| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87in8nsvxd.fsf@xmission.com>
Date: Wed, 18 Apr 2018 22:43:26 -0500
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Marcos Paulo de Souza <marcos.souza.org@...il.com>
Cc: linux-next@...r.kernel.org,
Christian Brauner <christian.brauner@...ntu.com>,
Mark Rutland <mark.rutland@....com>,
Ingo Molnar <mingo@...nel.org>,
Serge Hallyn <serge@...lyn.com>,
Seth Forshee <seth.forshee@...onical.com>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH -next] user_namespace: Replace gotos with return statements
Marcos Paulo de Souza <marcos.souza.org@...il.com> writes:
> Found while inspecting the code that handles the setgroups procfs
> file.
What perchance might be the advantage of introducing multiple exits
into proc_setgroups_write?
I strongly suspect that if you look at the generated code it will
be worse after your patch.
Eric
> Signed-off-by: Marcos Paulo de Souza <marcos.souza.org@...il.com>
> ---
> Tested locally setting up a new userns, and setting setgroups as deny and allow,
> worked as before.
>
> kernel/user_namespace.c | 20 +++++++-------------
> 1 file changed, 7 insertions(+), 13 deletions(-)
>
> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
> index 246d4d4ce5c7..64a01254ac6b 100644
> --- a/kernel/user_namespace.c
> +++ b/kernel/user_namespace.c
> @@ -1142,22 +1142,18 @@ ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
> struct user_namespace *ns = seq->private;
> char kbuf[8], *pos;
> bool setgroups_allowed;
> - ssize_t ret;
>
> /* Only allow a very narrow range of strings to be written */
> - ret = -EINVAL;
> if ((*ppos != 0) || (count >= sizeof(kbuf)))
> - goto out;
> + return -EINVAL;
>
> /* What was written? */
> - ret = -EFAULT;
> if (copy_from_user(kbuf, buf, count))
> - goto out;
> + return -EFAULT;
> kbuf[count] = '\0';
> pos = kbuf;
>
> /* What is being requested? */
> - ret = -EINVAL;
> if (strncmp(pos, "allow", 5) == 0) {
> pos += 5;
> setgroups_allowed = true;
> @@ -1167,14 +1163,13 @@ ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
> setgroups_allowed = false;
> }
> else
> - goto out;
> + return -EINVAL;
>
> /* Verify there is not trailing junk on the line */
> pos = skip_spaces(pos);
> if (*pos != '\0')
> - goto out;
> + return -EINVAL;
>
> - ret = -EPERM;
> mutex_lock(&userns_state_mutex);
> if (setgroups_allowed) {
> /* Enabling setgroups after setgroups has been disabled
> @@ -1194,12 +1189,11 @@ ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
>
> /* Report a successful write */
> *ppos = count;
> - ret = count;
> -out:
> - return ret;
> + return count;
> +
> out_unlock:
> mutex_unlock(&userns_state_mutex);
> - goto out;
> + return -EPERM;
> }
>
> bool userns_may_setgroups(const struct user_namespace *ns)
Powered by blists - more mailing lists