lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20200507220637.GH23230@ZenIV.linux.org.uk>
Date:   Thu, 7 May 2020 23:06:37 +0100
From:   Al Viro <viro@...iv.linux.org.uk>
To:     Jens Axboe <axboe@...nel.dk>
Cc:     Max Kellermann <mk@...all.com>, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH] fs/io_uring: fix O_PATH fds in openat, openat2, statx

On Thu, May 07, 2020 at 02:53:30PM -0600, Jens Axboe wrote:

> I think the patch is correct as-is, I took a good look at how we're
> currently handling it. None of those three ops should fiddle with
> the fd at all, and all of them do forbid the use of fixed files (the
> descriptor table look-alikes), so that part is fine, too.
> 
> There's some low hanging fruit around optimizing and improving it,
> I'm including an updated version below. Max, can you double check
> with your testing?

<looks>

Could you explain WTF is io_issue_sqe() doing in case of IORING_OP_CLOSE?
Specifically, what is the value of
        req->close.fd = READ_ONCE(sqe->fd);
        if (req->file->f_op == &io_uring_fops ||
            req->close.fd == req->ctx->ring_fd)
                return -EBADF;
in io_close_prep()?  And what does happen if some joker does dup2()
of something with io_uring_fops into our slot right after that check?
Before the subsequent
        ret = __close_fd_get_file(req->close.fd, &req->close.put_file);
that is.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ