From mboxrd@z Thu Jan 1 00:00:00 1970
From: Al Viro
Subject: Re: [PATCH v17 08/13] namei: LOOKUP_BENEATH: O_BENEATH-like scoped resolution
Date: Mon, 25 Nov 2019 00:26:04 +0000
Message-ID: <20191125002604.GE4203@ZenIV.linux.org.uk>
References: <20191117011713.13032-1-cyphar@cyphar.com> <20191117011713.13032-9-cyphar@cyphar.com>
In-Reply-To: <20191117011713.13032-9-cyphar@cyphar.com>
Sender: "Linuxppc-dev"
To: Aleksa Sarai
Cc: Song Liu, linux-ia64@vger.kernel.org, linux-doc@vger.kernel.org, Peter Zijlstra, Rasmus Villemoes, Alexei Starovoitov, linux-kernel@vger.kernel.org, David Howells, linux-kselftest@vger.kernel.org, sparclinux@vger.kernel.org, containers@lists.linux-foundation.org, Christian Brauner, linux-api@vger.kernel.org, Shuah Khan, linux-arch@vger.kernel.org, linux-s390@vger.kernel.org, Tycho Andersen, Daniel Borkmann, Jonathan Corbet, Jiri Olsa, linux-sh@vger.kernel.org, Alexander Shishkin, Ingo Molnar, linux-arm-kernel@lists.infradead.org, Yonghong Song, linux-mips@vger.kernel.o

On Sun, Nov 17, 2019 at 12:17:08PM +1100, Aleksa Sarai wrote:
> + if (unlikely(nd->flags & LOOKUP_IS_SCOPED)) {
> + /*
> + * Do a final check to ensure that the path didn't escape. Note
> + * that this should already be guaranteed by all of the other
> + * LOOKUP_IS_SCOPED checks (and delaying this check this late
> + * does open the door to some possible timing-based attacks).
> + */
> + if (WARN_ON(!path_is_under(&nd->path, &nd->root)))
> + return -EXDEV;

I don't like that.  What it gives is an ability to race that with
rename(), with user-triggered WARN_ON.
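Review bot: the WARN_ON() wrapped around path_is_under() fires on a state that userspace can produce at will: a rename() racing with the lookup can move nd->path out of nd->root after the earlier LOOKUP_IS_SCOPED checks have run, so the failing condition is not a kernel invariant and must not warn. Suggest a plain `if (!path_is_under(&nd->path, &nd->root)) return -EXDEV;` with no WARN_ON, and a comment that states what the test actually establishes, namely that the result was under the root at the instant of the check and can be moved out immediately afterwards, in place of the "timing-based attacks" aside, which also contradicts the preceding sentence's claim that the other checks already guarantee containment.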
You *can't* promise that result of lookup is in a subtree, simply because
it can get moved just as you've declared it to be in the clear.  Anyone
who relies upon that is delusional; it really can't be done.

What warranties is LOOKUP_IS_SCOPED really supposed to provide?  That we
do not attempt to walk out of the subtree rooted at the start point?  Fine,
but this is not what this test does.

What are you trying to achieve there?  If it's "what we'd got was at one
point in our subtree", the test is more or less right, but WARN_ON isn't.
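Added example, not part of the patch or of the reply above: a user-space C program that reproduces the failure mode sequentially rather than as a race. fd_is_under() is a stand-in for the kernel's path_is_under() written for this example (it walks ".." from a directory handle and compares st_dev/st_ino against the root); the directory layout under $TMPDIR is constructed here. The same O_PATH handle that passes the containment check resolves outside the root after a single rename(), which is why a post-hoc "is it still under the root" test is only a snapshot and can be neither an invariant nor a WARN_ON.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Two stat results name the same inode on the same device. */
static int same_inode(const struct stat *a, const struct stat *b)
{
	return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/*
 * Example stand-in for the kernel's path_is_under(): walk ".." from fd
 * until we meet root_fd's inode (return 1) or reach "/" where ".." is
 * itself (return 0).  -1 on error.  Like the kernel test, this is a
 * snapshot: nothing pins the directory in place once we return.
 */
static int fd_is_under(int fd, int root_fd)
{
	struct stat root_st, cur_st, parent_st;
	int cur = dup(fd), parent, ret = -1;

	if (cur < 0 || fstat(root_fd, &root_st) < 0)
		goto out;
	for (;;) {
		if (fstat(cur, &cur_st) < 0)
			break;
		if (same_inode(&cur_st, &root_st)) {
			ret = 1;
			break;
		}
		parent = openat(cur, "..", O_PATH | O_DIRECTORY);
		if (parent < 0)
			break;
		close(cur);
		cur = parent;
		if (fstat(cur, &parent_st) < 0)
			break;
		if (same_inode(&parent_st, &cur_st)) {
			ret = 0;	/* reached "/" without meeting root_fd */
			break;
		}
	}
out:
	if (cur >= 0)
		close(cur);
	return ret;
}

/*
 * Sequential version of the race: check that "sub" is under "root", then
 * rename() it out.  Returns 1 if the handle that passed the check now
 * lies outside the root, 0 if it somehow still passes, -1 on setup error.
 */
int check_then_move(void)
{
	const char *tmpdir = getenv("TMPDIR");	/* constructed layout lives here */
	char base[256], root[256], sub[256], outside[256], moved[256];
	int root_fd = -1, sub_fd = -1, before = -1, after = -1;

	snprintf(base, sizeof base, "%s/scoped-XXXXXX", tmpdir ? tmpdir : "/tmp");
	if (!mkdtemp(base))
		return -1;
	snprintf(root, sizeof root, "%s/root", base);
	snprintf(sub, sizeof sub, "%s/root/sub", base);
	snprintf(outside, sizeof outside, "%s/outside", base);
	snprintf(moved, sizeof moved, "%s/outside/sub", base);

	if (mkdir(root, 0700) || mkdir(sub, 0700) || mkdir(outside, 0700))
		goto out;
	root_fd = open(root, O_PATH | O_DIRECTORY);
	sub_fd = open(sub, O_PATH | O_DIRECTORY);
	if (root_fd < 0 || sub_fd < 0)
		goto out;

	before = fd_is_under(sub_fd, root_fd);	/* the "final check" passes */
	if (rename(sub, moved) < 0)		/* the racing rename() */
		goto out;
	after = fd_is_under(sub_fd, root_fd);	/* same fd, now outside root */
out:
	if (sub_fd >= 0)
		close(sub_fd);
	if (root_fd >= 0)
		close(root_fd);
	rmdir(moved); rmdir(sub); rmdir(outside); rmdir(root); rmdir(base);
	if (before < 0 || after < 0)
		return -1;
	return before == 1 && after == 0;
}

int main(void)
{
	int r = check_then_move();

	if (r < 0)
		return perror("check_then_move"), 1;
	printf("passed containment check, then escaped via rename(): %s\n",
	       r ? "yes" : "no");
	return 0;
}
```

The program does the rename() itself between the two checks; a real attacker does it from another thread while the lookup runs, and the kernel has the same view as this user-space walk does: the answer is correct only for the instant it was computed.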