lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 05 May 2017 15:04:33 -0500
From:   ebiederm@...ssion.com (Eric W. Biederman)
To:     Andy Lutomirski <luto@...nel.org>
Cc:     Al Viro <viro@...iv.linux.org.uk>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Jann Horn <jannh@...gle.com>,
        Linux API <linux-api@...r.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        linux-fsdevel <linux-fsdevel@...r.kernel.org>,
        David Drysdale <drysdale@...gle.com>
Subject: Re: new ...at() flag: AT_NO_JUMPS

Andy Lutomirski <luto@...nel.org> writes:

> On Thu, May 4, 2017 at 9:39 PM, Al Viro <viro@...iv.linux.org.uk> wrote:
>> On Thu, May 04, 2017 at 08:46:49PM -0700, Linus Torvalds wrote:
>>> On Thu, May 4, 2017 at 7:47 PM, Jann Horn <jannh@...gle.com> wrote:
>>> >
>>> > Thread 1 starts an AT_BENEATH path walk using an O_PATH fd
>>> > pointing to /srv/www/example.org/foo; the path given to the syscall is
>>> > "bar/../../../../etc/passwd". The path walk enters the "bar" directory.
>>> > Thread 2 moves /srv/www/example.org/foo/bar to
>>> > /srv/www/example.org/bar.
>>> > Thread 1 processes the rest of the path ("../../../../etc/passwd"), never
>>> > hitting /srv/www/example.org/foo in the process.
>>> >
>>> > I'm not really familiar with the VFS internals, but from a coarse look
>>> > at the patch, it seems like it wouldn't block this?
>>>
>>> I think you're right.
>>>
>>> I guess it would be safe for the RCU case due to the sequence number
>>> check, but not the non-RCU case.
>>
>>         Yes and no...  FWIW, to exclude that it would suffice to have
>> mount --rbind /src/www/example.org/foo /srv/www/example.org/foo done first.
>> Then this kind of race will end up with -ENOENT due to path_connected()
>> logics in follow_dotdot_rcu()/follow_dotdot().  I'm not sure about the
>> intended applications, though - is that thing supposed to be used along with
>> some horror like seccomp, or...?
>
> How hard would it be for the kernel to prevent this on its own?
> Asking users to do the mount --rbind seems like it's asking for users
> to forget to do it.

The logic of path_connected checks every time you follow .. if the
parent directory you find is below your starting directory.
Mostly path_connected is optimized by noticing non-bind mounts
and doing nothing.  In this case we would need the is_subdir check
every time we follow ..

So it might just be cheaper not to follow ..

Which leads to something else we need to be careful with.

Suppose for whatever insane reason . is on a directory that has
another directory mounted on top.  Then following "some_dir/.."
would result in a different directory than we were on.

Eric

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ