| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250603.be1ahteePh8z@digikod.net> Date: Tue, 3 Jun 2025 14:49:09 +0200 From: Mickaël Salaün <mic@...ikod.net> To: Jan Kara <jack@...e.cz> Cc: Song Liu <song@...nel.org>, Alexei Starovoitov <alexei.starovoitov@...il.com>, Al Viro <viro@...iv.linux.org.uk>, bpf <bpf@...r.kernel.org>, Linux-Fsdevel <linux-fsdevel@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, LSM List <linux-security-module@...r.kernel.org>, Kernel Team <kernel-team@...a.com>, Andrii Nakryiko <andrii@...nel.org>, Eduard <eddyz87@...il.com>, Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, Martin KaFai Lau <martin.lau@...ux.dev>, Christian Brauner <brauner@...nel.org>, KP Singh <kpsingh@...nel.org>, Matt Bobrowski <mattbobrowski@...gle.com>, Amir Goldstein <amir73il@...il.com>, repnop@...gle.com, Jeff Layton <jlayton@...nel.org>, Josef Bacik <josef@...icpanda.com>, Günther Noack <gnoack@...gle.com>, Jann Horn <jannh@...gle.com> Subject: Re: [PATCH bpf-next 3/4] bpf: Introduce path iterator On Tue, Jun 03, 2025 at 11:46:22AM +0200, Jan Kara wrote: > On Fri 30-05-25 16:20:39, Mickaël Salaün wrote: > > On Thu, May 29, 2025 at 10:05:59AM -0700, Song Liu wrote: > > > On Thu, May 29, 2025 at 9:57 AM Alexei Starovoitov > > > <alexei.starovoitov@...il.com> wrote: > > > [...] > > > > > > > > > > How about we describe this as: > > > > > > > > > > Introduce a path iterator, which safely (no crash) walks a struct path. > > > > > Without malicious parallel modifications, the walk is guaranteed to > > > > > terminate. The sequence of dentries maybe surprising in presence > > > > > of parallel directory or mount tree modifications and the iteration may > > > > > not ever finish in face of parallel malicious directory tree manipulations. > > > > > > > > Hold on. If it's really the case then is the landlock susceptible > > > > to this type of attack already ? > > > > landlock may infinitely loop in the kernel ? > > > > > > I think this only happens if the attacker can modify the mount or > > > directory tree as fast as the walk, which is probably impossible > > > in reality. > > > > Yes, so this is not an infinite loop but an infinite race between the > > kernel and a very fast malicious user space process with an infinite > > number of available nested writable directories, that would also require > > a filesystem (and a kernel) supporting infinite pathname length. > > Well, you definitely don't need infinite pathname length. Example: > > Have a dir hierarchy like: > > A > / \ > B C > | > D > > Start iterating from A/B/D, you climb up to A/B. In parallel atacker does: > > mv A/B/ A/C/; mkdir A/B > > Now by following parent you get to A/C. In parallel attaker does: > > mv A/C/ A/B/; mkdir A/C > > And now you are essentially where you've started so this can repeat > forever. Yes, this is the scenario I had in mind talking about "infinite race" (instead of infinite loop). For this to work it will require the filesystem to support an infinite number of nested directories, but I'm not sure which FS could be eligible. Anyway, what would would be the threat model for this infinite race? > > As others wrote this particular timing might be hard enough to hit for it > to not be a practical attack but I would not bet much on somebody not being > able to invent some variant that works, in particular with BPF iterator. There might exist corner cases that could be an issue but would the impact be different than with other kinds of path walk? What could we do to avoid or limit such issue? > > Honza > -- > Jan Kara <jack@...e.com> > SUSE Labs, CR
Powered by blists - more mailing lists