From 76179b4dae212143faa023b71e44554c2854c2c0 Mon Sep 17 00:00:00 2001

From: Zheng Liang <zhengliang6@huawei.com>

Date: Fri, 24 Sep 2021 09:16:27 +0800

Subject: [PATCH] ovl: fix missing negative dentry check in ovl_rename()

Git-commit: a295aef603e109a47af355477326bd41151765b6

Patch-mainline: v5.15-rc5

References: CVE-2021-20321 bsc#1191647

The following reproducer

  mkdir lower upper work merge

  touch lower/old

  touch lower/new

  mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merge

  rm merge/new

  mv merge/old merge/new & unlink upper/new

may result in this race:

PROCESS A:

  rename("merge/old", "merge/new");

  overwrite=true,ovl_lower_positive(old)=true,

  ovl_dentry_is_whiteout(new)=true -> flags |= RENAME_EXCHANGE

PROCESS B:

  unlink("upper/new");

PROCESS A:

  lookup newdentry in new_upperdir

  call vfs_rename() with negative newdentry and RENAME_EXCHANGE

Fix by adding the missing check for negative newdentry.

Signed-off-by: Zheng Liang <zhengliang6@huawei.com>

Fixes: e9be9d5e76e3 ("overlay filesystem")

Cc: <stable@vger.kernel.org> # v3.18

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

Acked-by: David Disseldorp <ddiss@suse.de>

---

 fs/overlayfs/dir.c | 10 +++++++---

 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c

index 6509ec3cb373..3284363ebdfb 100644

--- a/fs/overlayfs/dir.c

+++ b/fs/overlayfs/dir.c

@@ -1160,9 +1160,13 @@ static int ovl_rename(struct inode *olddir, struct dentry *old,

 				goto out_dput;

 		}

 	} else {

-		if (!d_is_negative(newdentry) &&

-		    (!new_opaque || !ovl_is_whiteout(newdentry)))

-			goto out_dput;

+		if (!d_is_negative(newdentry)) {

+			if (!new_opaque || !ovl_is_whiteout(newdentry))

+				goto out_dput;

+		} else {

+			if (flags & RENAME_EXCHANGE)

+				goto out_dput;

+		}

 	}

 	if (olddentry == trap)

-- 

2.34.1