lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 9 Mar 2022 16:36:04 -0800
From:   John Johansen <john.johansen@...onical.com>
To:     Paul Moore <paul@...l-moore.com>,
        Mickaël Salaün <mic@...ikod.net>,
        Al Viro <viro@...iv.linux.org.uk>
Cc:     Christian Brauner <brauner@...nel.org>,
        "Darrick J . Wong" <djwong@...nel.org>,
        Eric Paris <eparis@...isplace.org>,
        James Morris <jmorris@...ei.org>,
        Kentaro Takeda <takedakn@...data.co.jp>,
        Miklos Szeredi <miklos@...redi.hu>,
        "Serge E . Hallyn" <serge@...lyn.com>,
        Stephen Smalley <stephen.smalley.work@...il.com>,
        Steve French <sfrench@...ba.org>,
        Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        Mickaël Salaün <mic@...ux.microsoft.com>,
        selinux@...r.kernel.org, Casey Schaufler <casey@...aufler-ca.com>
Subject: Re: [PATCH v1] fs: Fix inconsistent f_mode

On 3/9/22 13:31, Paul Moore wrote:
> On Tue, Mar 1, 2022 at 5:15 AM Mickaël Salaün <mic@...ikod.net> wrote:
>> On 01/03/2022 10:22, Christian Brauner wrote:
>>> On Mon, Feb 28, 2022 at 10:59:35PM +0100, Mickaël Salaün wrote:
>>>> From: Mickaël Salaün <mic@...ux.microsoft.com>
>>>>
>>>> While transitionning to ACC_MODE() with commit 5300990c0370 ("Sanitize
>>>> f_flags helpers") and then fixing it with commit 6d125529c6cb ("Fix
>>>> ACC_MODE() for real"), we lost an open flags consistency check.  Opening
>>>> a file with O_WRONLY | O_RDWR leads to an f_flags containing MAY_READ |
>>>> MAY_WRITE (thanks to the ACC_MODE() helper) and an empty f_mode.
>>>> Indeed, the OPEN_FMODE() helper transforms 3 (an incorrect value) to 0.
>>>>
>>>> Fortunately, vfs_read() and vfs_write() both check for FMODE_READ, or
>>>> respectively FMODE_WRITE, and return an EBADF error if it is absent.
>>>> Before commit 5300990c0370 ("Sanitize f_flags helpers"), opening a file
>>>> with O_WRONLY | O_RDWR returned an EINVAL error.  Let's restore this safe
>>>> behavior.
>>>
>>> That specific part seems a bit risky at first glance. Given that the
>>> patch referenced is from 2009 this means we've been allowing O_WRONLY |
>>> O_RDWR to succeed for almost 13 years now.
>>
>> Yeah, it's an old bug, but we should keep in mind that a file descriptor
>> created with such flags cannot be used to read nor write. However,
>> unfortunately, it can be used for things like ioctl, fstat, chdir… I
>> don't know if there is any user of this trick.
>>
>> Either way, there is an inconsistency between those using ACC_MODE() and
>> those using OPEN_FMODE(). If we decide to take a side for the behavior
>> of one or the other, without denying to create such FD, it could also
>> break security policies. We have to choose what to potentially break…
> 
> I'm not really liking the idea that the empty/0 f_mode field leads to
> SELinux doing an ioctl access check as opposed to the expected
> read|write check.  Yes, other parts of the code catch the problem, but
> this is bad from a SELinux perspective.  Looking quickly at the other
> LSMs, it would appear that other LSMs are affected as well.
> 
> If we're not going to fix file::f_mode, the LSMs probably need to
> consider using file::f_flags directly in conjunction with a correct
> OPEN_FMODE() macro (or better yet a small inline function that isn't
> as ugly).
> 
yeah, I have to agree

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ