| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 30 Oct 2014 17:57:24 -0700 From: Eric Rannaud <e@...ocritical.com> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Andy Lutomirski <luto@...capital.net>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Alexander Viro <viro@...iv.linux.org.uk>, linux-fsdevel <linux-fsdevel@...r.kernel.org>, Andrew Morton <akpm@...ux-foundation.org> Subject: Re: [RFC PATCH] fs: allow open(dir, O_TMPFILE|..., 0) with mode 0 On Thu, Oct 30, 2014 at 3:58 PM, Linus Torvalds <torvalds@...ux-foundation.org> wrote: > On Thu, Oct 30, 2014 at 3:48 PM, Linus Torvalds > <torvalds@...ux-foundation.org> wrote: >> >> Agreed. Will apply and add the stable cc. > > Ho humm. Thinking about this some more, I'm starting to wonder. Not > about this patch per se (open on a newly created file should indeed > succeed regardless), but about the horrible glibc behavior of screwing > up the third argument. > > If you want to do O_TMPFILE + linkat() (or some eventual future > flink()), the mode really matters. So this idiotic glibc behavior of > only forwarding the third argument if O_CREAT is set seems to be a > bug. Yes, there definitely is a glibc bug: a fix is being worked on and it looks like it will go in. The change replaces the test for O_CREAT by a test for either O_CREAT or O_TMPFILE. > Why the hell does glibc think it's a good idea to intersect system > call semantics? It's not a good idea - it's just stupid in the > extreme. And in this case it seems to actively breaks things. What Andy said: it's the most portable, because of the optional last argument, if you have a bunch of wrappers for open and openat written in C, which they do. Some of these wrappers are for statically checking that the mode argument is present when necessary (using __builtin_constant_p, __builtin_va_arg_pack, and friends), and to "fortify" the code against a malicious (?) injection of O_CREAT in a code path that didn't have it at compile time (where flags was a build constant). Other wrappers add O_LARGEFILE. One wrapper for openat checks that dirfd is a directory (no idea why, as the kernel does the same check -- without a race; maybe to try to guarantee ENOTDIR on some old kernel version? It's been here since 2005, when openat was added to glibc). -- Eric Rannaud <e@...ocritical.com> Nanocritical, CEO -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists