From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 7 Jun 2018 11:24:03 +0000 (+0200)
Subject: copy: put a depth limit on copying file system trees recursively
X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=71a053fff0eb3057822d4dec809f7078c3c9a95b;p=elogind.git

copy: put a depth limit on copying file system trees recursively

This is a safety net against bind mount cycles, as such pick it
relatively high at 2048 for now.

As suggested by @filbranden on #9213
---

diff --git a/src/basic/copy.c b/src/basic/copy.c
index c09292b94..964613f8c 100644
--- a/src/basic/copy.c
+++ b/src/basic/copy.c
@@ -37,7 +37,12 @@
 #include "user-util.h"
 //#include "xattr-util.h"
 
-#define COPY_BUFFER_SIZE (16*1024u)
+#define COPY_BUFFER_SIZE (16U*1024U)
+
+/* A safety net for descending recursively into file system trees to copy. On Linux PATH_MAX is 4096, which means the
+ * deepest valid path one can build is around 2048, which we hence use as a safety net here, to not spin endlessly in
+ * case of bind mount cycles and suchlike. */
+#define COPY_DEPTH_MAX 2048U
 
 static ssize_t try_copy_file_range(
                 int fd_in, loff_t *off_in,
@@ -483,6 +488,7 @@ static int fd_copy_directory(
                 int dt,
                 const char *to,
                 dev_t original_device,
+                unsigned depth_left,
                 uid_t override_uid,
                 gid_t override_gid,
                 CopyFlags copy_flags) {
@@ -496,6 +502,9 @@ static int fd_copy_directory(
         assert(st);
         assert(to);
 
+        if (depth_left == 0)
+                return -ENAMETOOLONG;
+
         if (from)
                 fdf = openat(df, from, O_RDONLY|O_DIRECTORY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW);
         else
@@ -549,7 +558,9 @@ static int fd_copy_directory(
                          * • The main reason we do this check at all is to protect ourselves from bind mount cycles,
                          *   where we really want to avoid descending down in all eternity. However the .st_dev check
                          *   is usually not sufficient for this protection anyway, as bind mount cycles from the same
-                         *   file system onto itself can't be detected that way.
+                         *   file system onto itself can't be detected that way. (Note we also do a recursion depth
+                         *   check, which is probably the better protection in this regard, which is why
+                         *   COPY_SAME_MOUNT is optional).
                          */
 
                         if (FLAGS_SET(copy_flags, COPY_SAME_MOUNT)) {
@@ -563,7 +574,7 @@ static int fd_copy_directory(
                                         continue;
                         }
 
-                        q = fd_copy_directory(dirfd(d), de->d_name, &buf, fdt, de->d_name, original_device, override_uid, override_gid, copy_flags);
+                        q = fd_copy_directory(dirfd(d), de->d_name, &buf, fdt, de->d_name, original_device, depth_left-1, override_uid, override_gid, copy_flags);
                 } else if (S_ISREG(buf.st_mode))
                         q = fd_copy_regular(dirfd(d), de->d_name, &buf, fdt, de->d_name, override_uid, override_gid, copy_flags);
                 else if (S_ISLNK(buf.st_mode))
@@ -615,7 +626,7 @@ int copy_tree_at(int fdf, const char *from, int fdt, const char *to, uid_t overr
         if (S_ISREG(st.st_mode))
                 return fd_copy_regular(fdf, from, &st, fdt, to, override_uid, override_gid, copy_flags);
         else if (S_ISDIR(st.st_mode))
-                return fd_copy_directory(fdf, from, &st, fdt, to, st.st_dev, override_uid, override_gid, copy_flags);
+                return fd_copy_directory(fdf, from, &st, fdt, to, st.st_dev, COPY_DEPTH_MAX, override_uid, override_gid, copy_flags);
         else if (S_ISLNK(st.st_mode))
                 return fd_copy_symlink(fdf, from, &st, fdt, to, override_uid, override_gid, copy_flags);
         else if (S_ISFIFO(st.st_mode))
@@ -642,7 +653,7 @@ int copy_directory_fd(int dirfd, const char *to, CopyFlags copy_flags) {
         if (!S_ISDIR(st.st_mode))
                 return -ENOTDIR;
 
-        return fd_copy_directory(dirfd, NULL, &st, AT_FDCWD, to, st.st_dev, UID_INVALID, GID_INVALID, copy_flags);
+        return fd_copy_directory(dirfd, NULL, &st, AT_FDCWD, to, st.st_dev, COPY_DEPTH_MAX, UID_INVALID, GID_INVALID, copy_flags);
 }
 
 int copy_directory(const char *from, const char *to, CopyFlags copy_flags) {
@@ -657,7 +668,7 @@ int copy_directory(const char *from, const char *to, CopyFlags copy_flags) {
         if (!S_ISDIR(st.st_mode))
                 return -ENOTDIR;
 
-        return fd_copy_directory(AT_FDCWD, from, &st, AT_FDCWD, to, st.st_dev, UID_INVALID, GID_INVALID, copy_flags);
+        return fd_copy_directory(AT_FDCWD, from, &st, AT_FDCWD, to, st.st_dev, COPY_DEPTH_MAX, UID_INVALID, GID_INVALID, copy_flags);
 }
 
 int copy_file_fd(const char *from, int fdt, CopyFlags copy_flags) {