lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAK8P3a2ANKoV1DhJMUuAr0qKW7HgRvz9LM2yLkSVWP9Rn-LUhA@mail.gmail.com>
Date:   Thu, 2 Jan 2020 10:16:21 +0100
From:   Arnd Bergmann <arnd@...db.de>
To:     Christoph Hellwig <hch@...radead.org>
Cc:     "Darrick J . Wong" <darrick.wong@...cle.com>,
        linux-xfs <linux-xfs@...r.kernel.org>,
        y2038 Mailman List <y2038@...ts.linaro.org>,
        Brian Foster <bfoster@...hat.com>,
        Dave Chinner <dchinner@...hat.com>,
        Allison Collins <allison.henderson@...cle.com>,
        Jan Kara <jack@...e.cz>, Eric Sandeen <sandeen@...deen.net>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 2/3] xfs: disallow broken ioctls without compat-32-bit-time

On Tue, Dec 24, 2019 at 9:45 AM Christoph Hellwig <hch@...radead.org> wrote:
> On Wed, Dec 18, 2019 at 05:39:29PM +0100, Arnd Bergmann wrote:
> > +/* disallow y2038-unsafe ioctls with CONFIG_COMPAT_32BIT_TIME=n */
> > +static bool xfs_have_compat_bstat_time32(unsigned int cmd)
> > +{
> > +     if (IS_ENABLED(CONFIG_COMPAT_32BIT_TIME))
> > +             return true;
> > +
> > +     if (IS_ENABLED(CONFIG_64BIT) && !in_compat_syscall())
> > +             return true;
> > +
> > +     if (cmd == XFS_IOC_FSBULKSTAT_SINGLE ||
> > +         cmd == XFS_IOC_FSBULKSTAT ||
> > +         cmd == XFS_IOC_SWAPEXT)
> > +             return false;
> > +
> > +     return true;
>
> I think the check for the individual command belongs into the callers,
> which laves us with:
>
> static inline bool have_time32(void)
> {
>         return IS_ENABLED(CONFIG_COMPAT_32BIT_TIME) ||
>                 (IS_ENABLED(CONFIG_64BIT) && !in_compat_syscall());
> }
>
> and that looks like it should be in a generic helper somewhere.

Yes, makes sense.

I was going for something XFS specific here because XFS is unique in the
kernel in completely deprecating a set of ioctl commands (replacing
the old interface with a v5) rather than allowing the user space to be
compiled with 64-bit time_t.

If we add a global helper for this, I'd be tempted to also stick a
WARN_RATELIMIT() in there to give users a better indication of
what broke after disabling CONFIG_COMPAT_32BIT_TIME.

The same warning would make sense in the system calls, but then
we have to decide which combinations we want to allow being
configured at runtime or compile-time.

a) unmodified behavior
b) just warn but allow
c) no warning but disallow
d) warn and disallow

> >       if (XFS_FORCED_SHUTDOWN(mp))
> >               return -EIO;
> >
> > @@ -1815,6 +1836,11 @@ xfs_ioc_swapext(
> >       struct fd       f, tmp;
> >       int             error = 0;
> >
> > +     if (!xfs_have_compat_bstat_time32(XFS_IOC_SWAPEXT)) {
> > +             error = -EINVAL;
> > +             goto out;
> > +     }
>
> And for this one we just have one cmd anyway.  But I actually still
> disagree with the old_time check for this one entirely, as voiced on
> one of the last iterations.  For swapext the time stamp really is
> only used as a generation counter, so overflows are entirely harmless.

Sorry I missed that comment earlier. I've had a fresh look now, but
I think we still need to deprecate XFS_IOC_SWAPEXT and add a
v5 version of it, since the comparison will fail as soon as the range
of the inode timestamps is extended beyond 2038, otherwise the
comparison will always be false, or require comparing the truncated
time values which would add yet another representation.

       Arnd

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ