| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 23 Nov 2019 04:51:51 +0000
From: Al Viro <viro@...iv.linux.org.uk>
To: Alexei Starovoitov <alexei.starovoitov@...il.com>
Cc: Wenbo Zhang <ethercflow@...il.com>, bpf@...r.kernel.org,
ast@...nel.org.com, daniel@...earbox.net, yhs@...com,
andrii.nakryiko@...il.com, netdev@...r.kernel.org,
linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH bpf-next v10 1/2] bpf: add new helper get_file_path for
mapping a file descriptor to a pathname
On Fri, Nov 22, 2019 at 07:18:28PM -0800, Alexei Starovoitov wrote:
> > + f = fget_raw(fd);
> > + if (!f)
> > + goto error;
> > +
> > + /* For unmountable pseudo filesystem, it seems to have no meaning
> > + * to get their fake paths as they don't have path, and to be no
> > + * way to validate this function pointer can be always safe to call
> > + * in the current context.
> > + */
> > + if (f->f_path.dentry->d_op && f->f_path.dentry->d_op->d_dname)
> > + return -EINVAL;
An obvious leak here, BTW.
Anyway, what could that be used for? I mean, if you want to check
something about syscall arguments, that's an unfixably racy way to go.
Descriptor table can be a shared data structure, and two consequent
fdget() on the same number can bloody well yield completely unrelated
struct file references.
IOW, anything that does descriptor -> struct file * translation more than
once is an instant TOCTOU suspect. In this particular case, the function
will produce a pathname of something that was once reachable via descriptor
with this number; quite possibly never before that function had been called
_and_ not once after it has returned.
Powered by blists - more mailing lists