[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <48ed81b9-0386-ba2c-b11a-1531d4f1e376@huaweicloud.com>
Date: Mon, 6 May 2024 11:12:31 +0800
From: Baokun Li <libaokun@...weicloud.com>
To: Jingbo Xu <jefflexu@...ux.alibaba.com>, netfs@...ts.linux.dev
Cc: dhowells@...hat.com, jlayton@...nel.org, zhujia.zj@...edance.com,
linux-erofs@...ts.ozlabs.org, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, libaokun@...weicloud.com,
yangerkun <yangerkun@...wei.com>
Subject: Re: [PATCH 06/12] cachefiles: add consistency check for copen/cread
Hi Jingbo,
Thank you very much for the review!
On 2024/5/6 10:31, Jingbo Xu wrote:
> Hi Baokun,
>
> Thanks for improving on this!
>
> On 4/24/24 11:39 AM, libaokun@...weicloud.com wrote:
>> From: Baokun Li <libaokun1@...wei.com>
>>
>> This prevents malicious processes from completing random copen/cread
>> requests and crashing the system. Added checks are listed below:
>>
>> * Generic, copen can only complete open requests, and cread can only
>> complete read requests.
>> * For copen, ondemand_id must not be 0, because this indicates that the
>> request has not been read by the daemon.
>> * For cread, the object corresponding to fd and req should be the same.
>>
>> Signed-off-by: Baokun Li <libaokun1@...wei.com>
>> ---
>> fs/cachefiles/ondemand.c | 27 ++++++++++++++++++++-------
>> 1 file changed, 20 insertions(+), 7 deletions(-)
>>
>> diff --git a/fs/cachefiles/ondemand.c b/fs/cachefiles/ondemand.c
>> index bb94ef6a6f61..898fab68332b 100644
>> --- a/fs/cachefiles/ondemand.c
>> +++ b/fs/cachefiles/ondemand.c
>> @@ -82,12 +82,12 @@ static loff_t cachefiles_ondemand_fd_llseek(struct file *filp, loff_t pos,
>> }
>>
>> static long cachefiles_ondemand_fd_ioctl(struct file *filp, unsigned int ioctl,
>> - unsigned long arg)
>> + unsigned long id)
>> {
>> struct cachefiles_object *object = filp->private_data;
>> struct cachefiles_cache *cache = object->volume->cache;
>> struct cachefiles_req *req;
>> - unsigned long id;
>> + XA_STATE(xas, &cache->reqs, id);
>>
>> if (ioctl != CACHEFILES_IOC_READ_COMPLETE)
>> return -EINVAL;
>> @@ -95,10 +95,15 @@ static long cachefiles_ondemand_fd_ioctl(struct file *filp, unsigned int ioctl,
>> if (!test_bit(CACHEFILES_ONDEMAND_MODE, &cache->flags))
>> return -EOPNOTSUPP;
>>
>> - id = arg;
>> - req = xa_erase(&cache->reqs, id);
>> - if (!req)
>> + xa_lock(&cache->reqs);
>> + req = xas_load(&xas);
>> + if (!req || req->msg.opcode != CACHEFILES_OP_READ ||
>> + req->object != object) {
>> + xa_unlock(&cache->reqs);
>> return -EINVAL;
>> + }
>> + xas_store(&xas, NULL);
>> + xa_unlock(&cache->reqs);
>>
>> trace_cachefiles_ondemand_cread(object, id);
>> complete(&req->done);
>> @@ -126,6 +131,7 @@ int cachefiles_ondemand_copen(struct cachefiles_cache *cache, char *args)
>> unsigned long id;
>> long size;
>> int ret;
>> + XA_STATE(xas, &cache->reqs, 0);
>>
>> if (!test_bit(CACHEFILES_ONDEMAND_MODE, &cache->flags))
>> return -EOPNOTSUPP;
>> @@ -149,9 +155,16 @@ int cachefiles_ondemand_copen(struct cachefiles_cache *cache, char *args)
>> if (ret)
>> return ret;
>>
>> - req = xa_erase(&cache->reqs, id);
>> - if (!req)
>> + xa_lock(&cache->reqs);
>> + xas.xa_index = id;
>> + req = xas_load(&xas);
>> + if (!req || req->msg.opcode != CACHEFILES_OP_OPEN ||
>> + !req->object->ondemand->ondemand_id) {
>> + xa_unlock(&cache->reqs);
>> return -EINVAL;
>> + }
>> + xas_store(&xas, NULL);
>> + xa_unlock(&cache->reqs);
>>
>> /* fail OPEN request if copen format is invalid */
>> ret = kstrtol(psize, 0, &size);
> The code looks good to me, but I still have some questions.
>
> First, what's the worst consequence if the daemon misbehaves like
> completing random copen/cread requests? I mean, does that affect other
> processes on the system besides the direct users of the ondemand mode,
> e.g. will the misbehavior cause system crash?
This can lead to system crashes, which can lead to a lot of problems.
For example, on reopen, to finish the read request, we might UAF in
ondemand_object_worker();
Or we might UAF in cachefiles_ondemand_daemon_read() when we
haven't added reference counts to the req yet.
Even though these issues are completely resolved in other ways,
I think some basic consistency checks are still necessary.
>
> Besides, it seems that the above security improvement is only "best
> effort". It can not completely prevent a malicious misbehaved daemon
> from completing random copen/cread requests, right?
>
Yes, this doesn't solve the problem completely, we still can't
distinguish between the following cases:
1) different read reqs of the same object reusing the req id.
2) open reqs of different objects.
Ideally, we would calculate a checksum from
timestamps + struct cachefiles_msg to check if the requests
are consistent, but this breaks the uapi.
Thanks,
Baokun
Powered by blists - more mailing lists