lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZAD2gEQA6edzMJvl@ZenIV>
Date:   Thu, 2 Mar 2023 19:18:24 +0000
From:   Al Viro <viro@...iv.linux.org.uk>
To:     Mateusz Guzik <mjguzik@...il.com>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Christian Brauner <brauner@...nel.org>, serge@...lyn.com,
        paul@...l-moore.com, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [PATCH v3 2/2] vfs: avoid duplicating creds in faccessat if
 possible

On Thu, Mar 02, 2023 at 07:02:10PM +0000, Al Viro wrote:
> On Thu, Mar 02, 2023 at 06:43:39PM +0000, Al Viro wrote:
> > On Thu, Mar 02, 2023 at 07:22:17PM +0100, Mateusz Guzik wrote:
> > 
> > > Ops, I meant "names_cache", here:
> > > 	names_cachep = kmem_cache_create_usercopy("names_cache", PATH_MAX, 0,
> > > 			SLAB_HWCACHE_ALIGN|SLAB_PANIC, 0, PATH_MAX, NULL);
> > > 
> > > it is fs/dcache.c and I brainfarted into the above.
> > 
> > So you mean __getname() stuff?
> 
> The thing is, getname_flags()/getname_kernel() is not the only user of that
> thing; grep and you'll see (and keep in mind that cifs alloc_dentry_path()
> is a __getname() wrapper, with its own callers).  We might have bugs papered
> over^W^Whardened away^W^Wpapered over in some of those users.
> 
> I agree that getname_flags()/getname_kernel()/sys_getcwd() have no need of
> pre-zeroing; fw_get_filesystem_firmware(), ceph_mdsc_build_path(),
> [hostfs]dentry_name() and ima_d_path() seem to be safe.  So's
> vboxsf_path_from_dentry() (I think).  But with this bunch I'd need
> a review before I'd be willing to say "this security theatre buys us
> nothing here":

[snip the list]

PS: ripping this bandaid off might very well be the right thing to do, it's just
that "I'm confident there is 0 hardening benefit for it" needs a code review
is some moderately grotty places.  It's not too awful (e.g. in case of cifs
most of the callers are immediately followed by build_path_from_dentry(), which
stores the pathname in the end of page and returns the pointer to beginning
of initialized part; verifying that after that allocation + build_path we
only access the parts past the returned pointer until it's time to free the
buffer is not hard), but it's worth doing.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ