lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20251119183447.7185b739@pumpkin>
Date: Wed, 19 Nov 2025 18:34:47 +0000
From: David Laight <david.laight.linux@...il.com>
To: Alyssa Ross <hi@...ssa.is>
Cc: linux-fsdevel@...r.kernel.org, Demi Marie Obenour
 <demiobenour@...il.com>, Aleksa Sarai <cyphar@...har.com>, Jann Horn
 <jannh@...gle.com>, "Eric W. Biederman" <ebiederm@...ssion.com>,
 jlayton@...nel.org, Bruce Fields <bfields@...ldses.org>, Al Viro
 <viro@...iv.linux.org.uk>, Arnd Bergmann <arnd@...db.de>, shuah@...nel.org,
 David Howells <dhowells@...hat.com>, Andy Lutomirski <luto@...nel.org>,
 Christian Brauner <brauner@...nel.org>, Tycho Andersen <tycho@...ho.pizza>,
 linux-kernel@...r.kernel.org, linux-api@...r.kernel.org
Subject: Re: Safety of resolving untrusted paths with detached mount dirfd

On Wed, 19 Nov 2025 14:46:35 +0100
Alyssa Ross <hi@...ssa.is> wrote:

> Hello,
> 
> As we know, it's not safe to use chroot() for resolving untrusted paths
> within some root, as a subdirectory could be moved outside of the
> process root while walking the path[1].  On the other hand,
> LOOKUP_BENEATH is supposed to be robust against this, and going by [2],
> it sounds like resolving with the mount namespace root as dirfd should
> also be.
> 
> My question is: would resolving an untrusted path against a detached
> mount root dirfd opened with OPEN_TREE_CLONE (not necessarily a
> filesystem root) also be expected to be robust against traversal issues?
> i.e. can I rely on an untrusted path never resolving to a path that
> isn't under the mount root?
> 
> [1]: https://lore.kernel.org/lkml/CAG48ez30WJhbsro2HOc_DR7V91M+hNFzBP5ogRMZaxbAORvqzg@mail.gmail.com/
> [2]: https://lore.kernel.org/lkml/C89D720F-3CC4-4FA9-9CBB-E41A67360A6B@amacapital.net/

May not be directly relevant, but I found 'pwd' giving the wrong answer
when done inside a chroot (that isn't a filesytem mount point) after
'faffing' [1] with network namespaces.

The basic problem was that two kernel 'inode' structures end up referencing
the base of the chroot - so the pointer equality test fails.

So you could find the path of the chroot without any help from outside. 

[1] Brain thinks it might have been an 'unshare' to leave a network namespace
that cause the problem.

	David

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ