From: Trond Myklebust <trond.myklebust@hammerspace.com>
mainline inclusion
from mainline-v5.16
commit ac795161c93699d600db16c1a8cc23a65a1eceaf
category: bugfix
bugzilla: 186205
CVE: CVE-2022-24448
-----------------------------------------------
If the application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() will punt to doing a regular lookup. If the server then returns a regular file, we will happily return a file descriptor with uninitialised open state.
The fix is to return the expected ENOTDIR error in these cases.
Reported-by: Lyu Tao <tao.lyu@epfl.ch>
Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 fs/nfs/dir.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c index ff9129c0572d9..757a83556b003 100644 --- a/fs/nfs/dir.c +++ b/fs/nfs/dir.c @@ -1637,6 +1637,19 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry,
no_open: res = nfs_lookup(dir, dentry, lookup_flags); + if (!res) { + inode = d_inode(dentry); + if ((lookup_flags & LOOKUP_DIRECTORY) && inode && + !S_ISDIR(inode->i_mode)) + res = ERR_PTR(-ENOTDIR); + } else if (!IS_ERR(res)) { + inode = d_inode(res); + if ((lookup_flags & LOOKUP_DIRECTORY) && inode && + !S_ISDIR(inode->i_mode)) { + dput(res); + res = ERR_PTR(-ENOTDIR); + } + } if (switched) { d_lookup_done(dentry); if (!res)
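Review bot: the `(lookup_flags & LOOKUP_DIRECTORY) && inode && !S_ISDIR(inode->i_mode)` test is written out twice in the new block after `no_open:`, once for the `!res` case and once for the `!IS_ERR(res)` case, and the two branches differ only in which dentry supplies the inode and in whether `dput(res)` must be called before overwriting `res` with `ERR_PTR(-ENOTDIR)`; consider folding the test into a small static helper so the only remaining difference in the caller is the `dput(res)`, which makes it harder for a later change to fix one branch and forget the other. Also, `inode` is assigned in the hunk but not declared in it, so the change relies on an existing local of that name above the hunk; worth confirming that nothing after the `no_open:` label still depends on the value `inode` held before this assignment. The `dput(res)` on the error path is needed, since `nfs_lookup()` returning a non-NULL, non-error dentry hands the caller a reference that would otherwise leak when the lookup result is replaced by `ERR_PTR(-ENOTDIR)`; the `!res` branch correctly omits it because the caller's own dentry was used in place.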