lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sun, 30 Aug 2020 21:46:33 -0400
From:   Rich Felker <dalias@...c.org>
To:     Jann Horn <jannh@...gle.com>
Cc:     linux-fsdevel <linux-fsdevel@...r.kernel.org>,
        kernel list <linux-kernel@...r.kernel.org>,
        Linux API <linux-api@...r.kernel.org>,
        Alexander Viro <viro@...iv.linux.org.uk>
Subject: Re: [RESEND PATCH] vfs: add RWF_NOAPPEND flag for pwritev2

On Mon, Aug 31, 2020 at 03:15:04AM +0200, Jann Horn wrote:
> On Sun, Aug 30, 2020 at 10:00 PM Rich Felker <dalias@...c.org> wrote:
> > On Sun, Aug 30, 2020 at 09:02:31PM +0200, Jann Horn wrote:
> > > On Sun, Aug 30, 2020 at 8:43 PM Rich Felker <dalias@...c.org> wrote:
> > > > On Sun, Aug 30, 2020 at 08:31:36PM +0200, Jann Horn wrote:
> > > > > On Sun, Aug 30, 2020 at 6:36 PM Rich Felker <dalias@...c.org> wrote:
> > > > > > So just checking IS_APPEND in the code paths used by
> > > > > > pwritev2 (and erroring out rather than silently writing output at the
> > > > > > wrong place) should suffice to preserve all existing security
> > > > > > invariants.
> > > > >
> > > > > Makes sense.
> > > >
> > > > There are 3 places where kiocb_set_rw_flags is called with flags that
> > > > seem to be controlled by userspace: aio.c, io_uring.c, and
> > > > read_write.c. Presumably each needs to EPERM out on RWF_NOAPPEND if
> > > > the underlying inode is S_APPEND. To avoid repeating the same logic in
> > > > an error-prone way, should kiocb_set_rw_flags's signature be updated
> > > > to take the filp so that it can obtain the inode and check IS_APPEND
> > > > before accepting RWF_NOAPPEND? It's inline so this should avoid
> > > > actually loading anything except in the codepath where
> > > > flags&RWF_NOAPPEND is nonzero.
> > >
> > > You can get the file pointer from ki->ki_filp. See the RWF_NOWAIT
> > > branch of kiocb_set_rw_flags().
> >
> > Thanks. I should have looked for that. OK, so a fixup like this on top
> > of the existing patch?
> >
> > diff --git a/include/linux/fs.h b/include/linux/fs.h
> > index 473289bff4c6..674131e8d139 100644
> > --- a/include/linux/fs.h
> > +++ b/include/linux/fs.h
> > @@ -3457,8 +3457,11 @@ static inline int kiocb_set_rw_flags(struct kiocb *ki, rwf_t flags)
> >                 ki->ki_flags |= (IOCB_DSYNC | IOCB_SYNC);
> >         if (flags & RWF_APPEND)
> >                 ki->ki_flags |= IOCB_APPEND;
> > -       if (flags & RWF_NOAPPEND)
> > +       if (flags & RWF_NOAPPEND) {
> > +               if (IS_APPEND(file_inode(ki->ki_filp)))
> > +                       return -EPERM;
> >                 ki->ki_flags &= ~IOCB_APPEND;
> > +       }
> >         return 0;
> >  }
> >
> > If this is good I'll submit a v2 as the above squashed with the
> > original patch.
> 
> Looks good to me.

Actually it's not quite. I think it should be:

	if ((flags & RWF_NOAPPEND) & (ki->ki_flags & IOCB_APPEND)) {
		if (IS_APPEND(file_inode(ki->ki_filp)))
			return -EPERM;
		ki->ki_flags &= ~IOCB_APPEND;
	}

i.e. don't refuse RWF_NOAPPEND on a file that was already successfully
opened without O_APPEND that only subsequently got chattr +a. The
permission check should only be done if it's overriding the default
action for how the file is open.

This is actually related to the fcntl corner case mentioned before.

Are you ok with this change? If so I'll go ahead and prepare a v2.

Rich

Powered by blists - more mailing lists