Commit message (Author, Age)
* fusermount: bail out on transient config read failure (Jann Horn, 2018-07-18)
  If an attacker wishes to use the default configuration instead of the
  system's actual configuration, they can attempt to trigger a failure in
  read_conf(). This only permits increasing mount_max if it is lower than the
  default, so it's not particularly interesting. Still, this should probably
  be prevented robustly; bail out if funny stuff happens when we're trying to
  read the config.

  Note that the classic attack trick of opening so many files that the
  system-wide limit is reached won't work here - because fusermount only
  drops the fsuid, not the euid, the process is running with euid=0 and
  CAP_SYS_ADMIN, so it bypasses the number-of-globally-open-files check in
  get_empty_filp() (unless you're inside a user namespace).
* fusermount: don't feed "escaped commas" into mount options (Jann Horn, 2018-07-18)
  The old code permits the following behavior:

      $ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount
      mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument)

  However, backslashes do not have any special meaning for the kernel here.

  As it happens, you can't abuse this because there is no FUSE mount option
  that takes a string value that can contain backslashes; but this is very
  brittle. Don't interpret "escape characters" in places where they don't
  work.
* fusermount: prevent silent truncation of mount options (Jann Horn, 2018-07-18)
  Currently, in the kernel, copy_mount_options() copies in one page of
  userspace memory (or less if some of that memory area is not mapped).
  do_mount() then writes a null byte to the last byte of the copied page.
  This means that mount option strings longer than PAGE_SIZE-1 bytes get
  truncated silently.

  Therefore, this can happen:

      user@d9-ut:~$ _FUSE_COMMFD=10000 fusermount -o "$(perl -e 'print ","x4000')" mount
      sending file descriptor: Bad file descriptor
      user@d9-ut:~$ grep /mount /proc/mounts
      /dev/fuse /home/user/mount fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
      user@d9-ut:~$ fusermount -u mount
      user@d9-ut:~$ _FUSE_COMMFD=10000 fusermount -o "$(perl -e 'print ","x4050')" mount
      sending file descriptor: Bad file descriptor
      user@d9-ut:~$ grep /mount /proc/mounts
      /dev/fuse /home/user/mount fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=100 0 0
      user@d9-ut:~$ fusermount -u mount
      user@d9-ut:~$ _FUSE_COMMFD=10000 fusermount -o "$(perl -e 'print ","x4051')" mount
      sending file descriptor: Bad file descriptor
      user@d9-ut:~$ grep /mount /proc/mounts
      /dev/fuse /home/user/mount fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=10 0 0
      user@d9-ut:~$ fusermount -u mount
      user@d9-ut:~$ _FUSE_COMMFD=10000 fusermount -o "$(perl -e 'print ","x4052')" mount
      sending file descriptor: Bad file descriptor
      user@d9-ut:~$ grep /mount /proc/mounts
      /dev/fuse /home/user/mount fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1 0 0
      user@d9-ut:~$ fusermount -u mount

  I'm not aware of any context in which this is actually exploitable - you'd
  still need the UIDs to fit, and you can't do it if the three GIDs of the
  process don't match (in the case of a typical setgid binary), but it does
  look like something that should be fixed.

  I also plan to try to get this fixed on the kernel side.
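
The one-page copy described in the commit message above can be modelled in user space to show why a length check before mount() closes the gap. This is an added example, not libfuse's or the kernel's code: it assumes 4 KiB pages, the option string is constructed, and `build_opts`, `gid_seen_by_kernel` and `check_mount_opts` are hypothetical names.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: 4 KiB pages; real code would ask sysconf(_SC_PAGESIZE). */
#define SIM_PAGE_SIZE ((size_t)4096)

/* Constructed input: `pad` filler commas, then trailing options shaped like
 * the ones in the strace output quoted in the log. Caller frees. */
char *build_opts(size_t pad)
{
	static const char tail[] = "fd=3,rootmode=40000,user_id=1000,group_id=1000";
	char *s = malloc(pad + sizeof(tail));
	if (!s) abort();
	memset(s, ',', pad);
	memcpy(s + pad, tail, sizeof(tail));	/* copies the NUL as well */
	return s;
}

/* Model of the described copy: at most one page, last byte forced to NUL.
 * Returns the group_id that would then be parsed, -1 if the key was cut. */
long gid_seen_by_kernel(const char *opts)
{
	char page[SIM_PAGE_SIZE] = {0};
	size_t n = strlen(opts);
	memcpy(page, opts, n < SIM_PAGE_SIZE ? n : SIM_PAGE_SIZE);
	page[SIM_PAGE_SIZE - 1] = '\0';
	const char *p = strstr(page, "group_id=");
	return p ? strtol(p + 9, NULL, 10) : -1;
}

/* Hypothetical guard: refuse anything that would not survive the copy. */
int check_mount_opts(const char *opts)
{
	if (strlen(opts) > SIM_PAGE_SIZE - 1) {
		errno = EINVAL;
		return -1;
	}
	return 0;
}

int main(void)
{
	for (size_t pad = 4049; pad <= 4052; pad++) {
		char *o = build_opts(pad);
		printf("pad=%zu guard=%d group_id=%ld\n", pad, check_mount_opts(o), gid_seen_by_kernel(o));
		free(o);
	}
	return 0;
}
```

The guard accepts the longest string that still fits (PAGE_SIZE-1 bytes) and rejects the first one whose last digit would be lost, so the caller fails with EINVAL instead of mounting with a different group_id.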
* Released 3.2.4 (Nikolaus Rath, 2018-07-11)
* Don't assume sub-second resolution for st_atime/st_mtime. (Nikolaus Rath, 2018-07-11)
  Fixes: #224
* Use triple quotes for multiline string. (Nikolaus Rath, 2018-07-04)
  Single quotes will become an error in a future meson release.
* Document that access() is also called on chdir(). (Nikolaus Rath, 2018-07-04)
  Source: Miklos Szeredi on fuse-devel, Wednesday, 4 July 2018 15:29.
* Source LSB init functions (Laszlo Boszormenyi (GCS), 2018-07-04)
* Fix manpage filename for mount.fuse3 (Laszlo Boszormenyi (GCS), 2018-07-04)
* fuse.h: fix typo (currenlty -> currently) (William Woodruff, 2018-07-02)
* fix documentation for opendir in fuse_operations (Carl Edquist, 2018-05-24)
  the filehandle from opendir is passed to releasedir - there is no
  closedir function in fuse_operations
* rename: perform user mode dir loop check when not done in kernel (Bill Zissimooulos, 2018-05-18)
  Fix conditionals as per maintainer's request.
* changelog: add info on rename deadlock fix (Bill Zissimopoulos, 2018-05-18)
* rename: perform user mode dir loop check when not done in kernel (Bill Zissimooulos, 2018-05-18)
  Linux performs the dir loop check (rename(a, a/b/c) or rename(a/b/c, a),
  etc.) in kernel. Unfortunately other systems do not perform this check
  (e.g. FreeBSD). This results in a deadlock in get_path2, because libfuse
  did not expect to handle such cases. We add a check_dir_loop function that
  performs the dir loop check in user mode and enable it on systems that
  need it.
* Released 3.2.3 (Nikolaus Rath, 2018-05-11)
* add_arg(): check for overflow (Nikolaus Rath, 2018-05-11)
  Fixes: #222.
* Fix compile-time warnings on IGNORE_MTAB (Tomohiro Kusumi, 2018-05-08)
  Silence below warnings which appear if IGNORE_MTAB is defined.

      [59/64] Compiling C object 'util/fusermount3@exe/fusermount.c.o'.
      ../util/fusermount.c:493:12: warning: function declaration isn't a prototype [-Wstrict-prototypes]
       static int count_fuse_fs()
                  ^~~~~~~~~~~~~
      ../util/fusermount.c: In function 'unmount_fuse':
      ../util/fusermount.c:508:46: warning: unused parameter 'quiet' [-Wunused-parameter]
       static int unmount_fuse(const char *mnt, int quiet, int lazy)
                                                    ^~~~~
* Fix path to pytest cache directory. (Nikolaus Rath, 2018-04-13)
* Invert calloc(3) argument order (`nmemb` comes first) (Tomohiro Kusumi, 2018-04-13)
  No functional difference expected, but should still follow the standard.
  http://pubs.opengroup.org/onlinepubs/009695399/functions/calloc.html
* Drop unneeded void cast for actually used local variable (Tomohiro Kusumi, 2018-04-13)
  `int sig` is actually used, so `(void) sig;` is unneeded.
* Drop redundant ; from FUSE_REGISTER_MODULE() (Tomohiro Kusumi, 2018-04-13)
  Callers do (and should) use ;.
* Travis: remove root-owned cache files. (Nikolaus Rath, 2018-03-31)
* Fix Travis build environment (Nikolaus Rath, 2018-03-31)
  Newest Meson requires Python 3.5 which isn't available in Trusty.
  Pip version pin no longer necessary.
* Fixed up duplicate ChangeLog entry. (Nikolaus Rath, 2018-03-31)
* Released 3.2.2 (Nikolaus Rath, 2018-03-31)
* Add example configuration file (#216) (admorgan, 2018-03-28)
  Add a configuration file with all options disabled that includes all
  valid options and their description.
* Fix build error on DragonFlyBSD (sync with other *BSD) (#240) (Tomohiro Kusumi, 2018-03-28)
  DragonFlyBSD has no "bsd" in uname, so add 'dragonfly' to conditionals.

      -- e.g. uname(1) in DragonFlyBSD
      [root@ ~]# uname
      DragonFly
      [root@ ~]# python -c "import sys; print(sys.platform)"
      dragonfly5
* Fix uninitialised read in fuse_new_30() (#231) (#234) (Ashley Pittman, 2018-02-09)
  Ensure that conf is always zero before it's read from to prevent
  sporadic failure at startup if higher layers were built against
  version 3.0

  Signed-off-by: Ashley Pittman <ashley.m.pittman@intel.com>
* Fix typo in "passthrough" docstring (#229) (Mateusz Urbańczyk, 2018-01-15)
* Handle mount ... -o nofail (#221) (Josh Soref, 2017-12-01)
  Accept (and ignore) nofail mount option
* fix "Rath Consulting" link (#225) (divinity76, 2017-11-27)
* Spelling (#223) (Josh Soref, 2017-11-27)
  Fix spelling errors
* Released 3.2.1 (Nikolaus Rath, 2017-11-14)
* Updated professional support information. (Nikolaus Rath, 2017-11-13)
* Backed out d92bf83 (Nikolaus Rath, 2017-11-03)
  This change is bogus. fuse_module_factory_t is already a pointer type.
  Additionally, if dlsym returns NULL, then you will be dereferencing it
  causing a segfault. In my testing, a segfault will happen even if dlsym
  returns successfully.

  Thanks to Michael Theall for spotting!
* Don't install manpages under *BSD (Nikolaus Rath, 2017-10-20)
  We're not installing the corresponding binaries either, since those are
  provided by the BSD base system.
* Don't use Python mode for meson.build (Nikolaus Rath, 2017-10-20)
  Emacs now has a proper meson mode :-).
* make udevrulesdir configurable (Joerg Thalheim, 2017-10-20)
  on nixos we install fuse in its own hierarchy independent from systemd.
* Adding pointer dereferencing after calling dlsym() (Sangwoo Moon, 2017-09-27)
  dlsym() resolves the location of the loaded symbol, therefore dlsym()
  returns the type (fuse_module_factory_t *), not (fuse_module_factory_t).
  Added pointer dereferencing to correctly refer to the factory function.
* fuse_lib_ioctl(): don't call memcpy with NULL argument (Nikolaus Rath, 2017-09-25)
  This was detected by using clang's undefined behavior sanitizer, but
  didn't seem to cause problems in practice.
* Link with -lrt to support ancient libc (Nikolaus Rath, 2017-09-25)
  Fixes: #207.
* Removed unnecessary #include <config.h> from examples (Nikolaus Rath, 2017-09-25)
  Fixes: #208.
* Automatically print list of contributors when generating tarball (Nikolaus Rath, 2017-09-20)
* Travis CI: Don't use deprecated environment (Nikolaus Rath, 2017-09-20)
  Travis support recommends to install specific pip version to work around
  problems in new environment.
* Correctly define fusermount3 path. (Nikolaus Rath, 2017-09-19)
* Make *_loop_mt() available in version 3.0 again (Nikolaus Rath, 2017-09-19)
  The old versions of these symbols were defined with version tag
  FUSE_3.0, so this is what we have to use in the .symver directive.
* Fix versioned symbols in version script (Nikolaus Rath, 2017-09-19)
  According to "How to Write Shared Libraries" by Ulrich Drepper
  (https://www.akkadia.org/drepper/dsohowto.pdf), the version script should
  contain the exported name of the versioned symbol once in each tag for
  which it has been defined by .symver.
* Don't use external symbol names in internal files (Nikolaus Rath, 2017-09-19)
  The fuse_session_loop_mt() and fuse_loop_mt() symbols are only visible
  when linking against the shared object. The code in lib/, however, is
  compiled *into* the shared object and should thus use the internal names
  of these functions.

  Surprisingly enough, the code still worked before - but only when link
  time optimization was disabled.

  Unfortunately, we still can't compile with LTO because it seems that
  enabling LTO somehow makes the tagged symbols vanish.

  Without lto, we have:

      $ nm lib/libfuse3.so | grep fuse_new
      0000000000011070 T fuse_new_30
      0000000000010a00 t fuse_new_31
      0000000000011070 T fuse_new@FUSE_3.0
      0000000000010a00 T fuse_new@@FUSE_3.1

  and with LTO:

      $ nm lib/libfuse3.so | grep fuse_new
      0000000000019a70 T fuse_new_30
      0000000000019270 t fuse_new_31

  See also issue #198.
* Include source code in documentation. (Nikolaus Rath, 2017-09-17)
* make_release_tarball.sh: be less verbose (Nikolaus Rath, 2017-09-17)