| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 21 Jul 2020 09:49:17 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Christoph Hellwig <hch@....de>
Cc: Al Viro <viro@...iv.linux.org.uk>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
"Rafael J. Wysocki" <rafael@...nel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
linux-raid@...r.kernel.org,
linux-fsdevel <linux-fsdevel@...r.kernel.org>,
Linux API <linux-api@...r.kernel.org>
Subject: Re: [PATCH 05/24] devtmpfs: open code ksys_chdir and ksys_chroot
On Tue, Jul 21, 2020 at 9:28 AM Christoph Hellwig <hch@....de> wrote:
>
> +
> + /* traverse into overmounted root and then chroot to it */
> + if (!kern_path("/..", LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &path) &&
> + !inode_permission(path.dentry->d_inode, MAY_EXEC | MAY_CHDIR) &&
> + ns_capable(current_user_ns(), CAP_SYS_CHROOT) &&
> + !security_path_chroot(&path)) {
> + set_fs_pwd(current->fs, &path);
> + set_fs_root(current->fs, &path);
> + }
> + path_put(&path);
This looks wrong.
You're doing "path_put()" even if kern_path() didn't succeed.
As far as I can tell, that will either put some uninitialized garbage
and cause an oops, or put something that has already been released by
the failure path.
Maybe that doesn't happen in practice in this case, but it's still
very very wrong.
Plus you shouldn't have those kinds of insanely complex if-statements
in the first place. That was what caused the bug - trying to be
clever, instead of writing clear code.
I'm not liking how I'm finding fundamental mistakes in patches that
_should_ be trivial conversions with no semantic changes.
Linus
Powered by blists - more mailing lists