lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20191224084514.GC1739@infradead.org>
Date:   Tue, 24 Dec 2019 00:45:14 -0800
From:   Christoph Hellwig <hch@...radead.org>
To:     Arnd Bergmann <arnd@...db.de>
Cc:     "Darrick J . Wong" <darrick.wong@...cle.com>,
        linux-xfs@...r.kernel.org, y2038@...ts.linaro.org,
        Brian Foster <bfoster@...hat.com>,
        Dave Chinner <dchinner@...hat.com>,
        Allison Collins <allison.henderson@...cle.com>,
        Jan Kara <jack@...e.cz>, Eric Sandeen <sandeen@...deen.net>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/3] xfs: disallow broken ioctls without
 compat-32-bit-time

On Wed, Dec 18, 2019 at 05:39:29PM +0100, Arnd Bergmann wrote:
> +/* disallow y2038-unsafe ioctls with CONFIG_COMPAT_32BIT_TIME=n */
> +static bool xfs_have_compat_bstat_time32(unsigned int cmd)
> +{
> +	if (IS_ENABLED(CONFIG_COMPAT_32BIT_TIME))
> +		return true;
> +
> +	if (IS_ENABLED(CONFIG_64BIT) && !in_compat_syscall())
> +		return true;
> +
> +	if (cmd == XFS_IOC_FSBULKSTAT_SINGLE ||
> +	    cmd == XFS_IOC_FSBULKSTAT ||
> +	    cmd == XFS_IOC_SWAPEXT)
> +		return false;
> +
> +	return true;

I think the check for the individual command belongs into the callers,
which laves us with:

static inline bool have_time32(void)
{
	return IS_ENABLED(CONFIG_COMPAT_32BIT_TIME) ||
		(IS_ENABLED(CONFIG_64BIT) && !in_compat_syscall());
}

and that looks like it should be in a generic helper somewhere.


>  STATIC int
>  xfs_ioc_fsbulkstat(
>  	xfs_mount_t		*mp,
> @@ -637,6 +655,9 @@ xfs_ioc_fsbulkstat(
>  	if (!capable(CAP_SYS_ADMIN))
>  		return -EPERM;
>  
> +	if (!xfs_have_compat_bstat_time32(cmd))
> +		return -EINVAL;

Here we can simply check for cmd != XFS_IOC_FSINUMBERS before the call.

>  	if (XFS_FORCED_SHUTDOWN(mp))
>  		return -EIO;
>  
> @@ -1815,6 +1836,11 @@ xfs_ioc_swapext(
>  	struct fd	f, tmp;
>  	int		error = 0;
>  
> +	if (!xfs_have_compat_bstat_time32(XFS_IOC_SWAPEXT)) {
> +		error = -EINVAL;
> +		goto out;
> +	}

And for this one we just have one cmd anyway.  But I actually still
disagree with the old_time check for this one entirely, as voiced on
one of the last iterations.  For swapext the time stamp really is
only used as a generation counter, so overflows are entirely harmless.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ