| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHC9VhQd3rL-13k0u39Krkdjp2_dtPfgEPxr=kawWUM9FjjOsw@mail.gmail.com>
Date: Wed, 9 Mar 2022 16:31:57 -0500
From: Paul Moore <paul@...l-moore.com>
To: Mickaël Salaün <mic@...ikod.net>,
Al Viro <viro@...iv.linux.org.uk>
Cc: Christian Brauner <brauner@...nel.org>,
"Darrick J . Wong" <djwong@...nel.org>,
Eric Paris <eparis@...isplace.org>,
James Morris <jmorris@...ei.org>,
Kentaro Takeda <takedakn@...data.co.jp>,
Miklos Szeredi <miklos@...redi.hu>,
"Serge E . Hallyn" <serge@...lyn.com>,
Stephen Smalley <stephen.smalley.work@...il.com>,
Steve French <sfrench@...ba.org>,
Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org,
Mickaël Salaün <mic@...ux.microsoft.com>,
selinux@...r.kernel.org, Casey Schaufler <casey@...aufler-ca.com>,
John Johansen <john.johansen@...onical.com>
Subject: Re: [PATCH v1] fs: Fix inconsistent f_mode
On Tue, Mar 1, 2022 at 5:15 AM Mickaël Salaün <mic@...ikod.net> wrote:
> On 01/03/2022 10:22, Christian Brauner wrote:
> > On Mon, Feb 28, 2022 at 10:59:35PM +0100, Mickaël Salaün wrote:
> >> From: Mickaël Salaün <mic@...ux.microsoft.com>
> >>
> >> While transitionning to ACC_MODE() with commit 5300990c0370 ("Sanitize
> >> f_flags helpers") and then fixing it with commit 6d125529c6cb ("Fix
> >> ACC_MODE() for real"), we lost an open flags consistency check. Opening
> >> a file with O_WRONLY | O_RDWR leads to an f_flags containing MAY_READ |
> >> MAY_WRITE (thanks to the ACC_MODE() helper) and an empty f_mode.
> >> Indeed, the OPEN_FMODE() helper transforms 3 (an incorrect value) to 0.
> >>
> >> Fortunately, vfs_read() and vfs_write() both check for FMODE_READ, or
> >> respectively FMODE_WRITE, and return an EBADF error if it is absent.
> >> Before commit 5300990c0370 ("Sanitize f_flags helpers"), opening a file
> >> with O_WRONLY | O_RDWR returned an EINVAL error. Let's restore this safe
> >> behavior.
> >
> > That specific part seems a bit risky at first glance. Given that the
> > patch referenced is from 2009 this means we've been allowing O_WRONLY |
> > O_RDWR to succeed for almost 13 years now.
>
> Yeah, it's an old bug, but we should keep in mind that a file descriptor
> created with such flags cannot be used to read nor write. However,
> unfortunately, it can be used for things like ioctl, fstat, chdir… I
> don't know if there is any user of this trick.
>
> Either way, there is an inconsistency between those using ACC_MODE() and
> those using OPEN_FMODE(). If we decide to take a side for the behavior
> of one or the other, without denying to create such FD, it could also
> break security policies. We have to choose what to potentially break…
I'm not really liking the idea that the empty/0 f_mode field leads to
SELinux doing an ioctl access check as opposed to the expected
read|write check. Yes, other parts of the code catch the problem, but
this is bad from a SELinux perspective. Looking quickly at the other
LSMs, it would appear that other LSMs are affected as well.
If we're not going to fix file::f_mode, the LSMs probably need to
consider using file::f_flags directly in conjunction with a correct
OPEN_FMODE() macro (or better yet a small inline function that isn't
as ugly).
--
paul-moore.com
Powered by blists - more mailing lists