From c884ff1e458df0e5d801f19b4e847a4673d7471b Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 3 Jun 2026 11:48:02 +0200
Subject: [PATCH] ovl: Fix nested backing file paths
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

JIRA: https://issues.redhat.com/browse/RHEL-179443
CVE: CVE-2026-46054

commit 924577e4f6ca473de1528953a0e13505fae61d7b
Author: André Almeida <andrealmeid@igalia.com>
Date: Tue Apr 29 15:38:50 2025 -0300

ovl: Fix nested backing file paths

When the lowerdir of an overlayfs is a merged directory of another
overlayfs, ovl_open_realfile() will fail to open the real file and point
to a lower dentry copy, without the proper parent path. After this,
d_path() will then display the path incorrectly as if the file is placed
in the root directory.

This bug can be triggered with the following setup:

    mkdir -p ovl-A/lower ovl-A/upper ovl-A/merge ovl-A/work
    mkdir -p ovl-B/upper ovl-B/merge ovl-B/work

    cp /bin/cat ovl-A/lower/

    mount -t overlay overlay -o \
        lowerdir=ovl-A/lower,upperdir=ovl-A/upper,workdir=ovl-A/work \
        ovl-A/merge

    mount -t overlay overlay -o \
        lowerdir=ovl-A/merge,upperdir=ovl-B/upper,workdir=ovl-B/work \
        ovl-B/merge

    ovl-A/merge/cat /proc/self/maps | grep --color cat
    ovl-B/merge/cat /proc/self/maps | grep --color cat

The first cat will correctly show `/ovl-A/merge/cat`, while the second
one shows just `/cat`.

To fix that, use file_user_path() inside of backing_file_open() to get
the correct file path for the dentry.

Co-developed-by: John Schoenick <johns@valvesoftware.com>
Signed-off-by: John Schoenick <johns@valvesoftware.com>
Signed-off-by: André Almeida <andrealmeid@igalia.com>
Fixes: def3ae83da02 ("fs: store real path instead of fake path in backing file f_path")
Cc: <stable@vger.kernel.org> # v6.7
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index d85385f37ba6..3bf52eace698 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -51,8 +51,8 @@ static struct file *ovl_open_realfile(const struct file *file,
if (!inode_owner_or_capable(real_idmap, realinode))
flags &= ~O_NOATIME;
- realfile = backing_file_open(&file->f_path, flags, realpath,
- current_cred());
+ realfile = backing_file_open(file_user_path((struct file *) file),
+ flags, realpath, current_cred());
}
revert_creds(old_cred);
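
Review bot: The added call `file_user_path((struct file *) file)` casts away the `const` on the `file` parameter, which the hunk header shows as `const struct file *file`. If file_user_path() only reads from the file, a prerequisite change making its parameter `const struct file *` would let the cast go; if that is out of scope for this backport, add a one-line comment at the call stating that the helper does not modify the file, so the cast is not read as permission to write through it later. Separately, the backport header carries a CVE tag, but the commit message only describes a wrong d_path() result; one sentence on why the wrong path matters for security would help reviewers triage it.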
--
2.50.1 (Apple Git-155)