| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 7 May 2020 23:06:37 +0100
From: Al Viro <viro@...iv.linux.org.uk>
To: Jens Axboe <axboe@...nel.dk>
Cc: Max Kellermann <mk@...all.com>, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH] fs/io_uring: fix O_PATH fds in openat, openat2, statx
On Thu, May 07, 2020 at 02:53:30PM -0600, Jens Axboe wrote:
> I think the patch is correct as-is, I took a good look at how we're
> currently handling it. None of those three ops should fiddle with
> the fd at all, and all of them do forbid the use of fixed files (the
> descriptor table look-alikes), so that part is fine, too.
>
> There's some low hanging fruit around optimizing and improving it,
> I'm including an updated version below. Max, can you double check
> with your testing?
<looks>
Could you explain WTF is io_issue_sqe() doing in case of IORING_OP_CLOSE?
Specifically, what is the value of
req->close.fd = READ_ONCE(sqe->fd);
if (req->file->f_op == &io_uring_fops ||
req->close.fd == req->ctx->ring_fd)
return -EBADF;
in io_close_prep()? And what does happen if some joker does dup2()
of something with io_uring_fops into our slot right after that check?
Before the subsequent
ret = __close_fd_get_file(req->close.fd, &req->close.put_file);
that is.
Powered by blists - more mailing lists