7 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -175,9 +175,11 @@ static void fuse_lookup_init(struct fuse_conn *fc, struct fuse_args *args,
175175
memset(outarg, 0, sizeof(struct fuse_entry_out));
176176
args->opcode = FUSE_LOOKUP;
177177
args->nodeid = nodeid;
178-
args->in_numargs = 1;
179-
args->in_args[0].size = name->len + 1;
178+
args->in_numargs = 2;
179+
args->in_args[0].size = name->len;
180180
args->in_args[0].value = name->name;
181+
args->in_args[1].size = 1;
182+
args->in_args[1].value = "";
181183
args->out_numargs = 1;
182184
args->out_args[0].size = sizeof(struct fuse_entry_out);
183185
args->out_args[0].value = outarg;
@@ -196,7 +198,6 @@ static int fuse_dentry_revalidate(struct inode *dir, const struct qstr *name,
196198
struct dentry *entry, unsigned int flags)
197199
{
198200
struct inode *inode;
199-
struct dentry *parent;
200201
struct fuse_mount *fm;
201202
struct fuse_inode *fi;
202203
int ret;
@@ -228,11 +229,9 @@ static int fuse_dentry_revalidate(struct inode *dir, const struct qstr *name,
228229

229230
attr_version = fuse_get_attr_version(fm->fc);
230231

231-
parent = dget_parent(entry);
232-
fuse_lookup_init(fm->fc, &args, get_node_id(d_inode(parent)),
233-
&entry->d_name, &outarg);
232+
fuse_lookup_init(fm->fc, &args, get_node_id(dir),
233+
name, &outarg);
234234
ret = fuse_simple_request(fm, &args);
235-
dput(parent);
236235
/* Zero nodeid is same as -ENOENT */
237236
if (!ret && !outarg.nodeid)
238237
ret = -ENOENT;
@@ -266,9 +265,7 @@ static int fuse_dentry_revalidate(struct inode *dir, const struct qstr *name,
266265
if (test_bit(FUSE_I_INIT_RDPLUS, &fi->state))
267266
return -ECHILD;
268267
} else if (test_and_clear_bit(FUSE_I_INIT_RDPLUS, &fi->state)) {
269-
parent = dget_parent(entry);
270-
fuse_advise_use_readdirplus(d_inode(parent));
271-
dput(parent);
268+
fuse_advise_use_readdirplus(dir);
272269
}
273270
}
274271
ret = 1;

0 commit comments

Comments
 (0)