Re: [PATCH v3 1/1] ovl: setxattr: don't deadlock when called from ima_fix_xattr.

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Al Viro <viro@ZenIV.linux.org.uk>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Krisztian Litkey <kli@iki.fi>,
	linux-unionfs@vger.kernel.org,
	Krisztian Litkey <krisztian.litkey@intel.com>,
	linux-security-module <linux-security-module@vger.kernel.org>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3 1/1] ovl: setxattr: don't deadlock when called from ima_fix_xattr.
Date: Fri, 20 May 2016 17:29:37 +0100	[thread overview]
Message-ID: <20160520162937.GU14480@ZenIV.linux.org.uk> (raw)
In-Reply-To: <1463754087.2763.17.camel@linux.vnet.ibm.com>

On Fri, May 20, 2016 at 10:21:27AM -0400, Mimi Zohar wrote:
> > +	if (mutex_is_locked(&upper->d_inode->i_mutex))
> > +		err = __vfs_setxattr_noperm(upper, name, value, size, flags);
> 
> As far as I'm aware, the only time that i_mutex is taken, is during
> __fput() when IMA writes security.ima.   Previous versions of this patch
> checked whether the xattr being written was security.ima.  It would
> probably be a good idea not to make that assumption here.   The question
> is what should happen if the i_mutex is locked, but the xattr isn't
> security.ima.  At minimum it should be audited.  Al, any comments?

ITYM "printable", and that's somewhat harder.  OK, let me try:

Anybody using ..._is_lock() kind of primitives that way ought to be
(re)educated before they are allowed near any kind of multithreaded
code _anywhere_.  mutex could've been held by a different thread of
execution and dropped just as mutex_is_locked() returns.  Or at any
subsequent point.  This is 100% bogus; one should *never* write that kind
of code.  As in "here's your well-earned F-, better luck next semester".

I haven't seen the full patch (you've quoted only a part of that gem), but
about the only way for it to be correct is to have it continue with
+ else
+       err = <identical call>

	Practically all calls of mutex_is_locked() are of form
WARN_ON(!mutex_is_locked(...)) or equivalent thereof.  And the rest contains
similar... wonders - for example, take a look at drivers/media/rc/imon.c;
imon_ir_change_protocol() has this
        if (!mutex_is_locked(&ictx->lock)) {
                unlock = true;
                mutex_lock(&ictx->lock);
        }

        retval = send_packet(ictx);
        if (retval)
                goto out;

        ictx->rc_type = *rc_type;
        ictx->pad_mouse = false;

out:
        if (unlock)
                mutex_unlock(&ictx->lock);
Finding why it's exploitably racy is left as a trivial exercise for readers...

Folks, if you see something of that sort in the code, it's a huge red flag.
There are legitimate uses of mutex_is_locked other than asserts, but those
are extremely rare.

I would need to see more context to be able to comment on the problem in
question, but this patch is almost certainly broken.

next prev parent reply	other threads:[~2016-05-20 16:29 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-05-15 18:52 [PATCH 1/1] ovl: setxattr: avoid deadlock when writing IMA xattrs Mimi Zohar
2016-05-15 20:07 ` [PATCH v2 1/1] ovl: setxattr: avoid deadlock when setting IMA xattr Krisztian Litkey
     [not found]   ` <201605161420.u4GEKLHk009316@d03av05.boulder.ibm.com>
2016-05-16 15:13     ` Krisztian Litkey
2016-05-16 20:22       ` Krisztian Litkey
2016-05-18 22:45         ` Mimi Zohar
2016-05-20  6:28           ` [PATCH v3 1/1] ovl: setxattr: don't deadlock when called from ima_fix_xattr Krisztian Litkey
2016-05-20 14:21             ` Mimi Zohar
2016-05-20 16:29               ` Al Viro [this message]
2016-05-20 17:00                 ` Mimi Zohar
2016-05-20 20:53                   ` Krisztian Litkey
2016-05-30 14:10                     ` Miklos Szeredi
2016-05-30 16:50                       ` Al Viro
2016-05-31  2:15                         ` Mimi Zohar
2016-05-31  2:15                         ` Mimi Zohar
2016-05-31  2:15                         ` Mimi Zohar
2016-05-31  2:15                         ` Mimi Zohar
2016-05-31  2:29                       ` Mimi Zohar
2016-05-31  2:29                       ` Mimi Zohar
2016-05-31  2:29                       ` Mimi Zohar
2016-05-31  2:29                       ` Mimi Zohar
2016-05-20 15:18             ` Andy Whitcroft

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160520162937.GU14480@ZenIV.linux.org.uk \
    --to=viro@zeniv.linux.org.uk \
    --cc=kli@iki.fi \
    --cc=krisztian.litkey@intel.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=linux-unionfs@vger.kernel.org \
    --cc=zohar@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.