1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * linux/fs/readdir.c 4 * 5 * Copyright (C) 1995 Linus Torvalds 6 */ 7 8 #include <linux/stddef.h> 9 #include <linux/kernel.h> 10 #include <linux/export.h> 11 #include <linux/time.h> 12 #include <linux/mm.h> 13 #include <linux/errno.h> 14 #include <linux/stat.h> 15 #include <linux/file.h> 16 #include <linux/fs.h> 17 #include <linux/fsnotify.h> 18 #include <linux/dirent.h> 19 #include <linux/security.h> 20 #include <linux/syscalls.h> 21 #include <linux/unistd.h> 22 #include <linux/compat.h> 23 #include <linux/uaccess.h> 24 25 #include <asm/unaligned.h> 26 27 /* 28 * Note the "unsafe_put_user() semantics: we goto a 29 * label for errors. 30 */ 31 #define unsafe_copy_dirent_name(_dst, _src, _len, label) do { \ 32 char __user *dst = (_dst); \ 33 const char *src = (_src); \ 34 size_t len = (_len); \ 35 unsafe_put_user(0, dst+len, label); \ 36 unsafe_copy_to_user(dst, src, len, label); \ 37 } while (0) 38 39 40 int iterate_dir(struct file *file, struct dir_context *ctx) 41 { 42 struct inode *inode = file_inode(file); 43 bool shared = false; 44 int res = -ENOTDIR; 45 if (file->f_op->iterate_shared) 46 shared = true; 47 else if (!file->f_op->iterate) 48 goto out; 49 50 res = security_file_permission(file, MAY_READ); 51 if (res) 52 goto out; 53 54 if (shared) 55 res = down_read_killable(&inode->i_rwsem); 56 else 57 res = down_write_killable(&inode->i_rwsem); 58 if (res) 59 goto out; 60 61 res = -ENOENT; 62 if (!IS_DEADDIR(inode)) { 63 ctx->pos = file->f_pos; 64 if (shared) 65 res = file->f_op->iterate_shared(file, ctx); 66 else 67 res = file->f_op->iterate(file, ctx); 68 file->f_pos = ctx->pos; 69 fsnotify_access(file); 70 file_accessed(file); 71 } 72 if (shared) 73 inode_unlock_shared(inode); 74 else 75 inode_unlock(inode); 76 out: 77 return res; 78 } 79 EXPORT_SYMBOL(iterate_dir); 80 81 /* 82 * POSIX says that a dirent name cannot contain NULL or a '/'. 83 * 84 * It's not 100% clear what we should really do in this case. 85 * The filesystem is clearly corrupted, but returning a hard 86 * error means that you now don't see any of the other names 87 * either, so that isn't a perfect alternative. 88 * 89 * And if you return an error, what error do you use? Several 90 * filesystems seem to have decided on EUCLEAN being the error 91 * code for EFSCORRUPTED, and that may be the error to use. Or 92 * just EIO, which is perhaps more obvious to users. 93 * 94 * In order to see the other file names in the directory, the 95 * caller might want to make this a "soft" error: skip the 96 * entry, and return the error at the end instead. 97 * 98 * Note that this should likely do a "memchr(name, 0, len)" 99 * check too, since that would be filesystem corruption as 100 * well. However, that case can't actually confuse user space, 101 * which has to do a strlen() on the name anyway to find the 102 * filename length, and the above "soft error" worry means 103 * that it's probably better left alone until we have that 104 * issue clarified. 105 * 106 * Note the PATH_MAX check - it's arbitrary but the real 107 * kernel limit on a possible path component, not NAME_MAX, 108 * which is the technical standard limit. 109 */ 110 static int verify_dirent_name(const char *name, int len) 111 { 112 if (len <= 0 || len >= PATH_MAX) 113 return -EIO; 114 if (memchr(name, '/', len)) 115 return -EIO; 116 return 0; 117 } 118 119 /* 120 * Traditional linux readdir() handling.. 121 * 122 * "count=1" is a special case, meaning that the buffer is one 123 * dirent-structure in size and that the code can't handle more 124 * anyway. Thus the special "fillonedir()" function for that 125 * case (the low-level handlers don't need to care about this). 126 */ 127 128 #ifdef __ARCH_WANT_OLD_READDIR 129 130 struct old_linux_dirent { 131 unsigned long d_ino; 132 unsigned long d_offset; 133 unsigned short d_namlen; 134 char d_name[1]; 135 }; 136 137 struct readdir_callback { 138 struct dir_context ctx; 139 struct old_linux_dirent __user * dirent; 140 int result; 141 }; 142 143 static int fillonedir(struct dir_context *ctx, const char *name, int namlen, 144 loff_t offset, u64 ino, unsigned int d_type) 145 { 146 struct readdir_callback *buf = 147 container_of(ctx, struct readdir_callback, ctx); 148 struct old_linux_dirent __user * dirent; 149 unsigned long d_ino; 150 151 if (buf->result) 152 return -EINVAL; 153 buf->result = verify_dirent_name(name, namlen); 154 if (buf->result < 0) 155 return buf->result; 156 d_ino = ino; 157 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) { 158 buf->result = -EOVERFLOW; 159 return -EOVERFLOW; 160 } 161 buf->result++; 162 dirent = buf->dirent; 163 if (!user_write_access_begin(dirent, 164 (unsigned long)(dirent->d_name + namlen + 1) - 165 (unsigned long)dirent)) 166 goto efault; 167 unsafe_put_user(d_ino, &dirent->d_ino, efault_end); 168 unsafe_put_user(offset, &dirent->d_offset, efault_end); 169 unsafe_put_user(namlen, &dirent->d_namlen, efault_end); 170 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end); 171 user_write_access_end(); 172 return 0; 173 efault_end: 174 user_write_access_end(); 175 efault: 176 buf->result = -EFAULT; 177 return -EFAULT; 178 } 179 180 SYSCALL_DEFINE3(old_readdir, unsigned int, fd, 181 struct old_linux_dirent __user *, dirent, unsigned int, count) 182 { 183 int error; 184 struct fd f = fdget_pos(fd); 185 struct readdir_callback buf = { 186 .ctx.actor = fillonedir, 187 .dirent = dirent 188 }; 189 190 if (!f.file) 191 return -EBADF; 192 193 error = iterate_dir(f.file, &buf.ctx); 194 if (buf.result) 195 error = buf.result; 196 197 fdput_pos(f); 198 return error; 199 } 200 201 #endif /* __ARCH_WANT_OLD_READDIR */ 202 203 /* 204 * New, all-improved, singing, dancing, iBCS2-compliant getdents() 205 * interface. 206 */ 207 struct linux_dirent { 208 unsigned long d_ino; 209 unsigned long d_off; 210 unsigned short d_reclen; 211 char d_name[1]; 212 }; 213 214 struct getdents_callback { 215 struct dir_context ctx; 216 struct linux_dirent __user * current_dir; 217 int prev_reclen; 218 int count; 219 int error; 220 }; 221 222 static int filldir(struct dir_context *ctx, const char *name, int namlen, 223 loff_t offset, u64 ino, unsigned int d_type) 224 { 225 struct linux_dirent __user *dirent, *prev; 226 struct getdents_callback *buf = 227 container_of(ctx, struct getdents_callback, ctx); 228 unsigned long d_ino; 229 int reclen = ALIGN(offsetof(struct linux_dirent, d_name) + namlen + 2, 230 sizeof(long)); 231 int prev_reclen; 232 233 buf->error = verify_dirent_name(name, namlen); 234 if (unlikely(buf->error)) 235 return buf->error; 236 buf->error = -EINVAL; /* only used if we fail.. */ 237 if (reclen > buf->count) 238 return -EINVAL; 239 d_ino = ino; 240 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) { 241 buf->error = -EOVERFLOW; 242 return -EOVERFLOW; 243 } 244 prev_reclen = buf->prev_reclen; 245 if (prev_reclen && signal_pending(current)) 246 return -EINTR; 247 dirent = buf->current_dir; 248 prev = (void __user *) dirent - prev_reclen; 249 if (!user_write_access_begin(prev, reclen + prev_reclen)) 250 goto efault; 251 252 /* This might be 'dirent->d_off', but if so it will get overwritten */ 253 unsafe_put_user(offset, &prev->d_off, efault_end); 254 unsafe_put_user(d_ino, &dirent->d_ino, efault_end); 255 unsafe_put_user(reclen, &dirent->d_reclen, efault_end); 256 unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end); 257 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end); 258 user_write_access_end(); 259 260 buf->current_dir = (void __user *)dirent + reclen; 261 buf->prev_reclen = reclen; 262 buf->count -= reclen; 263 return 0; 264 efault_end: 265 user_write_access_end(); 266 efault: 267 buf->error = -EFAULT; 268 return -EFAULT; 269 } 270 271 SYSCALL_DEFINE3(getdents, unsigned int, fd, 272 struct linux_dirent __user *, dirent, unsigned int, count) 273 { 274 struct fd f; 275 struct getdents_callback buf = { 276 .ctx.actor = filldir, 277 .count = count, 278 .current_dir = dirent 279 }; 280 int error; 281 282 f = fdget_pos(fd); 283 if (!f.file) 284 return -EBADF; 285 286 error = iterate_dir(f.file, &buf.ctx); 287 if (error >= 0) 288 error = buf.error; 289 if (buf.prev_reclen) { 290 struct linux_dirent __user * lastdirent; 291 lastdirent = (void __user *)buf.current_dir - buf.prev_reclen; 292 293 if (put_user(buf.ctx.pos, &lastdirent->d_off)) 294 error = -EFAULT; 295 else 296 error = count - buf.count; 297 } 298 fdput_pos(f); 299 return error; 300 } 301 302 struct getdents_callback64 { 303 struct dir_context ctx; 304 struct linux_dirent64 __user * current_dir; 305 int prev_reclen; 306 int count; 307 int error; 308 }; 309 310 static int filldir64(struct dir_context *ctx, const char *name, int namlen, 311 loff_t offset, u64 ino, unsigned int d_type) 312 { 313 struct linux_dirent64 __user *dirent, *prev; 314 struct getdents_callback64 *buf = 315 container_of(ctx, struct getdents_callback64, ctx); 316 int reclen = ALIGN(offsetof(struct linux_dirent64, d_name) + namlen + 1, 317 sizeof(u64)); 318 int prev_reclen; 319 320 buf->error = verify_dirent_name(name, namlen); 321 if (unlikely(buf->error)) 322 return buf->error; 323 buf->error = -EINVAL; /* only used if we fail.. */ 324 if (reclen > buf->count) 325 return -EINVAL; 326 prev_reclen = buf->prev_reclen; 327 if (prev_reclen && signal_pending(current)) 328 return -EINTR; 329 dirent = buf->current_dir; 330 prev = (void __user *)dirent - prev_reclen; 331 if (!user_write_access_begin(prev, reclen + prev_reclen)) 332 goto efault; 333 334 /* This might be 'dirent->d_off', but if so it will get overwritten */ 335 unsafe_put_user(offset, &prev->d_off, efault_end); 336 unsafe_put_user(ino, &dirent->d_ino, efault_end); 337 unsafe_put_user(reclen, &dirent->d_reclen, efault_end); 338 unsafe_put_user(d_type, &dirent->d_type, efault_end); 339 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end); 340 user_write_access_end(); 341 342 buf->prev_reclen = reclen; 343 buf->current_dir = (void __user *)dirent + reclen; 344 buf->count -= reclen; 345 return 0; 346 347 efault_end: 348 user_write_access_end(); 349 efault: 350 buf->error = -EFAULT; 351 return -EFAULT; 352 } 353 354 SYSCALL_DEFINE3(getdents64, unsigned int, fd, 355 struct linux_dirent64 __user *, dirent, unsigned int, count) 356 { 357 struct fd f; 358 struct getdents_callback64 buf = { 359 .ctx.actor = filldir64, 360 .count = count, 361 .current_dir = dirent 362 }; 363 int error; 364 365 f = fdget_pos(fd); 366 if (!f.file) 367 return -EBADF; 368 369 error = iterate_dir(f.file, &buf.ctx); 370 if (error >= 0) 371 error = buf.error; 372 if (buf.prev_reclen) { 373 struct linux_dirent64 __user * lastdirent; 374 typeof(lastdirent->d_off) d_off = buf.ctx.pos; 375 376 lastdirent = (void __user *) buf.current_dir - buf.prev_reclen; 377 if (put_user(d_off, &lastdirent->d_off)) 378 error = -EFAULT; 379 else 380 error = count - buf.count; 381 } 382 fdput_pos(f); 383 return error; 384 } 385 386 #ifdef CONFIG_COMPAT 387 struct compat_old_linux_dirent { 388 compat_ulong_t d_ino; 389 compat_ulong_t d_offset; 390 unsigned short d_namlen; 391 char d_name[1]; 392 }; 393 394 struct compat_readdir_callback { 395 struct dir_context ctx; 396 struct compat_old_linux_dirent __user *dirent; 397 int result; 398 }; 399 400 static int compat_fillonedir(struct dir_context *ctx, const char *name, 401 int namlen, loff_t offset, u64 ino, 402 unsigned int d_type) 403 { 404 struct compat_readdir_callback *buf = 405 container_of(ctx, struct compat_readdir_callback, ctx); 406 struct compat_old_linux_dirent __user *dirent; 407 compat_ulong_t d_ino; 408 409 if (buf->result) 410 return -EINVAL; 411 buf->result = verify_dirent_name(name, namlen); 412 if (buf->result < 0) 413 return buf->result; 414 d_ino = ino; 415 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) { 416 buf->result = -EOVERFLOW; 417 return -EOVERFLOW; 418 } 419 buf->result++; 420 dirent = buf->dirent; 421 if (!user_write_access_begin(dirent, 422 (unsigned long)(dirent->d_name + namlen + 1) - 423 (unsigned long)dirent)) 424 goto efault; 425 unsafe_put_user(d_ino, &dirent->d_ino, efault_end); 426 unsafe_put_user(offset, &dirent->d_offset, efault_end); 427 unsafe_put_user(namlen, &dirent->d_namlen, efault_end); 428 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end); 429 user_write_access_end(); 430 return 0; 431 efault_end: 432 user_write_access_end(); 433 efault: 434 buf->result = -EFAULT; 435 return -EFAULT; 436 } 437 438 COMPAT_SYSCALL_DEFINE3(old_readdir, unsigned int, fd, 439 struct compat_old_linux_dirent __user *, dirent, unsigned int, count) 440 { 441 int error; 442 struct fd f = fdget_pos(fd); 443 struct compat_readdir_callback buf = { 444 .ctx.actor = compat_fillonedir, 445 .dirent = dirent 446 }; 447 448 if (!f.file) 449 return -EBADF; 450 451 error = iterate_dir(f.file, &buf.ctx); 452 if (buf.result) 453 error = buf.result; 454 455 fdput_pos(f); 456 return error; 457 } 458 459 struct compat_linux_dirent { 460 compat_ulong_t d_ino; 461 compat_ulong_t d_off; 462 unsigned short d_reclen; 463 char d_name[1]; 464 }; 465 466 struct compat_getdents_callback { 467 struct dir_context ctx; 468 struct compat_linux_dirent __user *current_dir; 469 int prev_reclen; 470 int count; 471 int error; 472 }; 473 474 static int compat_filldir(struct dir_context *ctx, const char *name, int namlen, 475 loff_t offset, u64 ino, unsigned int d_type) 476 { 477 struct compat_linux_dirent __user *dirent, *prev; 478 struct compat_getdents_callback *buf = 479 container_of(ctx, struct compat_getdents_callback, ctx); 480 compat_ulong_t d_ino; 481 int reclen = ALIGN(offsetof(struct compat_linux_dirent, d_name) + 482 namlen + 2, sizeof(compat_long_t)); 483 int prev_reclen; 484 485 buf->error = verify_dirent_name(name, namlen); 486 if (unlikely(buf->error)) 487 return buf->error; 488 buf->error = -EINVAL; /* only used if we fail.. */ 489 if (reclen > buf->count) 490 return -EINVAL; 491 d_ino = ino; 492 if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) { 493 buf->error = -EOVERFLOW; 494 return -EOVERFLOW; 495 } 496 prev_reclen = buf->prev_reclen; 497 if (prev_reclen && signal_pending(current)) 498 return -EINTR; 499 dirent = buf->current_dir; 500 prev = (void __user *) dirent - prev_reclen; 501 if (!user_write_access_begin(prev, reclen + prev_reclen)) 502 goto efault; 503 504 unsafe_put_user(offset, &prev->d_off, efault_end); 505 unsafe_put_user(d_ino, &dirent->d_ino, efault_end); 506 unsafe_put_user(reclen, &dirent->d_reclen, efault_end); 507 unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end); 508 unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end); 509 user_write_access_end(); 510 511 buf->prev_reclen = reclen; 512 buf->current_dir = (void __user *)dirent + reclen; 513 buf->count -= reclen; 514 return 0; 515 efault_end: 516 user_write_access_end(); 517 efault: 518 buf->error = -EFAULT; 519 return -EFAULT; 520 } 521 522 COMPAT_SYSCALL_DEFINE3(getdents, unsigned int, fd, 523 struct compat_linux_dirent __user *, dirent, unsigned int, count) 524 { 525 struct fd f; 526 struct compat_getdents_callback buf = { 527 .ctx.actor = compat_filldir, 528 .current_dir = dirent, 529 .count = count 530 }; 531 int error; 532 533 f = fdget_pos(fd); 534 if (!f.file) 535 return -EBADF; 536 537 error = iterate_dir(f.file, &buf.ctx); 538 if (error >= 0) 539 error = buf.error; 540 if (buf.prev_reclen) { 541 struct compat_linux_dirent __user * lastdirent; 542 lastdirent = (void __user *)buf.current_dir - buf.prev_reclen; 543 544 if (put_user(buf.ctx.pos, &lastdirent->d_off)) 545 error = -EFAULT; 546 else 547 error = count - buf.count; 548 } 549 fdput_pos(f); 550 return error; 551 } 552 #endif 553