kernel/SOURCES/1337-ovl-fix-nested-backing-file-paths.patch

75 lines
2.6 KiB
Diff

From c884ff1e458df0e5d801f19b4e847a4673d7471b Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 3 Jun 2026 11:48:02 +0200
Subject: [PATCH] ovl: Fix nested backing file paths
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
JIRA: https://issues.redhat.com/browse/RHEL-179443
CVE: CVE-2026-46054
commit 924577e4f6ca473de1528953a0e13505fae61d7b
Author: André Almeida <andrealmeid@igalia.com>
Date: Tue Apr 29 15:38:50 2025 -0300
ovl: Fix nested backing file paths
When the lowerdir of an overlayfs is a merged directory of another
overlayfs, ovl_open_realfile() will fail to open the real file and point
to a lower dentry copy, without the proper parent path. After this,
d_path() will then display the path incorrectly as if the file is placed
in the root directory.
This bug can be triggered with the following setup:
mkdir -p ovl-A/lower ovl-A/upper ovl-A/merge ovl-A/work
mkdir -p ovl-B/upper ovl-B/merge ovl-B/work
cp /bin/cat ovl-A/lower/
mount -t overlay overlay -o \
lowerdir=ovl-A/lower,upperdir=ovl-A/upper,workdir=ovl-A/work \
ovl-A/merge
mount -t overlay overlay -o \
lowerdir=ovl-A/merge,upperdir=ovl-B/upper,workdir=ovl-B/work \
ovl-B/merge
ovl-A/merge/cat /proc/self/maps | grep --color cat
ovl-B/merge/cat /proc/self/maps | grep --color cat
The first cat will correctly show `/ovl-A/merge/cat`, while the second
one shows just `/cat`.
To fix that, uses file_user_path() inside of backing_file_open() to get
the correct file path for the dentry.
Co-developed-by: John Schoenick <johns@valvesoftware.com>
Signed-off-by: John Schoenick <johns@valvesoftware.com>
Signed-off-by: André Almeida <andrealmeid@igalia.com>
Fixes: def3ae83da02 ("fs: store real path instead of fake path in backing file f_path")
Cc: <stable@vger.kernel.org> # v6.7
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index d85385f37ba6..3bf52eace698 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -51,8 +51,8 @@ static struct file *ovl_open_realfile(const struct file *file,
if (!inode_owner_or_capable(real_idmap, realinode))
flags &= ~O_NOATIME;
- realfile = backing_file_open(&file->f_path, flags, realpath,
- current_cred());
+ realfile = backing_file_open(file_user_path((struct file *) file),
+ flags, realpath, current_cred());
}
revert_creds(old_cred);
--
2.50.1 (Apple Git-155)