lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240405102157.mmrralt5iohc2pz6@quack3>
Date: Fri, 5 Apr 2024 12:21:57 +0200
From: Jan Kara <jack@...e.cz>
To: Kees Cook <keescook@...omium.org>
Cc: Jan Kara <jack@...e.cz>, Chuck Lever <chuck.lever@...cle.com>,
	"Gustavo A . R . Silva" <gustavoars@...nel.org>,
	Christian Brauner <brauner@...nel.org>,
	Alexander Viro <viro@...iv.linux.org.uk>,
	Jeff Layton <jlayton@...nel.org>,
	Amir Goldstein <amir73il@...il.com>, linux-fsdevel@...r.kernel.org,
	linux-nfs@...r.kernel.org, linux-hardening@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] fs: Set file_handle::handle_bytes before referencing
 file_handle::f_handle

On Thu 04-04-24 14:12:15, Kees Cook wrote:
> Since __counted_by(handle_bytes) was added to struct file_handle, we need
> to explicitly set it in the one place it wasn't yet happening prior to
> accessing the flex array "f_handle". For robustness also check for a
> negative value for handle_bytes, which is possible for an "int", but
> nothing appears to set.
> 
> Fixes: 1b43c4629756 ("fs: Annotate struct file_handle with __counted_by() and use struct_size()")
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
> Cc: Jan Kara <jack@...e.cz>
> Cc: Chuck Lever <chuck.lever@...cle.com>
> Cc: Gustavo A. R. Silva <gustavoars@...nel.org>
> Cc: Christian Brauner <brauner@...nel.org>
> Cc: Alexander Viro <viro@...iv.linux.org.uk>
> Cc: Jeff Layton <jlayton@...nel.org>
> Cc: Amir Goldstein <amir73il@...il.com>
> Cc: linux-fsdevel@...r.kernel.org
> Cc: linux-nfs@...r.kernel.org
> Cc: linux-hardening@...r.kernel.org
>  v2: more bounds checking, add comments, dropped reviews since logic changed
>  v1: https://lore.kernel.org/all/20240403215358.work.365-kees@kernel.org/
> ---
>  fs/fhandle.c | 11 +++++++++--
>  1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/fhandle.c b/fs/fhandle.c
> index 8a7f86c2139a..854f866eaad2 100644
> --- a/fs/fhandle.c
> +++ b/fs/fhandle.c
> @@ -40,6 +40,11 @@ static long do_sys_name_to_handle(const struct path *path,
>  			 GFP_KERNEL);
>  	if (!handle)
>  		return -ENOMEM;
> +	/*
> +	 * Since handle->f_handle is about to be written, make sure the
> +	 * associated __counted_by(handle_bytes) variable is correct.
> +	 */
> +	handle->handle_bytes = f_handle.handle_bytes;
>  
>  	/* convert handle size to multiple of sizeof(u32) */
>  	handle_dwords = f_handle.handle_bytes >> 2;
> @@ -51,8 +56,8 @@ static long do_sys_name_to_handle(const struct path *path,
>  	handle->handle_type = retval;
>  	/* convert handle size to bytes */
>  	handle_bytes = handle_dwords * sizeof(u32);
> -	handle->handle_bytes = handle_bytes;
> -	if ((handle->handle_bytes > f_handle.handle_bytes) ||
> +	/* check if handle_bytes would have exceeded the allocation */
> +	if ((handle_bytes < 0) || (handle_bytes > f_handle.handle_bytes) ||

This is broken. Let me explain: Userspace passes in struct file_handle
(ufh) and says how many bytes it has reserved for the variable length
contents in ufh->handle_bytes. We call exportfs_encode_fh() to create
the file handle. If it fits into the provided space, the function returns
in handle_dwords how many uints it has actually stored. If the handle
didn't fit, handle_dword contains number of uints we'd need in the variable
length part to be able to fit the handle in.

Now your patch destroys this behavior by storing 0 to handle_bytes in case
the handle didn't fit *before* the returned value is actually stored to a
struct copied to userspace.

Also the handle_bytes < 0 check is IMHO pointless and confusing. If some
filesystem is returning bogus size of the file handle, we have a big
problem anyway so I don't think checking like this brings much. If you want
to add some paranoia what would make some sense is: Make handle_bytes uint
and do:

	if (WARN_ON_ONCE(handle_bytes > MAX_HANDLE_SZ)) {
		handle_bytes = 0;
		retval = -EINVAL;
	}

But as a separate patch please, because it is unrelated to this __counted_by
fixup.

								Honza

>  	    (retval == FILEID_INVALID) || (retval < 0)) {
>  		/* As per old exportfs_encode_fh documentation
>  		 * we could return ENOSPC to indicate overflow
> @@ -68,6 +73,8 @@ static long do_sys_name_to_handle(const struct path *path,
>  		handle_bytes = 0;
>  	} else
>  		retval = 0;
> +	/* the "valid" number of bytes may fewer than originally allocated */
> +	handle->handle_bytes = handle_bytes;
>  	/* copy the mount id */
>  	if (put_user(real_mount(path->mnt)->mnt_id, mnt_id) ||
>  	    copy_to_user(ufh, handle,
> -- 
> 2.34.1
> 
-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ