From: Kees Cook <keescook@chromium.org>
To: Sargun Dhillon <sargun@sargun.me>
Cc: linux-kernel@vger.kernel.org,
Christian Brauner <christian@brauner.io>,
Tycho Andersen <tycho@tycho.ws>,
David Laight <David.Laight@ACULAB.COM>,
Christoph Hellwig <hch@lst.de>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Aleksa Sarai <cyphar@cyphar.com>,
Matt Denton <mpdenton@google.com>, Jann Horn <jannh@google.com>,
Chris Palmer <palmer@google.com>,
Robert Sesek <rsesek@google.com>,
Giuseppe Scrivano <gscrivan@redhat.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Andy Lutomirski <luto@amacapital.net>,
Will Drewry <wad@chromium.org>, Shuah Khan <shuah@kernel.org>,
netdev@vger.kernel.org, containers@lists.linux-foundation.org,
linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-kselftest@vger.kernel.org
Subject: Re: [PATCH v5 3/7] fs: Add fd_install_received() wrapper for __fd_install_received()
Date: Thu, 18 Jun 2020 13:13:03 -0700 [thread overview]
Message-ID: <202006181305.01F1B08@keescook> (raw)
In-Reply-To: <20200618054918.GB18669@ircssh-2.c.rugged-nimbus-611.internal>
On Thu, Jun 18, 2020 at 05:49:19AM +0000, Sargun Dhillon wrote:
> On Wed, Jun 17, 2020 at 03:03:23PM -0700, Kees Cook wrote:
> > [...]
> > static inline int fd_install_received_user(struct file *file, int __user *ufd,
> > unsigned int o_flags)
> > {
> > + if (ufd == NULL)
> > + return -EFAULT;
> Isn't this *technically* a behvaiour change? Nonetheless, I think this is a much better
> approach than forcing everyone to do null checking, and avoids at least one error case
> where the kernel installs FDs for SCM_RIGHTS, and they're not actualy usable.
So, the only behavior change I see is that the order of sanity checks is
changed.
The loop in scm_detach_fds() is:
for (i = 0; i < fdmax; i++) {
err = __scm_install_fd(scm->fp->fp[i], cmsg_data + i, o_flags);
if (err < 0)
break;
}
Before, __scm_install_fd() does:
error = security_file_receive(file);
if (error)
return error;
new_fd = get_unused_fd_flags(o_flags);
if (new_fd < 0)
return new_fd;
error = put_user(new_fd, ufd);
if (error) {
put_unused_fd(new_fd);
return error;
}
...
After, fd_install_received_user() and __fd_install_received() does:
if (ufd == NULL)
return -EFAULT;
...
error = security_file_receive(file);
if (error)
return error;
...
new_fd = get_unused_fd_flags(o_flags);
if (new_fd < 0)
return new_fd;
...
error = put_user(new_fd, ufd);
if (error) {
put_unused_fd(new_fd);
return error;
}
i.e. if a caller attempts a receive that is rejected by LSM *and*
includes a NULL userpointer destination, they will get an EFAULT now
instead of an EPERM.
I struggle to imagine a situation where this could possible matter
(both fail, neither installs files). It is only the error code that
is different. I am comfortable making this change and seeing if anyone
screams. If they do, I can restore the v4 "ufd_required" way of doing it.
> Reviewed-by: Sargun Dhillon <sargun@sargun.me>
Thanks!
--
Kees Cook
next prev parent reply other threads:[~2020-06-18 20:13 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-17 22:03 [PATCH v5 0/7] Add seccomp notifier ioctl that enables adding fds Kees Cook
2020-06-17 22:03 ` [PATCH v5 1/7] net/scm: Regularize compat handling of scm_detach_fds() Kees Cook
2020-06-17 22:03 ` [PATCH v5 2/7] fs: Move __scm_install_fd() to __fd_install_received() Kees Cook
2020-06-17 22:03 ` [PATCH v5 3/7] fs: Add fd_install_received() wrapper for __fd_install_received() Kees Cook
2020-06-18 5:49 ` Sargun Dhillon
2020-06-18 20:13 ` Kees Cook [this message]
2020-06-19 8:20 ` David Laight
2020-06-17 22:03 ` [PATCH v5 4/7] pidfd: Replace open-coded partial fd_install_received() Kees Cook
2020-07-06 13:07 ` Christian Brauner
2020-07-06 15:34 ` Kees Cook
2020-07-06 16:12 ` Christian Brauner
2020-07-06 16:38 ` Christian Brauner
2020-07-06 19:30 ` Kees Cook
2020-06-17 22:03 ` [PATCH v5 5/7] fs: Expand __fd_install_received() to accept fd Kees Cook
2020-06-17 22:03 ` [PATCH v5 6/7] seccomp: Introduce addfd ioctl to seccomp user notifier Kees Cook
2020-06-17 22:03 ` [PATCH v5 7/7] selftests/seccomp: Test SECCOMP_IOCTL_NOTIF_ADDFD Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202006181305.01F1B08@keescook \
--to=keescook@chromium.org \
--cc=David.Laight@ACULAB.COM \
--cc=christian@brauner.io \
--cc=containers@lists.linux-foundation.org \
--cc=cyphar@cyphar.com \
--cc=davem@davemloft.net \
--cc=gregkh@linuxfoundation.org \
--cc=gscrivan@redhat.com \
--cc=hch@lst.de \
--cc=jannh@google.com \
--cc=kuba@kernel.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mpdenton@google.com \
--cc=netdev@vger.kernel.org \
--cc=palmer@google.com \
--cc=rsesek@google.com \
--cc=sargun@sargun.me \
--cc=shuah@kernel.org \
--cc=tycho@tycho.ws \
--cc=viro@zeniv.linux.org.uk \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.