| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202007060830.0FE753B@keescook>
Date: Mon, 6 Jul 2020 08:34:06 -0700
From: Kees Cook <keescook@...omium.org>
To: Christian Brauner <christian.brauner@...ntu.com>
Cc: linux-kernel@...r.kernel.org, Sargun Dhillon <sargun@...gun.me>,
Christian Brauner <christian@...uner.io>,
Tycho Andersen <tycho@...ho.ws>,
David Laight <David.Laight@...LAB.COM>,
Christoph Hellwig <hch@....de>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Alexander Viro <viro@...iv.linux.org.uk>,
Aleksa Sarai <cyphar@...har.com>,
Matt Denton <mpdenton@...gle.com>,
Jann Horn <jannh@...gle.com>, Chris Palmer <palmer@...gle.com>,
Robert Sesek <rsesek@...gle.com>,
Giuseppe Scrivano <gscrivan@...hat.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Andy Lutomirski <luto@...capital.net>,
Will Drewry <wad@...omium.org>, Shuah Khan <shuah@...nel.org>,
netdev@...r.kernel.org, containers@...ts.linux-foundation.org,
linux-api@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-kselftest@...r.kernel.org
Subject: Re: [PATCH v5 4/7] pidfd: Replace open-coded partial
fd_install_received()
On Mon, Jul 06, 2020 at 03:07:13PM +0200, Christian Brauner wrote:
> On Wed, Jun 17, 2020 at 03:03:24PM -0700, Kees Cook wrote:
> > The sock counting (sock_update_netprioidx() and sock_update_classid()) was
> > missing from pidfd's implementation of received fd installation. Replace
> > the open-coded version with a call to the new fd_install_received()
> > helper.
> >
> > Fixes: 8649c322f75c ("pid: Implement pidfd_getfd syscall")
> > Signed-off-by: Kees Cook <keescook@...omium.org>
> > ---
> > kernel/pid.c | 11 +----------
> > 1 file changed, 1 insertion(+), 10 deletions(-)
> >
> > diff --git a/kernel/pid.c b/kernel/pid.c
> > index f1496b757162..24924ec5df0e 100644
> > --- a/kernel/pid.c
> > +++ b/kernel/pid.c
> > @@ -635,18 +635,9 @@ static int pidfd_getfd(struct pid *pid, int fd)
> > if (IS_ERR(file))
> > return PTR_ERR(file);
> >
> > - ret = security_file_receive(file);
> > - if (ret) {
> > - fput(file);
> > - return ret;
> > - }
> > -
> > - ret = get_unused_fd_flags(O_CLOEXEC);
> > + ret = fd_install_received(file, O_CLOEXEC);
> > if (ret < 0)
> > fput(file);
> > - else
> > - fd_install(ret, file);
>
> So someone just sent a fix for pidfd_getfd() that was based on the
> changes done here.
Hi! Ah yes, that didn't get CCed to me. I'll go reply.
> I've been on vacation so didn't have a change to review this series and
> I see it's already in linux-next. This introduces a memory leak and
> actually proves a point I tried to stress when adding this helper:
> fd_install_received() in contrast to fd_install() does _not_ consume a
> reference because it takes one before it calls into fd_install(). That
> means, you need an unconditional fput() here both in the failure and
> error path.
Yup, this was a mistake in my refactoring of the pidfs changes.
> I strongly suggest though that we simply align the behavior between
> fd_install() and fd_install_received() and have the latter simply
> consume a reference when it succeeds! Imho, this bug proves that I was
> right to insist on this before. ;)
I still don't agree: it radically complicates the SCM_RIGHTS and seccomp
cases. The primary difference is that fd_install() cannot fail, and it
was optimized for this situation. The other file-related helpers that
can fail do not consume the reference, so this is in keeping with those
as well.
--
Kees Cook
Powered by blists - more mailing lists