| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <vumjuw5ha6jtxtadsr5vwjtuneeqfg3vpydciczsn75qdg2ekv@464a4dxtxx27> Date: Tue, 3 Jun 2025 11:46:22 +0200 From: Jan Kara <jack@...e.cz> To: Mickaël Salaün <mic@...ikod.net> Cc: Song Liu <song@...nel.org>, Alexei Starovoitov <alexei.starovoitov@...il.com>, Jan Kara <jack@...e.cz>, Al Viro <viro@...iv.linux.org.uk>, bpf <bpf@...r.kernel.org>, Linux-Fsdevel <linux-fsdevel@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, LSM List <linux-security-module@...r.kernel.org>, Kernel Team <kernel-team@...a.com>, Andrii Nakryiko <andrii@...nel.org>, Eduard <eddyz87@...il.com>, Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, Martin KaFai Lau <martin.lau@...ux.dev>, Christian Brauner <brauner@...nel.org>, KP Singh <kpsingh@...nel.org>, Matt Bobrowski <mattbobrowski@...gle.com>, Amir Goldstein <amir73il@...il.com>, repnop@...gle.com, Jeff Layton <jlayton@...nel.org>, Josef Bacik <josef@...icpanda.com>, Günther Noack <gnoack@...gle.com> Subject: Re: [PATCH bpf-next 3/4] bpf: Introduce path iterator On Fri 30-05-25 16:20:39, Mickaël Salaün wrote: > On Thu, May 29, 2025 at 10:05:59AM -0700, Song Liu wrote: > > On Thu, May 29, 2025 at 9:57 AM Alexei Starovoitov > > <alexei.starovoitov@...il.com> wrote: > > [...] > > > > > > > > How about we describe this as: > > > > > > > > Introduce a path iterator, which safely (no crash) walks a struct path. > > > > Without malicious parallel modifications, the walk is guaranteed to > > > > terminate. The sequence of dentries maybe surprising in presence > > > > of parallel directory or mount tree modifications and the iteration may > > > > not ever finish in face of parallel malicious directory tree manipulations. > > > > > > Hold on. If it's really the case then is the landlock susceptible > > > to this type of attack already ? > > > landlock may infinitely loop in the kernel ? > > > > I think this only happens if the attacker can modify the mount or > > directory tree as fast as the walk, which is probably impossible > > in reality. > > Yes, so this is not an infinite loop but an infinite race between the > kernel and a very fast malicious user space process with an infinite > number of available nested writable directories, that would also require > a filesystem (and a kernel) supporting infinite pathname length. Well, you definitely don't need infinite pathname length. Example: Have a dir hierarchy like: A / \ B C | D Start iterating from A/B/D, you climb up to A/B. In parallel atacker does: mv A/B/ A/C/; mkdir A/B Now by following parent you get to A/C. In parallel attaker does: mv A/C/ A/B/; mkdir A/C And now you are essentially where you've started so this can repeat forever. As others wrote this particular timing might be hard enough to hit for it to not be a practical attack but I would not bet much on somebody not being able to invent some variant that works, in particular with BPF iterator. Honza -- Jan Kara <jack@...e.com> SUSE Labs, CR
Powered by blists - more mailing lists