lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <87cy5eqgn8.fsf@alyssa.is>
Date: Wed, 19 Nov 2025 14:46:35 +0100
From: Alyssa Ross <hi@...ssa.is>
To: linux-fsdevel@...r.kernel.org
Cc: Demi Marie Obenour <demiobenour@...il.com>, Aleksa Sarai
 <cyphar@...har.com>, Jann Horn <jannh@...gle.com>, "Eric W. Biederman"
 <ebiederm@...ssion.com>, jlayton@...nel.org, Bruce Fields
 <bfields@...ldses.org>, Al Viro <viro@...iv.linux.org.uk>, Arnd Bergmann
 <arnd@...db.de>, shuah@...nel.org, David Howells <dhowells@...hat.com>,
 Andy Lutomirski <luto@...nel.org>, Christian Brauner <brauner@...nel.org>,
 Tycho Andersen <tycho@...ho.pizza>, linux-kernel@...r.kernel.org,
 linux-api@...r.kernel.org
Subject: Safety of resolving untrusted paths with detached mount dirfd

Hello,

As we know, it's not safe to use chroot() for resolving untrusted paths
within some root, as a subdirectory could be moved outside of the
process root while walking the path[1].  On the other hand,
LOOKUP_BENEATH is supposed to be robust against this, and going by [2],
it sounds like resolving with the mount namespace root as dirfd should
also be.

My question is: would resolving an untrusted path against a detached
mount root dirfd opened with OPEN_TREE_CLONE (not necessarily a
filesystem root) also be expected to be robust against traversal issues?
i.e. can I rely on an untrusted path never resolving to a path that
isn't under the mount root?

[1]: https://lore.kernel.org/lkml/CAG48ez30WJhbsro2HOc_DR7V91M+hNFzBP5ogRMZaxbAORvqzg@mail.gmail.com/
[2]: https://lore.kernel.org/lkml/C89D720F-3CC4-4FA9-9CBB-E41A67360A6B@amacapital.net/

Download attachment "signature.asc" of type "application/pgp-signature" (228 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ