lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <yti2dilasy7b3tu6iin5pugkn6oevdswrwoy6gorudb7x2cqhh@nqb3gcyxg4by>
Date: Thu, 29 May 2025 13:58:07 +0200
From: Jan Kara <jack@...e.cz>
To: Al Viro <viro@...iv.linux.org.uk>
Cc: Song Liu <song@...nel.org>, bpf@...r.kernel.org, 
	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, 
	linux-security-module@...r.kernel.org, kernel-team@...a.com, andrii@...nel.org, eddyz87@...il.com, 
	ast@...nel.org, daniel@...earbox.net, martin.lau@...ux.dev, brauner@...nel.org, 
	jack@...e.cz, kpsingh@...nel.org, mattbobrowski@...gle.com, amir73il@...il.com, 
	repnop@...gle.com, jlayton@...nel.org, josef@...icpanda.com, mic@...ikod.net, 
	gnoack@...gle.com
Subject: Re: [PATCH bpf-next 3/4] bpf: Introduce path iterator

On Wed 28-05-25 23:37:24, Al Viro wrote:
> On Wed, May 28, 2025 at 03:26:22PM -0700, Song Liu wrote:
> > Introduce a path iterator, which reliably walk a struct path.
> 
> No, it does not.  If you have no external warranty that mount
> *and* dentry trees are stable, it's not reliable at all.

I agree that advertising this as "reliable walk" is misleading. It is
realiable in the sense that it will not dereference freed memory, leak
references etc. As you say it is also reliable in the sense that without
external modifications to dentry & mount tree, it will crawl the path to
root. But in presence of external modifications the only reliability it
offers is "it will not crash". E.g. malicious parallel modifications can
arbitrarily prolong the duration of the walk.

> And I'm extremely suspicious regarding the validity of anything
> that pokes around in mount trees.  There is a very good reason
> struct mount is *not* visible in include/linux/*.h

Well, but looking at the actual code I don't see anything problematic
there. It does not export any new functionality from the VFS AFAICT. It
just factors out some parent lookup details from Landlock into generic code
and exposes it as a helper to fetch parent dentry. But overall any kernel
module can do what's in the helper already today and exposing the
functionality of looking up dentry parent to BPF as well seems OK to me.

So I have only reservations against calling it "reliable walk". It should
rather come with warnings like "The sequence of dentries may be rather
surprising in presence of parallel directory or mount tree modifications
and the iteration need not ever finish in face of parallel malicious
directory tree manipulations."

								Honza
-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ