xref: /linux/fs/readdir.c (revision b1a54551dd9ed5ef1763b97b35a0999ca002b95c)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  *  linux/fs/readdir.c
4  *
5  *  Copyright (C) 1995  Linus Torvalds
6  */
7 
8 #include <linux/stddef.h>
9 #include <linux/kernel.h>
10 #include <linux/export.h>
11 #include <linux/time.h>
12 #include <linux/mm.h>
13 #include <linux/errno.h>
14 #include <linux/stat.h>
15 #include <linux/file.h>
16 #include <linux/fs.h>
17 #include <linux/fsnotify.h>
18 #include <linux/dirent.h>
19 #include <linux/security.h>
20 #include <linux/syscalls.h>
21 #include <linux/unistd.h>
22 #include <linux/compat.h>
23 #include <linux/uaccess.h>
24 
25 #include <asm/unaligned.h>
26 
27 /*
28  * Some filesystems were never converted to '->iterate_shared()'
29  * and their directory iterators want the inode lock held for
30  * writing. This wrapper allows for converting from the shared
31  * semantics to the exclusive inode use.
32  */
33 int wrap_directory_iterator(struct file *file,
34 			    struct dir_context *ctx,
35 			    int (*iter)(struct file *, struct dir_context *))
36 {
37 	struct inode *inode = file_inode(file);
38 	int ret;
39 
40 	/*
41 	 * We'd love to have an 'inode_upgrade_trylock()' operation,
42 	 * see the comment in mmap_upgrade_trylock() in mm/memory.c.
43 	 *
44 	 * But considering this is for "filesystems that never got
45 	 * converted", it really doesn't matter.
46 	 *
47 	 * Also note that since we have to return with the lock held
48 	 * for reading, we can't use the "killable()" locking here,
49 	 * since we do need to get the lock even if we're dying.
50 	 *
51 	 * We could do the write part killably and then get the read
52 	 * lock unconditionally if it mattered, but see above on why
53 	 * this does the very simplistic conversion.
54 	 */
55 	up_read(&inode->i_rwsem);
56 	down_write(&inode->i_rwsem);
57 
58 	/*
59 	 * Since we dropped the inode lock, we should do the
60 	 * DEADDIR test again. See 'iterate_dir()' below.
61 	 *
62 	 * Note that we don't need to re-do the f_pos games,
63 	 * since the file must be locked wrt f_pos anyway.
64 	 */
65 	ret = -ENOENT;
66 	if (!IS_DEADDIR(inode))
67 		ret = iter(file, ctx);
68 
69 	downgrade_write(&inode->i_rwsem);
70 	return ret;
71 }
72 EXPORT_SYMBOL(wrap_directory_iterator);
73 
74 /*
75  * Note the "unsafe_put_user() semantics: we goto a
76  * label for errors.
77  */
78 #define unsafe_copy_dirent_name(_dst, _src, _len, label) do {	\
79 	char __user *dst = (_dst);				\
80 	const char *src = (_src);				\
81 	size_t len = (_len);					\
82 	unsafe_put_user(0, dst+len, label);			\
83 	unsafe_copy_to_user(dst, src, len, label);		\
84 } while (0)
85 
86 
87 int iterate_dir(struct file *file, struct dir_context *ctx)
88 {
89 	struct inode *inode = file_inode(file);
90 	int res = -ENOTDIR;
91 
92 	if (!file->f_op->iterate_shared)
93 		goto out;
94 
95 	res = security_file_permission(file, MAY_READ);
96 	if (res)
97 		goto out;
98 
99 	res = fsnotify_file_perm(file, MAY_READ);
100 	if (res)
101 		goto out;
102 
103 	res = down_read_killable(&inode->i_rwsem);
104 	if (res)
105 		goto out;
106 
107 	res = -ENOENT;
108 	if (!IS_DEADDIR(inode)) {
109 		ctx->pos = file->f_pos;
110 		res = file->f_op->iterate_shared(file, ctx);
111 		file->f_pos = ctx->pos;
112 		fsnotify_access(file);
113 		file_accessed(file);
114 	}
115 	inode_unlock_shared(inode);
116 out:
117 	return res;
118 }
119 EXPORT_SYMBOL(iterate_dir);
120 
121 /*
122  * POSIX says that a dirent name cannot contain NULL or a '/'.
123  *
124  * It's not 100% clear what we should really do in this case.
125  * The filesystem is clearly corrupted, but returning a hard
126  * error means that you now don't see any of the other names
127  * either, so that isn't a perfect alternative.
128  *
129  * And if you return an error, what error do you use? Several
130  * filesystems seem to have decided on EUCLEAN being the error
131  * code for EFSCORRUPTED, and that may be the error to use. Or
132  * just EIO, which is perhaps more obvious to users.
133  *
134  * In order to see the other file names in the directory, the
135  * caller might want to make this a "soft" error: skip the
136  * entry, and return the error at the end instead.
137  *
138  * Note that this should likely do a "memchr(name, 0, len)"
139  * check too, since that would be filesystem corruption as
140  * well. However, that case can't actually confuse user space,
141  * which has to do a strlen() on the name anyway to find the
142  * filename length, and the above "soft error" worry means
143  * that it's probably better left alone until we have that
144  * issue clarified.
145  *
146  * Note the PATH_MAX check - it's arbitrary but the real
147  * kernel limit on a possible path component, not NAME_MAX,
148  * which is the technical standard limit.
149  */
150 static int verify_dirent_name(const char *name, int len)
151 {
152 	if (len <= 0 || len >= PATH_MAX)
153 		return -EIO;
154 	if (memchr(name, '/', len))
155 		return -EIO;
156 	return 0;
157 }
158 
159 /*
160  * Traditional linux readdir() handling..
161  *
162  * "count=1" is a special case, meaning that the buffer is one
163  * dirent-structure in size and that the code can't handle more
164  * anyway. Thus the special "fillonedir()" function for that
165  * case (the low-level handlers don't need to care about this).
166  */
167 
168 #ifdef __ARCH_WANT_OLD_READDIR
169 
170 struct old_linux_dirent {
171 	unsigned long	d_ino;
172 	unsigned long	d_offset;
173 	unsigned short	d_namlen;
174 	char		d_name[];
175 };
176 
177 struct readdir_callback {
178 	struct dir_context ctx;
179 	struct old_linux_dirent __user * dirent;
180 	int result;
181 };
182 
183 static bool fillonedir(struct dir_context *ctx, const char *name, int namlen,
184 		      loff_t offset, u64 ino, unsigned int d_type)
185 {
186 	struct readdir_callback *buf =
187 		container_of(ctx, struct readdir_callback, ctx);
188 	struct old_linux_dirent __user * dirent;
189 	unsigned long d_ino;
190 
191 	if (buf->result)
192 		return false;
193 	buf->result = verify_dirent_name(name, namlen);
194 	if (buf->result)
195 		return false;
196 	d_ino = ino;
197 	if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
198 		buf->result = -EOVERFLOW;
199 		return false;
200 	}
201 	buf->result++;
202 	dirent = buf->dirent;
203 	if (!user_write_access_begin(dirent,
204 			(unsigned long)(dirent->d_name + namlen + 1) -
205 				(unsigned long)dirent))
206 		goto efault;
207 	unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
208 	unsafe_put_user(offset, &dirent->d_offset, efault_end);
209 	unsafe_put_user(namlen, &dirent->d_namlen, efault_end);
210 	unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
211 	user_write_access_end();
212 	return true;
213 efault_end:
214 	user_write_access_end();
215 efault:
216 	buf->result = -EFAULT;
217 	return false;
218 }
219 
220 SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
221 		struct old_linux_dirent __user *, dirent, unsigned int, count)
222 {
223 	int error;
224 	struct fd f = fdget_pos(fd);
225 	struct readdir_callback buf = {
226 		.ctx.actor = fillonedir,
227 		.dirent = dirent
228 	};
229 
230 	if (!f.file)
231 		return -EBADF;
232 
233 	error = iterate_dir(f.file, &buf.ctx);
234 	if (buf.result)
235 		error = buf.result;
236 
237 	fdput_pos(f);
238 	return error;
239 }
240 
241 #endif /* __ARCH_WANT_OLD_READDIR */
242 
243 /*
244  * New, all-improved, singing, dancing, iBCS2-compliant getdents()
245  * interface.
246  */
247 struct linux_dirent {
248 	unsigned long	d_ino;
249 	unsigned long	d_off;
250 	unsigned short	d_reclen;
251 	char		d_name[];
252 };
253 
254 struct getdents_callback {
255 	struct dir_context ctx;
256 	struct linux_dirent __user * current_dir;
257 	int prev_reclen;
258 	int count;
259 	int error;
260 };
261 
262 static bool filldir(struct dir_context *ctx, const char *name, int namlen,
263 		   loff_t offset, u64 ino, unsigned int d_type)
264 {
265 	struct linux_dirent __user *dirent, *prev;
266 	struct getdents_callback *buf =
267 		container_of(ctx, struct getdents_callback, ctx);
268 	unsigned long d_ino;
269 	int reclen = ALIGN(offsetof(struct linux_dirent, d_name) + namlen + 2,
270 		sizeof(long));
271 	int prev_reclen;
272 
273 	buf->error = verify_dirent_name(name, namlen);
274 	if (unlikely(buf->error))
275 		return false;
276 	buf->error = -EINVAL;	/* only used if we fail.. */
277 	if (reclen > buf->count)
278 		return false;
279 	d_ino = ino;
280 	if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
281 		buf->error = -EOVERFLOW;
282 		return false;
283 	}
284 	prev_reclen = buf->prev_reclen;
285 	if (prev_reclen && signal_pending(current))
286 		return false;
287 	dirent = buf->current_dir;
288 	prev = (void __user *) dirent - prev_reclen;
289 	if (!user_write_access_begin(prev, reclen + prev_reclen))
290 		goto efault;
291 
292 	/* This might be 'dirent->d_off', but if so it will get overwritten */
293 	unsafe_put_user(offset, &prev->d_off, efault_end);
294 	unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
295 	unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
296 	unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end);
297 	unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
298 	user_write_access_end();
299 
300 	buf->current_dir = (void __user *)dirent + reclen;
301 	buf->prev_reclen = reclen;
302 	buf->count -= reclen;
303 	return true;
304 efault_end:
305 	user_write_access_end();
306 efault:
307 	buf->error = -EFAULT;
308 	return false;
309 }
310 
311 SYSCALL_DEFINE3(getdents, unsigned int, fd,
312 		struct linux_dirent __user *, dirent, unsigned int, count)
313 {
314 	struct fd f;
315 	struct getdents_callback buf = {
316 		.ctx.actor = filldir,
317 		.count = count,
318 		.current_dir = dirent
319 	};
320 	int error;
321 
322 	f = fdget_pos(fd);
323 	if (!f.file)
324 		return -EBADF;
325 
326 	error = iterate_dir(f.file, &buf.ctx);
327 	if (error >= 0)
328 		error = buf.error;
329 	if (buf.prev_reclen) {
330 		struct linux_dirent __user * lastdirent;
331 		lastdirent = (void __user *)buf.current_dir - buf.prev_reclen;
332 
333 		if (put_user(buf.ctx.pos, &lastdirent->d_off))
334 			error = -EFAULT;
335 		else
336 			error = count - buf.count;
337 	}
338 	fdput_pos(f);
339 	return error;
340 }
341 
342 struct getdents_callback64 {
343 	struct dir_context ctx;
344 	struct linux_dirent64 __user * current_dir;
345 	int prev_reclen;
346 	int count;
347 	int error;
348 };
349 
350 static bool filldir64(struct dir_context *ctx, const char *name, int namlen,
351 		     loff_t offset, u64 ino, unsigned int d_type)
352 {
353 	struct linux_dirent64 __user *dirent, *prev;
354 	struct getdents_callback64 *buf =
355 		container_of(ctx, struct getdents_callback64, ctx);
356 	int reclen = ALIGN(offsetof(struct linux_dirent64, d_name) + namlen + 1,
357 		sizeof(u64));
358 	int prev_reclen;
359 
360 	buf->error = verify_dirent_name(name, namlen);
361 	if (unlikely(buf->error))
362 		return false;
363 	buf->error = -EINVAL;	/* only used if we fail.. */
364 	if (reclen > buf->count)
365 		return false;
366 	prev_reclen = buf->prev_reclen;
367 	if (prev_reclen && signal_pending(current))
368 		return false;
369 	dirent = buf->current_dir;
370 	prev = (void __user *)dirent - prev_reclen;
371 	if (!user_write_access_begin(prev, reclen + prev_reclen))
372 		goto efault;
373 
374 	/* This might be 'dirent->d_off', but if so it will get overwritten */
375 	unsafe_put_user(offset, &prev->d_off, efault_end);
376 	unsafe_put_user(ino, &dirent->d_ino, efault_end);
377 	unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
378 	unsafe_put_user(d_type, &dirent->d_type, efault_end);
379 	unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
380 	user_write_access_end();
381 
382 	buf->prev_reclen = reclen;
383 	buf->current_dir = (void __user *)dirent + reclen;
384 	buf->count -= reclen;
385 	return true;
386 
387 efault_end:
388 	user_write_access_end();
389 efault:
390 	buf->error = -EFAULT;
391 	return false;
392 }
393 
394 SYSCALL_DEFINE3(getdents64, unsigned int, fd,
395 		struct linux_dirent64 __user *, dirent, unsigned int, count)
396 {
397 	struct fd f;
398 	struct getdents_callback64 buf = {
399 		.ctx.actor = filldir64,
400 		.count = count,
401 		.current_dir = dirent
402 	};
403 	int error;
404 
405 	f = fdget_pos(fd);
406 	if (!f.file)
407 		return -EBADF;
408 
409 	error = iterate_dir(f.file, &buf.ctx);
410 	if (error >= 0)
411 		error = buf.error;
412 	if (buf.prev_reclen) {
413 		struct linux_dirent64 __user * lastdirent;
414 		typeof(lastdirent->d_off) d_off = buf.ctx.pos;
415 
416 		lastdirent = (void __user *) buf.current_dir - buf.prev_reclen;
417 		if (put_user(d_off, &lastdirent->d_off))
418 			error = -EFAULT;
419 		else
420 			error = count - buf.count;
421 	}
422 	fdput_pos(f);
423 	return error;
424 }
425 
426 #ifdef CONFIG_COMPAT
427 struct compat_old_linux_dirent {
428 	compat_ulong_t	d_ino;
429 	compat_ulong_t	d_offset;
430 	unsigned short	d_namlen;
431 	char		d_name[];
432 };
433 
434 struct compat_readdir_callback {
435 	struct dir_context ctx;
436 	struct compat_old_linux_dirent __user *dirent;
437 	int result;
438 };
439 
440 static bool compat_fillonedir(struct dir_context *ctx, const char *name,
441 			     int namlen, loff_t offset, u64 ino,
442 			     unsigned int d_type)
443 {
444 	struct compat_readdir_callback *buf =
445 		container_of(ctx, struct compat_readdir_callback, ctx);
446 	struct compat_old_linux_dirent __user *dirent;
447 	compat_ulong_t d_ino;
448 
449 	if (buf->result)
450 		return false;
451 	buf->result = verify_dirent_name(name, namlen);
452 	if (buf->result)
453 		return false;
454 	d_ino = ino;
455 	if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
456 		buf->result = -EOVERFLOW;
457 		return false;
458 	}
459 	buf->result++;
460 	dirent = buf->dirent;
461 	if (!user_write_access_begin(dirent,
462 			(unsigned long)(dirent->d_name + namlen + 1) -
463 				(unsigned long)dirent))
464 		goto efault;
465 	unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
466 	unsafe_put_user(offset, &dirent->d_offset, efault_end);
467 	unsafe_put_user(namlen, &dirent->d_namlen, efault_end);
468 	unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
469 	user_write_access_end();
470 	return true;
471 efault_end:
472 	user_write_access_end();
473 efault:
474 	buf->result = -EFAULT;
475 	return false;
476 }
477 
478 COMPAT_SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
479 		struct compat_old_linux_dirent __user *, dirent, unsigned int, count)
480 {
481 	int error;
482 	struct fd f = fdget_pos(fd);
483 	struct compat_readdir_callback buf = {
484 		.ctx.actor = compat_fillonedir,
485 		.dirent = dirent
486 	};
487 
488 	if (!f.file)
489 		return -EBADF;
490 
491 	error = iterate_dir(f.file, &buf.ctx);
492 	if (buf.result)
493 		error = buf.result;
494 
495 	fdput_pos(f);
496 	return error;
497 }
498 
499 struct compat_linux_dirent {
500 	compat_ulong_t	d_ino;
501 	compat_ulong_t	d_off;
502 	unsigned short	d_reclen;
503 	char		d_name[];
504 };
505 
506 struct compat_getdents_callback {
507 	struct dir_context ctx;
508 	struct compat_linux_dirent __user *current_dir;
509 	int prev_reclen;
510 	int count;
511 	int error;
512 };
513 
514 static bool compat_filldir(struct dir_context *ctx, const char *name, int namlen,
515 		loff_t offset, u64 ino, unsigned int d_type)
516 {
517 	struct compat_linux_dirent __user *dirent, *prev;
518 	struct compat_getdents_callback *buf =
519 		container_of(ctx, struct compat_getdents_callback, ctx);
520 	compat_ulong_t d_ino;
521 	int reclen = ALIGN(offsetof(struct compat_linux_dirent, d_name) +
522 		namlen + 2, sizeof(compat_long_t));
523 	int prev_reclen;
524 
525 	buf->error = verify_dirent_name(name, namlen);
526 	if (unlikely(buf->error))
527 		return false;
528 	buf->error = -EINVAL;	/* only used if we fail.. */
529 	if (reclen > buf->count)
530 		return false;
531 	d_ino = ino;
532 	if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
533 		buf->error = -EOVERFLOW;
534 		return false;
535 	}
536 	prev_reclen = buf->prev_reclen;
537 	if (prev_reclen && signal_pending(current))
538 		return false;
539 	dirent = buf->current_dir;
540 	prev = (void __user *) dirent - prev_reclen;
541 	if (!user_write_access_begin(prev, reclen + prev_reclen))
542 		goto efault;
543 
544 	unsafe_put_user(offset, &prev->d_off, efault_end);
545 	unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
546 	unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
547 	unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end);
548 	unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
549 	user_write_access_end();
550 
551 	buf->prev_reclen = reclen;
552 	buf->current_dir = (void __user *)dirent + reclen;
553 	buf->count -= reclen;
554 	return true;
555 efault_end:
556 	user_write_access_end();
557 efault:
558 	buf->error = -EFAULT;
559 	return false;
560 }
561 
562 COMPAT_SYSCALL_DEFINE3(getdents, unsigned int, fd,
563 		struct compat_linux_dirent __user *, dirent, unsigned int, count)
564 {
565 	struct fd f;
566 	struct compat_getdents_callback buf = {
567 		.ctx.actor = compat_filldir,
568 		.current_dir = dirent,
569 		.count = count
570 	};
571 	int error;
572 
573 	f = fdget_pos(fd);
574 	if (!f.file)
575 		return -EBADF;
576 
577 	error = iterate_dir(f.file, &buf.ctx);
578 	if (error >= 0)
579 		error = buf.error;
580 	if (buf.prev_reclen) {
581 		struct compat_linux_dirent __user * lastdirent;
582 		lastdirent = (void __user *)buf.current_dir - buf.prev_reclen;
583 
584 		if (put_user(buf.ctx.pos, &lastdirent->d_off))
585 			error = -EFAULT;
586 		else
587 			error = count - buf.count;
588 	}
589 	fdput_pos(f);
590 	return error;
591 }
592 #endif
593