lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 4 Aug 2020 21:08:06 -0700
From:   Eric Biggers <ebiggers@...nel.org>
To:     Aleksa Sarai <cyphar@...har.com>
Cc:     Lokesh Gidra <lokeshgidra@...gle.com>, viro@...iv.linux.org.uk,
        stephen.smalley.work@...il.com, casey@...aufler-ca.com,
        jmorris@...ei.org, kaleshsingh@...gle.com, dancol@...col.org,
        surenb@...gle.com, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org, nnk@...gle.com, jeffv@...gle.com,
        calin@...gle.com, kernel-team@...roid.com, yanfei.xu@...driver.com,
        syzbot+75867c44841cb6373570@...kaller.appspotmail.com
Subject: Re: [PATCH] Userfaultfd: Avoid double free of userfault_ctx and
 remove O_CLOEXEC

On Wed, Aug 05, 2020 at 01:47:58PM +1000, Aleksa Sarai wrote:
> On 2020-08-04, Lokesh Gidra <lokeshgidra@...gle.com> wrote:
> > when get_unused_fd_flags returns error, ctx will be freed by
> > userfaultfd's release function, which is indirectly called by fput().
> > Also, if anon_inode_getfile_secure() returns an error, then
> > userfaultfd_ctx_put() is called, which calls mmdrop() and frees ctx.
> > 
> > Also, the O_CLOEXEC was inadvertently added to the call to
> > get_unused_fd_flags() [1].
> 
> I disagree that it is "wrong" to do O_CLOEXEC-by-default (after all,
> it's trivial to disable O_CLOEXEC, but it's non-trivial to enable it on
> an existing file descriptor because it's possible for another thread to
> exec() before you set the flag). Several new syscalls and fd-returning
> facilities are O_CLOEXEC-by-default now (the most obvious being pidfds
> and seccomp notifier fds).

Sure, O_CLOEXEC *should* be the default, but this is an existing syscall so it
has to keep the existing behavior.

> At the very least there should be a new flag added that sets O_CLOEXEC.

There already is one (but these patches broke it).

- Eric

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ