lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <f6238254-35bd-7e97-5b27-21050c745874@oracle.com>
Date:   Wed, 1 Sep 2021 09:19:32 -0700
From:   Stephen Brennan <stephen.s.brennan@...cle.com>
To:     Al Viro <viro@...iv.linux.org.uk>,
        Dmitry Kadashev <dkadashev@...il.com>
Cc:     Jens Axboe <axboe@...nel.dk>,
        Christoph Hellwig <hch@...radead.org>,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] namei: get rid of unused filename_parentat()

On 9/1/21 8:35 AM, Al Viro wrote:
> On Wed, Sep 01, 2021 at 03:30:56PM +0000, Al Viro wrote:
>> On Wed, Sep 01, 2021 at 10:00:40PM +0700, Dmitry Kadashev wrote:
>>> After the switch of kern_path_locked() to __filename_parentat() (to
>>> address use after free bug) nothing is using filename_parentat(). Also,
>>> filename_parentat() is inherently buggy: the "last" output arg
>>> always point to freed memory.
>>>
>>> Drop filename_parentat() and rename __filename_parentat() to
>>> filename_parentat().
>>
>> I'd rather fold that into previous patch.
>>
>> And it might be better to fold filename_create() into its 2 callers
>> and rename __filename_create() as well.
>>
>> Let me poke around a bit...
> 
> BTW, if you look at the only caller of filename_lookup() outside of
> fs/namei.c, you'll see this:
>          f->refcnt++; /* filename_lookup() drops our ref. */
> 	ret = filename_lookup(param->dirfd, f, flags, _path, NULL);
> IOW, that thing would be better off with calling the current
> __filename_lookup().
> 
> Might be better to rename filename_lookup to something different,
> turn __filename_lookup() into filename_lookup() and use _that_ in
> fs/fs_parser.c...

The value of Dimitry's original patch was that the calling convention 
(i.e. whether the function calls putname for you) is clear from the name 
of the function: __filename_lookup doesn't call putname, and 
filename_lookup() does.

I think what we're discovering is that maybe the double-underscore 
version isn't all that useful, and can be quite confusing (leading to 
refcount increments like we see here). It's highly unusual for a 
function that's not explicitly a destructor of some kind to drop a 
reference that was passed into it.

Could we just standardize all of these filename_xxx() methods to leave 
the filename reference alone? I see the following uses:

filename_create(): 2 users in fs/namei.c, trivial to change
filename_lookup(): 3 users in fs/namei.c, also trivial
filename_parentat(): only user was fixed in my earlier patch

The cost in each function is two additional lines, in return for some 
clarity about the calling conventions, rather than creating more confusion.

Stephen

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ