From c884ff1e458df0e5d801f19b4e847a4673d7471b Mon Sep 17 00:00:00 2001 From: Ondrej Mosnacek Date: Wed, 3 Jun 2026 11:48:02 +0200 Subject: [PATCH] ovl: Fix nested backing file paths MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit JIRA: https://issues.redhat.com/browse/RHEL-179443 CVE: CVE-2026-46054 commit 924577e4f6ca473de1528953a0e13505fae61d7b Author: André Almeida Date: Tue Apr 29 15:38:50 2025 -0300 ovl: Fix nested backing file paths When the lowerdir of an overlayfs is a merged directory of another overlayfs, ovl_open_realfile() will fail to open the real file and point to a lower dentry copy, without the proper parent path. After this, d_path() will then display the path incorrectly as if the file is placed in the root directory. This bug can be triggered with the following setup: mkdir -p ovl-A/lower ovl-A/upper ovl-A/merge ovl-A/work mkdir -p ovl-B/upper ovl-B/merge ovl-B/work cp /bin/cat ovl-A/lower/ mount -t overlay overlay -o \ lowerdir=ovl-A/lower,upperdir=ovl-A/upper,workdir=ovl-A/work \ ovl-A/merge mount -t overlay overlay -o \ lowerdir=ovl-A/merge,upperdir=ovl-B/upper,workdir=ovl-B/work \ ovl-B/merge ovl-A/merge/cat /proc/self/maps | grep --color cat ovl-B/merge/cat /proc/self/maps | grep --color cat The first cat will correctly show `/ovl-A/merge/cat`, while the second one shows just `/cat`. To fix that, uses file_user_path() inside of backing_file_open() to get the correct file path for the dentry. Co-developed-by: John Schoenick Signed-off-by: John Schoenick Signed-off-by: André Almeida Fixes: def3ae83da02 ("fs: store real path instead of fake path in backing file f_path") Cc: # v6.7 Signed-off-by: Miklos Szeredi Signed-off-by: Ondrej Mosnacek
diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index d85385f37ba6..3bf52eace698 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -51,8 +51,8 @@ static struct file *ovl_open_realfile(const struct file *file,
 if (!inode_owner_or_capable(real_idmap, realinode))
 flags &= ~O_NOATIME;
- realfile = backing_file_open(&file->f_path, flags, realpath,
- current_cred());
+ realfile = backing_file_open(file_user_path((struct file *) file),
+ flags, realpath, current_cred());
 }
 revert_creds(old_cred);
--
2.50.1 (Apple Git-155)
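Review bot: The cast `(struct file *) file` in the new `backing_file_open()` call silently drops the `const` that `ovl_open_realfile()` declares on its `file` parameter, and nothing at the call site says why that is safe or why the user path is passed instead of `&file->f_path`. The cast is presumably needed because `file_user_path()` takes a non-const pointer; if that helper only reads the file, constifying it would be cleaner than casting here. Short of that, a comment above the call would help, e.g. `/* file may itself be a backing file (nested overlay); pass its user-visible path so d_path() reports the full path */`. Since the path stored here is what `d_path()` and `/proc/self/maps` report, a regression test built from the nested-mount setup in the commit message would keep this from regressing. The body of `ovl_open_realfile()` starts and ends outside this hunk.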