lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20181008165009.21890-1-a.fatoum@pengutronix.de>
Date:   Mon,  8 Oct 2018 18:50:10 +0200
From:   Ahmad Fatoum <a.fatoum@...gutronix.de>
To:     Andrew Morton <akpm@...ux-foundation.org>,
        Alexey Dobriyan <adobriyan@...il.com>
Cc:     David Howells <dhowells@...hat.com>,
        Al Viro <viro@...iv.linux.org.uk>,
        Florian Westphal <fw@...len.de>, linux-kernel@...r.kernel.org,
        kernel@...gutronix.de, Ahmad Fatoum <a.fatoum@...gutronix.de>
Subject: [PATCH RFC] proc: Don't retain negative dentries

The referenced commit 1da4d377f94 ("proc: revalidate misc dentries")
caused following userspace code to access a stale /proc/net/dev
after the network namespace was changed:

    system("ip netns add testns");

    printf("default:\n"); {
        int devinfd = open("/proc/net/dev", O_RDONLY);
        sendfile(STDOUT_FILENO, devinfd, NULL, 4096);
        close(devinfd);
    }

    printf("testns:\n"); {
        int ns_fd = open("/var/run/netns/testns", O_RDONLY);
        setns(ns_fd, 0);

        int devinfd = open("/proc/net/dev", O_RDONLY);
        sendfile(STDOUT_FILENO, devinfd, NULL, 4096);
        close(devinfd);

        close(ns_fd);
    }

Despite switching the network namespace, the read access from the
newly opened file gave back what the very first read in the default
network namespace returned.

This doesn't occur if /proc/net/dev is opened within a new process,
which might explain why this wasn't noticed previously.

As I don't see a reason why one would keep negative dentries for procfs
at all, amend the code not to do this anymore.

Fixes: 1da4d377f94 ("proc: Don't retain negative dentries")
Signed-off-by: Ahmad Fatoum <a.fatoum@...gutronix.de>
---

Notes:
    Alexey, could you check this doesn't lead to a regression
    concerning the bug you fixed?

 fs/proc/generic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/proc/generic.c b/fs/proc/generic.c
index 8ae109429a88..412b3c52d5d5 100644
--- a/fs/proc/generic.c
+++ b/fs/proc/generic.c
@@ -231,7 +231,7 @@ static int proc_misc_d_revalidate(struct dentry *dentry, unsigned int flags)
 
 static int proc_misc_d_delete(const struct dentry *dentry)
 {
-	return atomic_read(&PDE(d_inode(dentry))->in_use) < 0;
+	return 1; // Don't retain negative dentries
 }
 
 static const struct dentry_operations proc_misc_dentry_ops = {
-- 
2.19.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ