[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20191224084514.GC1739@infradead.org>
Date: Tue, 24 Dec 2019 00:45:14 -0800
From: Christoph Hellwig <hch@...radead.org>
To: Arnd Bergmann <arnd@...db.de>
Cc: "Darrick J . Wong" <darrick.wong@...cle.com>,
linux-xfs@...r.kernel.org, y2038@...ts.linaro.org,
Brian Foster <bfoster@...hat.com>,
Dave Chinner <dchinner@...hat.com>,
Allison Collins <allison.henderson@...cle.com>,
Jan Kara <jack@...e.cz>, Eric Sandeen <sandeen@...deen.net>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/3] xfs: disallow broken ioctls without
compat-32-bit-time
On Wed, Dec 18, 2019 at 05:39:29PM +0100, Arnd Bergmann wrote:
> +/* disallow y2038-unsafe ioctls with CONFIG_COMPAT_32BIT_TIME=n */
> +static bool xfs_have_compat_bstat_time32(unsigned int cmd)
> +{
> + if (IS_ENABLED(CONFIG_COMPAT_32BIT_TIME))
> + return true;
> +
> + if (IS_ENABLED(CONFIG_64BIT) && !in_compat_syscall())
> + return true;
> +
> + if (cmd == XFS_IOC_FSBULKSTAT_SINGLE ||
> + cmd == XFS_IOC_FSBULKSTAT ||
> + cmd == XFS_IOC_SWAPEXT)
> + return false;
> +
> + return true;
I think the check for the individual command belongs into the callers,
which laves us with:
static inline bool have_time32(void)
{
return IS_ENABLED(CONFIG_COMPAT_32BIT_TIME) ||
(IS_ENABLED(CONFIG_64BIT) && !in_compat_syscall());
}
and that looks like it should be in a generic helper somewhere.
> STATIC int
> xfs_ioc_fsbulkstat(
> xfs_mount_t *mp,
> @@ -637,6 +655,9 @@ xfs_ioc_fsbulkstat(
> if (!capable(CAP_SYS_ADMIN))
> return -EPERM;
>
> + if (!xfs_have_compat_bstat_time32(cmd))
> + return -EINVAL;
Here we can simply check for cmd != XFS_IOC_FSINUMBERS before the call.
> if (XFS_FORCED_SHUTDOWN(mp))
> return -EIO;
>
> @@ -1815,6 +1836,11 @@ xfs_ioc_swapext(
> struct fd f, tmp;
> int error = 0;
>
> + if (!xfs_have_compat_bstat_time32(XFS_IOC_SWAPEXT)) {
> + error = -EINVAL;
> + goto out;
> + }
And for this one we just have one cmd anyway. But I actually still
disagree with the old_time check for this one entirely, as voiced on
one of the last iterations. For swapext the time stamp really is
only used as a generation counter, so overflows are entirely harmless.
Powered by blists - more mailing lists