lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 16 Jan 2014 23:59:25 +0000
From:	Al Viro <viro@...IV.linux.org.uk>
To:	"Eric W. Biederman" <ebiederm@...ssion.com>
Cc:	linux-fsdevel@...r.kernel.org,
	Andrew Morton <akpm@...ux-foundation.org>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] vfs: Don't leak a path when get_empty_filp in dentry_open

On Thu, Jan 16, 2014 at 03:45:38PM -0800, Eric W. Biederman wrote:
> 
> Normally in dentry_open the passed in path is placed on the new filp
> removing the caller from needing to worry about it.  In the rare case
> that we can not allocate a filp the path is not consumed.  None of the
> callers of dentry_open call path_put in their error handling when
> dentry_open fails so call path_put for them on error and keep everyone's
> error handling simple.

You are misreading that code.  _No_ path in dentry_open() drops that
sucker, no matter whether we succeed or fail.  do_dentry_open() grabs
an extra reference on success, so those fput() on other failure exits
just balance that.

The calling conventions are not "transfer the reference you held into
struct file, caller must drop on failure"; it's "clone the reference
into struct file; caller's reference remains in all cases".

IOW, you are looking for path_put() in error handling in callers, when
in fact it's on common paths (and quite often in callers of callers of
callers).  Makes life simpler, actually.  Try to convert it to your
variant of calling conventions and you'll see that callers become more
complex and brittle.  As it is, this patch is simply broken - you'll get
double path_put() out of it, not to mention the different treatment of
refcounts depending on the kind of failure exit that had been taken.

NAK.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ