diff options
| author | Jamie Liu <jamieliu@google.com> | 2019-04-25 16:03:32 -0700 |
|---|---|---|
| committer | Shentubot <shentubot@google.com> | 2019-04-25 16:05:13 -0700 |
| commit | 6b76c172b48ecb2c342882c0fe6474b2b973dad0 (patch) | |
| tree | 61295be888beb8cb9c024aad03b9debe44fc2e32 /pkg/sentry/fs/ramfs | |
| parent | 72197810405a462386ded05d3c7c60c320289223 (diff) | |
Don't enforce NAME_MAX in fs.Dirent.walk().
Maximum filename length is filesystem-dependent, and obtained via
statfs::f_namelen. This limit is usually 255 bytes (NAME_MAX), but not
always. For example, VFAT supports filenames of up to 255... UCS-2
characters, which Linux conservatively takes to mean UTF-8-encoded
bytes: fs/fat/inode.c:fat_statfs(), FAT_LFN_LEN * NLS_MAX_CHARSET_SIZE.
As a result, Linux's VFS does not enforce NAME_MAX:
$ rg --maxdepth=1 '\WNAME_MAX\W' fs/ include/linux/
fs/libfs.c
38: buf->f_namelen = NAME_MAX;
64: if (dentry->d_name.len > NAME_MAX)
include/linux/relay.h
74: char base_filename[NAME_MAX]; /* saved base filename */
include/linux/fscrypt.h
149: * filenames up to NAME_MAX bytes, since base64 encoding expands the length.
include/linux/exportfs.h
176: * understanding that it is already pointing to a a %NAME_MAX+1 sized
Remove this check from core VFS, and add it to ramfs (and by extension
tmpfs), where it is actually applicable:
mm/shmem.c:shmem_dir_inode_operations.lookup == simple_lookup *does*
enforce NAME_MAX.
PiperOrigin-RevId: 245324748
Change-Id: I17567c4324bfd60e31746a5270096e75db963fac
Diffstat (limited to 'pkg/sentry/fs/ramfs')
| -rw-r--r-- | pkg/sentry/fs/ramfs/dir.go | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/pkg/sentry/fs/ramfs/dir.go b/pkg/sentry/fs/ramfs/dir.go index 011cf3a16..159fd2981 100644 --- a/pkg/sentry/fs/ramfs/dir.go +++ b/pkg/sentry/fs/ramfs/dir.go @@ -192,6 +192,10 @@ func (d *Dir) removeChildLocked(ctx context.Context, name string) (*fs.Inode, er // Remove removes the named non-directory. func (d *Dir) Remove(ctx context.Context, _ *fs.Inode, name string) error { + if len(name) > linux.NAME_MAX { + return syserror.ENAMETOOLONG + } + d.mu.Lock() defer d.mu.Unlock() inode, err := d.removeChildLocked(ctx, name) @@ -206,6 +210,10 @@ func (d *Dir) Remove(ctx context.Context, _ *fs.Inode, name string) error { // RemoveDirectory removes the named directory. func (d *Dir) RemoveDirectory(ctx context.Context, _ *fs.Inode, name string) error { + if len(name) > linux.NAME_MAX { + return syserror.ENAMETOOLONG + } + d.mu.Lock() defer d.mu.Unlock() @@ -234,6 +242,10 @@ func (d *Dir) RemoveDirectory(ctx context.Context, _ *fs.Inode, name string) err // Lookup loads an inode at p into a Dirent. func (d *Dir) Lookup(ctx context.Context, _ *fs.Inode, p string) (*fs.Dirent, error) { + if len(p) > linux.NAME_MAX { + return nil, syserror.ENAMETOOLONG + } + d.mu.Lock() defer d.mu.Unlock() @@ -265,6 +277,10 @@ func (d *Dir) walkLocked(ctx context.Context, p string) (*fs.Inode, error) { // createInodeOperationsCommon creates a new child node at this dir by calling // makeInodeOperations. It is the common logic for creating a new child. func (d *Dir) createInodeOperationsCommon(ctx context.Context, name string, makeInodeOperations func() (*fs.Inode, error)) (*fs.Inode, error) { + if len(name) > linux.NAME_MAX { + return nil, syserror.ENAMETOOLONG + } + d.mu.Lock() defer d.mu.Unlock() @@ -314,6 +330,10 @@ func (d *Dir) CreateLink(ctx context.Context, dir *fs.Inode, oldname, newname st // CreateHardLink creates a new hard link. func (d *Dir) CreateHardLink(ctx context.Context, dir *fs.Inode, target *fs.Inode, name string) error { + if len(name) > linux.NAME_MAX { + return syserror.ENAMETOOLONG + } + d.mu.Lock() defer d.mu.Unlock() @@ -465,6 +485,9 @@ func Rename(ctx context.Context, oldParent fs.InodeOperations, oldName string, n if !ok { return syserror.EXDEV } + if len(newName) > linux.NAME_MAX { + return syserror.ENAMETOOLONG + } np.mu.Lock() defer np.mu.Unlock() |