lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 18 Jun 2020 08:19:59 +0000
From:   David Laight <David.Laight@...LAB.COM>
To:     'Kees Cook' <keescook@...omium.org>
CC:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "Sargun Dhillon" <sargun@...gun.me>,
        Christian Brauner <christian@...uner.io>,
        "David S. Miller" <davem@...emloft.net>,
        Christoph Hellwig <hch@....de>,
        "Tycho Andersen" <tycho@...ho.ws>,
        Jakub Kicinski <kuba@...nel.org>,
        Alexander Viro <viro@...iv.linux.org.uk>,
        Aleksa Sarai <cyphar@...har.com>,
        Matt Denton <mpdenton@...gle.com>,
        Jann Horn <jannh@...gle.com>, Chris Palmer <palmer@...gle.com>,
        Robert Sesek <rsesek@...gle.com>,
        Giuseppe Scrivano <gscrivan@...hat.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        "Andy Lutomirski" <luto@...capital.net>,
        Will Drewry <wad@...omium.org>, Shuah Khan <shuah@...nel.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "containers@...ts.linux-foundation.org" 
        <containers@...ts.linux-foundation.org>,
        "linux-api@...r.kernel.org" <linux-api@...r.kernel.org>,
        "linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
        "linux-kselftest@...r.kernel.org" <linux-kselftest@...r.kernel.org>
Subject: RE: [PATCH v4 03/11] fs: Add fd_install_received() wrapper for
 __fd_install_received()

From: Kees Cook
> Sent: 17 June 2020 20:58
> On Wed, Jun 17, 2020 at 03:35:20PM +0000, David Laight wrote:
> > From: Kees Cook
> > > Sent: 16 June 2020 04:25
> > >
> > > For both pidfd and seccomp, the __user pointer is not used. Update
> > > __fd_install_received() to make writing to ufd optional. (ufd
> > > itself cannot checked for NULL because this changes the SCM_RIGHTS
> > > interface behavior.) In these cases, the new fd needs to be returned
> > > on success.  Update the existing callers to handle it. Add new wrapper
> > > fd_install_received() for pidfd and seccomp that does not use the ufd
> > > argument.
> > ...>
> > >  static inline int fd_install_received_user(struct file *file, int __user *ufd,
> > >  					   unsigned int o_flags)
> > >  {
> > > -	return __fd_install_received(file, ufd, o_flags);
> > > +	return __fd_install_received(file, true, ufd, o_flags);
> > > +}
> >
> > Can you get rid of the 'return user' parameter by adding
> > 	if (!ufd) return -EFAULT;
> > to the above wrapper, then checking for NULL in the function?
> >
> > Or does that do the wrong horrid things in the fail path?
> 
> Oh, hm. No, that shouldn't break the failure path, since everything gets
> unwound in __fd_install_received if the ufd write fails.
> 
> Effectively this (I'll chop it up into the correct patches):

Yep, that's what i was thinking...

Personally I'm not sure that it matters whether the file is left
attached to a process fd when the copy_to_user() fails.
The kernel data structures are consistent either way.
So sane code relies on catching SIGSEGV, fixing thigs up,
and carrying on.
(IIRC the original /bin/sh code called sbrk() in its SIGSEGV
handler instead of doing the limit check in malloc()!)

The important error path is 'failing to get an fd number'.
In that case the caller needs to keep the 'file *' or close it.

I've not looked at the code, but I wonder if you need to pass
the 'file *' by reference so that you can consume it (write NULL)
and return an error.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Powered by blists - more mailing lists