lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 31 Jul 2018 17:51:12 +0100
From:   Al Viro <viro@...IV.linux.org.uk>
To:     Jann Horn <jannh@...gle.com>
Cc:     Richard Henderson <rth@...ddle.net>,
        Ivan Kokshaysky <ink@...assic.park.msu.ru>,
        Matt Turner <mattst88@...il.com>,
        linux-fsdevel@...r.kernel.org,
        "Eric W. Biederman" <ebiederm@...ssion.com>,
        Theodore Ts'o <tytso@....edu>,
        Andreas Dilger <adilger.kernel@...ger.ca>,
        linux-alpha@...r.kernel.org, linux-kernel@...r.kernel.org,
        Dave Chinner <david@...morbit.com>, Pavel Machek <pavel@....cz>
Subject: Re: [PATCH v2] fs: don't let getdents return bogus names

On Tue, Jul 31, 2018 at 06:10:27PM +0200, Jann Horn wrote:
> +/*
> + * Most filesystems don't filter out bogus directory entry names, and userspace
> + * can get very confused by such names. Behave as if a low-level IO error had
> + * happened while reading directory entries.
> + */
> +bool bogus_dirent_name(int *errp, const char *name, int namlen,
> +		       const char *caller)
> +{
> +	if (namlen == 0) {
> +		pr_err_once("%s: filesystem returned bogus empty name\n",
> +			    caller);
> +		*errp = -EUCLEAN;
> +		return true;
> +	}
> +	if (memchr(name, '/', namlen)) {
> +		pr_err_once("%s: filesystem returned bogus name '%*pEhp' (contains slash)\n",
> +			    caller, namlen, name);
> +		*errp = -EUCLEAN;
> +		return true;
> +	}
> +	return false;
> +}

> +	if (bogus_dirent_name(&buf->result, name, namlen, __func__))
> +		return -EUCLEAN;

These calling conventions st^Ware rather suboptimal.  First of all,
	* none of ->actor() callbacks will ever get called directly.
	* there are only 4 callers.  3 of them (all in fs.h) are
of the form return ....->actor(...) == 0;  The fourth is
        return orig_ctx->actor(orig_ctx, name, namelen, offset, ino, d_type);
in ovl_fill_real(), which itself is an ->actor() callback.

So all these "return -E..." in the instances are completely pointless;
we should just turn filldir_t into pointer-to-function-returning-bool
and get rid of that boilerplate, rather than adding more to it.

Furthermore, who the hell cares which callback has stepped into it?
"The first time it happened from getdents(2) in a 32bit process and
that's all you'll ever get out of me" seems to be less than helpful...

And frankly, I would prefer
	buf->result = check_dirent_name(name, namelen);
	if (unlikely(buf->result))
		return false;
making that thing return -EUCLEAN or 0.  Quite possibly - inlining it
as well...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ