From patchwork Wed Sep 1 16:27:18 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 505529 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-24.4 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, MENTIONS_GIT_HOSTING, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 170D2C00143 for ; Wed, 1 Sep 2021 16:28:16 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 03BC061056 for ; Wed, 1 Sep 2021 16:28:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245324AbhIAQ3M (ORCPT ); Wed, 1 Sep 2021 12:29:12 -0400 Received: from mail.kernel.org ([198.145.29.99]:45284 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245492AbhIAQ3K (ORCPT ); Wed, 1 Sep 2021 12:29:10 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id D0B1661057; Wed, 1 Sep 2021 16:28:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1630513693; bh=1l5jEvHdot4G9C2tgAfcwtuZl8hOHmoTUws9yq/Bn7I=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IaDptvZV0u/apCRlTykTttpc5/i6+h5H96Hvr09MAvh2js9UqxI+meRB6Vamg+cTT YjDHSS6b1vMYQ7suu/91RHiJ6PhTufUJwkiWNAo0hfbkbhKG7ZOIpbfykgBuV/aR/8 beVHoedGMENhjokhEzEj4VLFXvpmtOi29NG4iAMCGP0VYIQgL6K7t3kpJUve7MtvQX F+/KNJpoQqXg+G7o5jOyiI75nxWs3VDHHJSffPQkjsvAzgi3uPfBrmJvOfMVEB7FOe S4k8HhDzlcumZLGxo5MHCEhEHYaQtEYxKIsof7ZzINKl29/o1i9F4IkFp57m286vt2 80p8ewRp781BQ== From: Eric Biggers To: stable@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org Subject: [PATCH 5.10 1/4] fscrypt: add fscrypt_symlink_getattr() for computing st_size Date: Wed, 1 Sep 2021 09:27:18 -0700 Message-Id: <20210901162721.138605-2-ebiggers@kernel.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210901162721.138605-1-ebiggers@kernel.org> References: <20210901162721.138605-1-ebiggers@kernel.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Eric Biggers commit d18760560593e5af921f51a8c9b64b6109d634c2 upstream. Add a helper function fscrypt_symlink_getattr() which will be called from the various filesystems' ->getattr() methods to read and decrypt the target of encrypted symlinks in order to report the correct st_size. Detailed explanation: As required by POSIX and as documented in various man pages, st_size for a symlink is supposed to be the length of the symlink target. Unfortunately, st_size has always been wrong for encrypted symlinks because st_size is populated from i_size from disk, which intentionally contains the length of the encrypted symlink target. That's slightly greater than the length of the decrypted symlink target (which is the symlink target that userspace usually sees), and usually won't match the length of the no-key encoded symlink target either. This hadn't been fixed yet because reporting the correct st_size would require reading the symlink target from disk and decrypting or encoding it, which historically has been considered too heavyweight to do in ->getattr(). Also historically, the wrong st_size had only broken a test (LTP lstat03) and there were no known complaints from real users. (This is probably because the st_size of symlinks isn't used too often, and when it is, typically it's for a hint for what buffer size to pass to readlink() -- which a slightly-too-large size still works for.) However, a couple things have changed now. First, there have recently been complaints about the current behavior from real users: - Breakage in rpmbuild: https://github.com/rpm-software-management/rpm/issues/1682 https://github.com/google/fscrypt/issues/305 - Breakage in toybox cpio: https://www.mail-archive.com/toybox@lists.landley.net/msg07193.html - Breakage in libgit2: https://issuetracker.google.com/issues/189629152 (on Android public issue tracker, requires login) Second, we now cache decrypted symlink targets in ->i_link. Therefore, taking the performance hit of reading and decrypting the symlink target in ->getattr() wouldn't be as big a deal as it used to be, since usually it will just save having to do the same thing later. Also note that eCryptfs ended up having to read and decrypt symlink targets in ->getattr() as well, to fix this same issue; see commit 3a60a1686f0d ("eCryptfs: Decrypt symlink target for stat size"). So, let's just bite the bullet, and read and decrypt the symlink target in ->getattr() in order to report the correct st_size. Add a function fscrypt_symlink_getattr() which the filesystems will call to do this. (Alternatively, we could store the decrypted size of symlinks on-disk. But there isn't a great place to do so, and encryption is meant to hide the original size to some extent; that property would be lost.) Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210702065350.209646-2-ebiggers@kernel.org Signed-off-by: Eric Biggers --- fs/crypto/hooks.c | 44 +++++++++++++++++++++++++++++++++++++++++ include/linux/fscrypt.h | 7 +++++++ 2 files changed, 51 insertions(+) diff --git a/fs/crypto/hooks.c b/fs/crypto/hooks.c index 061418be4b086..4180371bf8642 100644 --- a/fs/crypto/hooks.c +++ b/fs/crypto/hooks.c @@ -379,3 +379,47 @@ const char *fscrypt_get_symlink(struct inode *inode, const void *caddr, return ERR_PTR(err); } EXPORT_SYMBOL_GPL(fscrypt_get_symlink); + +/** + * fscrypt_symlink_getattr() - set the correct st_size for encrypted symlinks + * @path: the path for the encrypted symlink being queried + * @stat: the struct being filled with the symlink's attributes + * + * Override st_size of encrypted symlinks to be the length of the decrypted + * symlink target (or the no-key encoded symlink target, if the key is + * unavailable) rather than the length of the encrypted symlink target. This is + * necessary for st_size to match the symlink target that userspace actually + * sees. POSIX requires this, and some userspace programs depend on it. + * + * This requires reading the symlink target from disk if needed, setting up the + * inode's encryption key if possible, and then decrypting or encoding the + * symlink target. This makes lstat() more heavyweight than is normally the + * case. However, decrypted symlink targets will be cached in ->i_link, so + * usually the symlink won't have to be read and decrypted again later if/when + * it is actually followed, readlink() is called, or lstat() is called again. + * + * Return: 0 on success, -errno on failure + */ +int fscrypt_symlink_getattr(const struct path *path, struct kstat *stat) +{ + struct dentry *dentry = path->dentry; + struct inode *inode = d_inode(dentry); + const char *link; + DEFINE_DELAYED_CALL(done); + + /* + * To get the symlink target that userspace will see (whether it's the + * decrypted target or the no-key encoded target), we can just get it in + * the same way the VFS does during path resolution and readlink(). + */ + link = READ_ONCE(inode->i_link); + if (!link) { + link = inode->i_op->get_link(dentry, inode, &done); + if (IS_ERR(link)) + return PTR_ERR(link); + } + stat->size = strlen(link); + do_delayed_call(&done); + return 0; +} +EXPORT_SYMBOL_GPL(fscrypt_symlink_getattr); diff --git a/include/linux/fscrypt.h b/include/linux/fscrypt.h index 8e1d31c959bfa..d0a1b8edfd9db 100644 --- a/include/linux/fscrypt.h +++ b/include/linux/fscrypt.h @@ -252,6 +252,7 @@ int __fscrypt_encrypt_symlink(struct inode *inode, const char *target, const char *fscrypt_get_symlink(struct inode *inode, const void *caddr, unsigned int max_size, struct delayed_call *done); +int fscrypt_symlink_getattr(const struct path *path, struct kstat *stat); static inline void fscrypt_set_ops(struct super_block *sb, const struct fscrypt_operations *s_cop) { @@ -575,6 +576,12 @@ static inline const char *fscrypt_get_symlink(struct inode *inode, return ERR_PTR(-EOPNOTSUPP); } +static inline int fscrypt_symlink_getattr(const struct path *path, + struct kstat *stat) +{ + return -EOPNOTSUPP; +} + static inline void fscrypt_set_ops(struct super_block *sb, const struct fscrypt_operations *s_cop) { From patchwork Wed Sep 1 16:27:19 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 505527 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-19.4 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1A723C4320A for ; Wed, 1 Sep 2021 16:29:09 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id F07FD61057 for ; Wed, 1 Sep 2021 16:29:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245215AbhIAQaF (ORCPT ); Wed, 1 Sep 2021 12:30:05 -0400 Received: from mail.kernel.org ([198.145.29.99]:45286 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245504AbhIAQ3L (ORCPT ); Wed, 1 Sep 2021 12:29:11 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 079C761056; Wed, 1 Sep 2021 16:28:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1630513694; bh=33RC3YogqXCC1E17dtW915hQmiG+ogGdN4NtjjBgfzA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=nyxQjtLrs90M6GAWph90hPlvdMFzKjH2KAoFIwP1D1AkzcHjsfaeH2KVIN3a/G6MT xgCSYFRZQ886bKtiJFyL2XACl1ZJd/wTg4boEuzxBIpBrcylVwlnwWVYlOf/lgxn6M 1f/d36rVX9dd6LsPzeqm+dpbmjobDUf9oZRKtqNrQWcxAg5OejsyYMemVEdx3zsUzu vdJTmaa5JdQkfNnHk8gikDvxKyr2osbzTPlStvfae7tXtFvSHntMQKtFN5IZqtTh4J yhr4A5uupXYmPBxEj2s4O33RlAXPdJbzzJY6FgrVDgkiB6atixbf7IAmt59tCOYRsF xBp6PDYJIRakg== From: Eric Biggers To: stable@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org Subject: [PATCH 5.10 2/4] ext4: report correct st_size for encrypted symlinks Date: Wed, 1 Sep 2021 09:27:19 -0700 Message-Id: <20210901162721.138605-3-ebiggers@kernel.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210901162721.138605-1-ebiggers@kernel.org> References: <20210901162721.138605-1-ebiggers@kernel.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Eric Biggers commit 8c4bca10ceafc43b1ca0a9fab5fa27e13cbce99e upstream. The stat() family of syscalls report the wrong size for encrypted symlinks, which has caused breakage in several userspace programs. Fix this by calling fscrypt_symlink_getattr() after ext4_getattr() for encrypted symlinks. This function computes the correct size by reading and decrypting the symlink target (if it's not already cached). For more details, see the commit which added fscrypt_symlink_getattr(). Fixes: f348c252320b ("ext4 crypto: add symlink encryption") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210702065350.209646-3-ebiggers@kernel.org Signed-off-by: Eric Biggers --- fs/ext4/symlink.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/fs/ext4/symlink.c b/fs/ext4/symlink.c index dd05af983092d..a9457fed351ed 100644 --- a/fs/ext4/symlink.c +++ b/fs/ext4/symlink.c @@ -52,10 +52,19 @@ static const char *ext4_encrypted_get_link(struct dentry *dentry, return paddr; } +static int ext4_encrypted_symlink_getattr(const struct path *path, + struct kstat *stat, u32 request_mask, + unsigned int query_flags) +{ + ext4_getattr(path, stat, request_mask, query_flags); + + return fscrypt_symlink_getattr(path, stat); +} + const struct inode_operations ext4_encrypted_symlink_inode_operations = { .get_link = ext4_encrypted_get_link, .setattr = ext4_setattr, - .getattr = ext4_getattr, + .getattr = ext4_encrypted_symlink_getattr, .listxattr = ext4_listxattr, }; From patchwork Wed Sep 1 16:27:21 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 505528 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-19.4 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9EC62C19F3A for ; Wed, 1 Sep 2021 16:28:16 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 85ECB61059 for ; Wed, 1 Sep 2021 16:28:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245298AbhIAQ3M (ORCPT ); Wed, 1 Sep 2021 12:29:12 -0400 Received: from mail.kernel.org ([198.145.29.99]:45286 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245531AbhIAQ3L (ORCPT ); Wed, 1 Sep 2021 12:29:11 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 6297A61059; Wed, 1 Sep 2021 16:28:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1630513694; bh=ufeFbhxKyUYKrRSmcthT4Y2VdtA2h/ddAx00Dkj2THQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IHNqRcE6RuyEMJdPr3gAfHaqAsveuXooYEeExP1YG+vnZ80Qp+zJa3yZRR44ZfrDP WnhSbg+DRNt5rXbtZTHzyzw74uQZwsOwpIPugBMzfKSQTcJ6awFPgNAARD1V0f26Vt aHXeHvZrHCDWyRnH0Z6iG13cn5W3k9QOSz4Q5Z+XFJdiAPdMhC3qW7KuBsgQytm6JA MNqXOqnceGeeCIAzB4LPCD9RWWINkR9YIt/GSF9OBbbWPjfglIJvEFbaLqfbjUJWN0 leqnQdXHqMFGPzvq2E7yg26c0bYm2cjVeXgSg6m89IAK0QBuPQs/TyjO2KBjGrSfnJ pu/VDLSmrQbfw== From: Eric Biggers To: stable@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org Subject: [PATCH 5.10 4/4] ubifs: report correct st_size for encrypted symlinks Date: Wed, 1 Sep 2021 09:27:21 -0700 Message-Id: <20210901162721.138605-5-ebiggers@kernel.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210901162721.138605-1-ebiggers@kernel.org> References: <20210901162721.138605-1-ebiggers@kernel.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Eric Biggers commit 064c734986011390b4d111f1a99372b7f26c3850 upstream. The stat() family of syscalls report the wrong size for encrypted symlinks, which has caused breakage in several userspace programs. Fix this by calling fscrypt_symlink_getattr() after ubifs_getattr() for encrypted symlinks. This function computes the correct size by reading and decrypting the symlink target (if it's not already cached). For more details, see the commit which added fscrypt_symlink_getattr(). Fixes: ca7f85be8d6c ("ubifs: Add support for encrypted symlinks") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210702065350.209646-5-ebiggers@kernel.org Signed-off-by: Eric Biggers --- fs/ubifs/file.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/fs/ubifs/file.c b/fs/ubifs/file.c index b77d1637bbbc8..f4826b6da6828 100644 --- a/fs/ubifs/file.c +++ b/fs/ubifs/file.c @@ -1629,6 +1629,16 @@ static const char *ubifs_get_link(struct dentry *dentry, return fscrypt_get_symlink(inode, ui->data, ui->data_len, done); } +static int ubifs_symlink_getattr(const struct path *path, struct kstat *stat, + u32 request_mask, unsigned int query_flags) +{ + ubifs_getattr(path, stat, request_mask, query_flags); + + if (IS_ENCRYPTED(d_inode(path->dentry))) + return fscrypt_symlink_getattr(path, stat); + return 0; +} + const struct address_space_operations ubifs_file_address_operations = { .readpage = ubifs_readpage, .writepage = ubifs_writepage, @@ -1654,7 +1664,7 @@ const struct inode_operations ubifs_file_inode_operations = { const struct inode_operations ubifs_symlink_inode_operations = { .get_link = ubifs_get_link, .setattr = ubifs_setattr, - .getattr = ubifs_getattr, + .getattr = ubifs_symlink_getattr, #ifdef CONFIG_UBIFS_FS_XATTR .listxattr = ubifs_listxattr, #endif