xref: /openbmc/linux/fs/readdir.c (revision 0e73f1ba602d953ee8ceda5cea3a381bf212b80b)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  *  linux/fs/readdir.c
4  *
5  *  Copyright (C) 1995  Linus Torvalds
6  */
7 
8 #include <linux/stddef.h>
9 #include <linux/kernel.h>
10 #include <linux/export.h>
11 #include <linux/time.h>
12 #include <linux/mm.h>
13 #include <linux/errno.h>
14 #include <linux/stat.h>
15 #include <linux/file.h>
16 #include <linux/fs.h>
17 #include <linux/fsnotify.h>
18 #include <linux/dirent.h>
19 #include <linux/security.h>
20 #include <linux/syscalls.h>
21 #include <linux/unistd.h>
22 #include <linux/compat.h>
23 #include <linux/uaccess.h>
24 
25 #include <asm/unaligned.h>
26 
27 /*
28  * Some filesystems were never converted to '->iterate_shared()'
29  * and their directory iterators want the inode lock held for
30  * writing. This wrapper allows for converting from the shared
31  * semantics to the exclusive inode use.
32  */
33 int wrap_directory_iterator(struct file *file,
34 			    struct dir_context *ctx,
35 			    int (*iter)(struct file *, struct dir_context *))
36 {
37 	struct inode *inode = file_inode(file);
38 	int ret;
39 
40 	/*
41 	 * We'd love to have an 'inode_upgrade_trylock()' operation,
42 	 * see the comment in mmap_upgrade_trylock() in mm/memory.c.
43 	 *
44 	 * But considering this is for "filesystems that never got
45 	 * converted", it really doesn't matter.
46 	 *
47 	 * Also note that since we have to return with the lock held
48 	 * for reading, we can't use the "killable()" locking here,
49 	 * since we do need to get the lock even if we're dying.
50 	 *
51 	 * We could do the write part killably and then get the read
52 	 * lock unconditionally if it mattered, but see above on why
53 	 * this does the very simplistic conversion.
54 	 */
55 	up_read(&inode->i_rwsem);
56 	down_write(&inode->i_rwsem);
57 
58 	/*
59 	 * Since we dropped the inode lock, we should do the
60 	 * DEADDIR test again. See 'iterate_dir()' below.
61 	 *
62 	 * Note that we don't need to re-do the f_pos games,
63 	 * since the file must be locked wrt f_pos anyway.
64 	 */
65 	ret = -ENOENT;
66 	if (!IS_DEADDIR(inode))
67 		ret = iter(file, ctx);
68 
69 	downgrade_write(&inode->i_rwsem);
70 	return ret;
71 }
72 EXPORT_SYMBOL(wrap_directory_iterator);
73 
74 /*
75  * Note the "unsafe_put_user() semantics: we goto a
76  * label for errors.
77  */
78 #define unsafe_copy_dirent_name(_dst, _src, _len, label) do {	\
79 	char __user *dst = (_dst);				\
80 	const char *src = (_src);				\
81 	size_t len = (_len);					\
82 	unsafe_put_user(0, dst+len, label);			\
83 	unsafe_copy_to_user(dst, src, len, label);		\
84 } while (0)
85 
86 
87 int iterate_dir(struct file *file, struct dir_context *ctx)
88 {
89 	struct inode *inode = file_inode(file);
90 	int res = -ENOTDIR;
91 
92 	if (!file->f_op->iterate_shared)
93 		goto out;
94 
95 	res = security_file_permission(file, MAY_READ);
96 	if (res)
97 		goto out;
98 
99 	res = down_read_killable(&inode->i_rwsem);
100 	if (res)
101 		goto out;
102 
103 	res = -ENOENT;
104 	if (!IS_DEADDIR(inode)) {
105 		ctx->pos = file->f_pos;
106 		res = file->f_op->iterate_shared(file, ctx);
107 		file->f_pos = ctx->pos;
108 		fsnotify_access(file);
109 		file_accessed(file);
110 	}
111 	inode_unlock_shared(inode);
112 out:
113 	return res;
114 }
115 EXPORT_SYMBOL(iterate_dir);
116 
117 /*
118  * POSIX says that a dirent name cannot contain NULL or a '/'.
119  *
120  * It's not 100% clear what we should really do in this case.
121  * The filesystem is clearly corrupted, but returning a hard
122  * error means that you now don't see any of the other names
123  * either, so that isn't a perfect alternative.
124  *
125  * And if you return an error, what error do you use? Several
126  * filesystems seem to have decided on EUCLEAN being the error
127  * code for EFSCORRUPTED, and that may be the error to use. Or
128  * just EIO, which is perhaps more obvious to users.
129  *
130  * In order to see the other file names in the directory, the
131  * caller might want to make this a "soft" error: skip the
132  * entry, and return the error at the end instead.
133  *
134  * Note that this should likely do a "memchr(name, 0, len)"
135  * check too, since that would be filesystem corruption as
136  * well. However, that case can't actually confuse user space,
137  * which has to do a strlen() on the name anyway to find the
138  * filename length, and the above "soft error" worry means
139  * that it's probably better left alone until we have that
140  * issue clarified.
141  *
142  * Note the PATH_MAX check - it's arbitrary but the real
143  * kernel limit on a possible path component, not NAME_MAX,
144  * which is the technical standard limit.
145  */
146 static int verify_dirent_name(const char *name, int len)
147 {
148 	if (len <= 0 || len >= PATH_MAX)
149 		return -EIO;
150 	if (memchr(name, '/', len))
151 		return -EIO;
152 	return 0;
153 }
154 
155 /*
156  * Traditional linux readdir() handling..
157  *
158  * "count=1" is a special case, meaning that the buffer is one
159  * dirent-structure in size and that the code can't handle more
160  * anyway. Thus the special "fillonedir()" function for that
161  * case (the low-level handlers don't need to care about this).
162  */
163 
164 #ifdef __ARCH_WANT_OLD_READDIR
165 
166 struct old_linux_dirent {
167 	unsigned long	d_ino;
168 	unsigned long	d_offset;
169 	unsigned short	d_namlen;
170 	char		d_name[];
171 };
172 
173 struct readdir_callback {
174 	struct dir_context ctx;
175 	struct old_linux_dirent __user * dirent;
176 	int result;
177 };
178 
179 static bool fillonedir(struct dir_context *ctx, const char *name, int namlen,
180 		      loff_t offset, u64 ino, unsigned int d_type)
181 {
182 	struct readdir_callback *buf =
183 		container_of(ctx, struct readdir_callback, ctx);
184 	struct old_linux_dirent __user * dirent;
185 	unsigned long d_ino;
186 
187 	if (buf->result)
188 		return false;
189 	buf->result = verify_dirent_name(name, namlen);
190 	if (buf->result)
191 		return false;
192 	d_ino = ino;
193 	if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
194 		buf->result = -EOVERFLOW;
195 		return false;
196 	}
197 	buf->result++;
198 	dirent = buf->dirent;
199 	if (!user_write_access_begin(dirent,
200 			(unsigned long)(dirent->d_name + namlen + 1) -
201 				(unsigned long)dirent))
202 		goto efault;
203 	unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
204 	unsafe_put_user(offset, &dirent->d_offset, efault_end);
205 	unsafe_put_user(namlen, &dirent->d_namlen, efault_end);
206 	unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
207 	user_write_access_end();
208 	return true;
209 efault_end:
210 	user_write_access_end();
211 efault:
212 	buf->result = -EFAULT;
213 	return false;
214 }
215 
216 SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
217 		struct old_linux_dirent __user *, dirent, unsigned int, count)
218 {
219 	int error;
220 	struct fd f = fdget_pos(fd);
221 	struct readdir_callback buf = {
222 		.ctx.actor = fillonedir,
223 		.dirent = dirent
224 	};
225 
226 	if (!f.file)
227 		return -EBADF;
228 
229 	error = iterate_dir(f.file, &buf.ctx);
230 	if (buf.result)
231 		error = buf.result;
232 
233 	fdput_pos(f);
234 	return error;
235 }
236 
237 #endif /* __ARCH_WANT_OLD_READDIR */
238 
239 /*
240  * New, all-improved, singing, dancing, iBCS2-compliant getdents()
241  * interface.
242  */
243 struct linux_dirent {
244 	unsigned long	d_ino;
245 	unsigned long	d_off;
246 	unsigned short	d_reclen;
247 	char		d_name[];
248 };
249 
250 struct getdents_callback {
251 	struct dir_context ctx;
252 	struct linux_dirent __user * current_dir;
253 	int prev_reclen;
254 	int count;
255 	int error;
256 };
257 
258 static bool filldir(struct dir_context *ctx, const char *name, int namlen,
259 		   loff_t offset, u64 ino, unsigned int d_type)
260 {
261 	struct linux_dirent __user *dirent, *prev;
262 	struct getdents_callback *buf =
263 		container_of(ctx, struct getdents_callback, ctx);
264 	unsigned long d_ino;
265 	int reclen = ALIGN(offsetof(struct linux_dirent, d_name) + namlen + 2,
266 		sizeof(long));
267 	int prev_reclen;
268 
269 	buf->error = verify_dirent_name(name, namlen);
270 	if (unlikely(buf->error))
271 		return false;
272 	buf->error = -EINVAL;	/* only used if we fail.. */
273 	if (reclen > buf->count)
274 		return false;
275 	d_ino = ino;
276 	if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
277 		buf->error = -EOVERFLOW;
278 		return false;
279 	}
280 	prev_reclen = buf->prev_reclen;
281 	if (prev_reclen && signal_pending(current))
282 		return false;
283 	dirent = buf->current_dir;
284 	prev = (void __user *) dirent - prev_reclen;
285 	if (!user_write_access_begin(prev, reclen + prev_reclen))
286 		goto efault;
287 
288 	/* This might be 'dirent->d_off', but if so it will get overwritten */
289 	unsafe_put_user(offset, &prev->d_off, efault_end);
290 	unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
291 	unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
292 	unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end);
293 	unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
294 	user_write_access_end();
295 
296 	buf->current_dir = (void __user *)dirent + reclen;
297 	buf->prev_reclen = reclen;
298 	buf->count -= reclen;
299 	return true;
300 efault_end:
301 	user_write_access_end();
302 efault:
303 	buf->error = -EFAULT;
304 	return false;
305 }
306 
307 SYSCALL_DEFINE3(getdents, unsigned int, fd,
308 		struct linux_dirent __user *, dirent, unsigned int, count)
309 {
310 	struct fd f;
311 	struct getdents_callback buf = {
312 		.ctx.actor = filldir,
313 		.count = count,
314 		.current_dir = dirent
315 	};
316 	int error;
317 
318 	f = fdget_pos(fd);
319 	if (!f.file)
320 		return -EBADF;
321 
322 	error = iterate_dir(f.file, &buf.ctx);
323 	if (error >= 0)
324 		error = buf.error;
325 	if (buf.prev_reclen) {
326 		struct linux_dirent __user * lastdirent;
327 		lastdirent = (void __user *)buf.current_dir - buf.prev_reclen;
328 
329 		if (put_user(buf.ctx.pos, &lastdirent->d_off))
330 			error = -EFAULT;
331 		else
332 			error = count - buf.count;
333 	}
334 	fdput_pos(f);
335 	return error;
336 }
337 
338 struct getdents_callback64 {
339 	struct dir_context ctx;
340 	struct linux_dirent64 __user * current_dir;
341 	int prev_reclen;
342 	int count;
343 	int error;
344 };
345 
346 static bool filldir64(struct dir_context *ctx, const char *name, int namlen,
347 		     loff_t offset, u64 ino, unsigned int d_type)
348 {
349 	struct linux_dirent64 __user *dirent, *prev;
350 	struct getdents_callback64 *buf =
351 		container_of(ctx, struct getdents_callback64, ctx);
352 	int reclen = ALIGN(offsetof(struct linux_dirent64, d_name) + namlen + 1,
353 		sizeof(u64));
354 	int prev_reclen;
355 
356 	buf->error = verify_dirent_name(name, namlen);
357 	if (unlikely(buf->error))
358 		return false;
359 	buf->error = -EINVAL;	/* only used if we fail.. */
360 	if (reclen > buf->count)
361 		return false;
362 	prev_reclen = buf->prev_reclen;
363 	if (prev_reclen && signal_pending(current))
364 		return false;
365 	dirent = buf->current_dir;
366 	prev = (void __user *)dirent - prev_reclen;
367 	if (!user_write_access_begin(prev, reclen + prev_reclen))
368 		goto efault;
369 
370 	/* This might be 'dirent->d_off', but if so it will get overwritten */
371 	unsafe_put_user(offset, &prev->d_off, efault_end);
372 	unsafe_put_user(ino, &dirent->d_ino, efault_end);
373 	unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
374 	unsafe_put_user(d_type, &dirent->d_type, efault_end);
375 	unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
376 	user_write_access_end();
377 
378 	buf->prev_reclen = reclen;
379 	buf->current_dir = (void __user *)dirent + reclen;
380 	buf->count -= reclen;
381 	return true;
382 
383 efault_end:
384 	user_write_access_end();
385 efault:
386 	buf->error = -EFAULT;
387 	return false;
388 }
389 
390 SYSCALL_DEFINE3(getdents64, unsigned int, fd,
391 		struct linux_dirent64 __user *, dirent, unsigned int, count)
392 {
393 	struct fd f;
394 	struct getdents_callback64 buf = {
395 		.ctx.actor = filldir64,
396 		.count = count,
397 		.current_dir = dirent
398 	};
399 	int error;
400 
401 	f = fdget_pos(fd);
402 	if (!f.file)
403 		return -EBADF;
404 
405 	error = iterate_dir(f.file, &buf.ctx);
406 	if (error >= 0)
407 		error = buf.error;
408 	if (buf.prev_reclen) {
409 		struct linux_dirent64 __user * lastdirent;
410 		typeof(lastdirent->d_off) d_off = buf.ctx.pos;
411 
412 		lastdirent = (void __user *) buf.current_dir - buf.prev_reclen;
413 		if (put_user(d_off, &lastdirent->d_off))
414 			error = -EFAULT;
415 		else
416 			error = count - buf.count;
417 	}
418 	fdput_pos(f);
419 	return error;
420 }
421 
422 #ifdef CONFIG_COMPAT
423 struct compat_old_linux_dirent {
424 	compat_ulong_t	d_ino;
425 	compat_ulong_t	d_offset;
426 	unsigned short	d_namlen;
427 	char		d_name[];
428 };
429 
430 struct compat_readdir_callback {
431 	struct dir_context ctx;
432 	struct compat_old_linux_dirent __user *dirent;
433 	int result;
434 };
435 
436 static bool compat_fillonedir(struct dir_context *ctx, const char *name,
437 			     int namlen, loff_t offset, u64 ino,
438 			     unsigned int d_type)
439 {
440 	struct compat_readdir_callback *buf =
441 		container_of(ctx, struct compat_readdir_callback, ctx);
442 	struct compat_old_linux_dirent __user *dirent;
443 	compat_ulong_t d_ino;
444 
445 	if (buf->result)
446 		return false;
447 	buf->result = verify_dirent_name(name, namlen);
448 	if (buf->result)
449 		return false;
450 	d_ino = ino;
451 	if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
452 		buf->result = -EOVERFLOW;
453 		return false;
454 	}
455 	buf->result++;
456 	dirent = buf->dirent;
457 	if (!user_write_access_begin(dirent,
458 			(unsigned long)(dirent->d_name + namlen + 1) -
459 				(unsigned long)dirent))
460 		goto efault;
461 	unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
462 	unsafe_put_user(offset, &dirent->d_offset, efault_end);
463 	unsafe_put_user(namlen, &dirent->d_namlen, efault_end);
464 	unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
465 	user_write_access_end();
466 	return true;
467 efault_end:
468 	user_write_access_end();
469 efault:
470 	buf->result = -EFAULT;
471 	return false;
472 }
473 
474 COMPAT_SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
475 		struct compat_old_linux_dirent __user *, dirent, unsigned int, count)
476 {
477 	int error;
478 	struct fd f = fdget_pos(fd);
479 	struct compat_readdir_callback buf = {
480 		.ctx.actor = compat_fillonedir,
481 		.dirent = dirent
482 	};
483 
484 	if (!f.file)
485 		return -EBADF;
486 
487 	error = iterate_dir(f.file, &buf.ctx);
488 	if (buf.result)
489 		error = buf.result;
490 
491 	fdput_pos(f);
492 	return error;
493 }
494 
495 struct compat_linux_dirent {
496 	compat_ulong_t	d_ino;
497 	compat_ulong_t	d_off;
498 	unsigned short	d_reclen;
499 	char		d_name[];
500 };
501 
502 struct compat_getdents_callback {
503 	struct dir_context ctx;
504 	struct compat_linux_dirent __user *current_dir;
505 	int prev_reclen;
506 	int count;
507 	int error;
508 };
509 
510 static bool compat_filldir(struct dir_context *ctx, const char *name, int namlen,
511 		loff_t offset, u64 ino, unsigned int d_type)
512 {
513 	struct compat_linux_dirent __user *dirent, *prev;
514 	struct compat_getdents_callback *buf =
515 		container_of(ctx, struct compat_getdents_callback, ctx);
516 	compat_ulong_t d_ino;
517 	int reclen = ALIGN(offsetof(struct compat_linux_dirent, d_name) +
518 		namlen + 2, sizeof(compat_long_t));
519 	int prev_reclen;
520 
521 	buf->error = verify_dirent_name(name, namlen);
522 	if (unlikely(buf->error))
523 		return false;
524 	buf->error = -EINVAL;	/* only used if we fail.. */
525 	if (reclen > buf->count)
526 		return false;
527 	d_ino = ino;
528 	if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
529 		buf->error = -EOVERFLOW;
530 		return false;
531 	}
532 	prev_reclen = buf->prev_reclen;
533 	if (prev_reclen && signal_pending(current))
534 		return false;
535 	dirent = buf->current_dir;
536 	prev = (void __user *) dirent - prev_reclen;
537 	if (!user_write_access_begin(prev, reclen + prev_reclen))
538 		goto efault;
539 
540 	unsafe_put_user(offset, &prev->d_off, efault_end);
541 	unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
542 	unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
543 	unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end);
544 	unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
545 	user_write_access_end();
546 
547 	buf->prev_reclen = reclen;
548 	buf->current_dir = (void __user *)dirent + reclen;
549 	buf->count -= reclen;
550 	return true;
551 efault_end:
552 	user_write_access_end();
553 efault:
554 	buf->error = -EFAULT;
555 	return false;
556 }
557 
558 COMPAT_SYSCALL_DEFINE3(getdents, unsigned int, fd,
559 		struct compat_linux_dirent __user *, dirent, unsigned int, count)
560 {
561 	struct fd f;
562 	struct compat_getdents_callback buf = {
563 		.ctx.actor = compat_filldir,
564 		.current_dir = dirent,
565 		.count = count
566 	};
567 	int error;
568 
569 	f = fdget_pos(fd);
570 	if (!f.file)
571 		return -EBADF;
572 
573 	error = iterate_dir(f.file, &buf.ctx);
574 	if (error >= 0)
575 		error = buf.error;
576 	if (buf.prev_reclen) {
577 		struct compat_linux_dirent __user * lastdirent;
578 		lastdirent = (void __user *)buf.current_dir - buf.prev_reclen;
579 
580 		if (put_user(buf.ctx.pos, &lastdirent->d_off))
581 			error = -EFAULT;
582 		else
583 			error = count - buf.count;
584 	}
585 	fdput_pos(f);
586 	return error;
587 }
588 #endif
589