| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 Aug 2023 07:27:36 -0700
From: Christoph Hellwig <hch@...radead.org>
To: Al Viro <viro@...iv.linux.org.uk>
Cc: Jan Kara <jack@...e.cz>, linux-fsdevel@...r.kernel.org,
linux-block@...r.kernel.org, Christoph Hellwig <hch@...radead.org>,
Alasdair Kergon <agk@...hat.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Anna Schumaker <anna@...nel.org>, Chao Yu <chao@...nel.org>,
Christian Borntraeger <borntraeger@...ux.ibm.com>,
"Darrick J. Wong" <djwong@...nel.org>,
Dave Kleikamp <shaggy@...nel.org>,
David Sterba <dsterba@...e.com>, dm-devel@...hat.com,
drbd-dev@...ts.linbit.com, Gao Xiang <xiang@...nel.org>,
Jack Wang <jinpu.wang@...os.com>,
Jaegeuk Kim <jaegeuk@...nel.org>,
jfs-discussion@...ts.sourceforge.net,
Joern Engel <joern@...ybastard.org>,
Joseph Qi <joseph.qi@...ux.alibaba.com>,
Kent Overstreet <kent.overstreet@...il.com>,
linux-bcache@...r.kernel.org, linux-btrfs@...r.kernel.org,
linux-erofs@...ts.ozlabs.org, linux-ext4@...r.kernel.org,
linux-f2fs-devel@...ts.sourceforge.net, linux-mm@...ck.org,
linux-mtd@...ts.infradead.org, linux-nfs@...r.kernel.org,
linux-nilfs@...r.kernel.org, linux-nvme@...ts.infradead.org,
linux-pm@...r.kernel.org, linux-raid@...r.kernel.org,
linux-s390@...r.kernel.org, linux-scsi@...r.kernel.org,
linux-xfs@...r.kernel.org,
"Md. Haris Iqbal" <haris.iqbal@...os.com>,
Mike Snitzer <snitzer@...nel.org>,
Minchan Kim <minchan@...nel.org>, ocfs2-devel@....oracle.com,
reiserfs-devel@...r.kernel.org,
Sergey Senozhatsky <senozhatsky@...omium.org>,
Song Liu <song@...nel.org>,
Sven Schnelle <svens@...ux.ibm.com>,
target-devel@...r.kernel.org, Ted Tso <tytso@....edu>,
Trond Myklebust <trond.myklebust@...merspace.com>,
xen-devel@...ts.xenproject.org, Jens Axboe <axboe@...nel.dk>,
Christian Brauner <brauner@...nel.org>
Subject: Re: [PATCH v2 0/29] block: Make blkdev_get_by_*() return handle
On Sat, Aug 26, 2023 at 03:28:52AM +0100, Al Viro wrote:
> I mean, look at claim_swapfile() for example:
> p->bdev = blkdev_get_by_dev(inode->i_rdev,
> FMODE_READ | FMODE_WRITE | FMODE_EXCL, p);
> if (IS_ERR(p->bdev)) {
> error = PTR_ERR(p->bdev);
> p->bdev = NULL;
> return error;
> }
> p->old_block_size = block_size(p->bdev);
> error = set_blocksize(p->bdev, PAGE_SIZE);
> if (error < 0)
> return error;
> we already have the file opened, and we keep it opened all the way until
> the swapoff(2); here we have noticed that it's a block device and we
> * open the fucker again (by device number), this time claiming
> it with our swap_info_struct as holder, to be closed at swapoff(2) time
> (just before we close the file)
Note that some drivers look at FMODE_EXCL/BLK_OPEN_EXCL in ->open.
These are probably bogus and maybe we want to kill them, but that will
need an audit first.
> BTW, what happens if two threads call ioctl(fd, BLKBSZSET, &n)
> for the same descriptor that happens to have been opened O_EXCL?
> Without O_EXCL they would've been unable to claim the sucker at the same
> time - the holder we are using is the address of a function argument,
> i.e. something that points to kernel stack of the caller. Those would
> conflict and we either get set_blocksize() calls fully serialized, or
> one of the callers would eat -EBUSY. Not so in "opened with O_EXCL"
> case - they can very well overlap and IIRC set_blocksize() does *not*
> expect that kind of crap... It's all under CAP_SYS_ADMIN, so it's not
> as if it was a meaningful security hole anyway, but it does look fishy.
The user get to keep the pieces.. BLKBSZSET is kinda bogus anyway
as the soft blocksize only matters for buffer_head-like I/O, and
there only for file systems. Not idea why anyone would set it manually.
Powered by blists - more mailing lists