From: Kees Cook <kees@kernel.org>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
cve@kernel.org, linux-kernel@vger.kernel.org,
"Günther Noack" <gnoack@google.com>,
linux-security-module@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: CVE-2024-40938: landlock: Fix d_parent walk
Date: Mon, 15 Jul 2024 09:11:35 -0700 [thread overview]
Message-ID: <202407150908.34E00AAD1@keescook> (raw)
In-Reply-To: <20240715.Eishohd0ehoo@digikod.net>
On Mon, Jul 15, 2024 at 02:20:59PM +0200, Mickaël Salaün wrote:
> On Mon, Jul 15, 2024 at 01:16:38PM +0200, Greg Kroah-Hartman wrote:
> > On Mon, Jul 15, 2024 at 12:37:53PM +0200, Mickaël Salaün wrote:
> > > Hello,
> > >
> > > AFAIK, commit 88da52ccd66e ("landlock: Fix d_parent walk") doesn't fix a
> > > security issue but an unexpected case. The triggered WARN_ON_ONCE() is
> > > just a canary, and this case was correctly handled with defensive
> > > programming and didn't allow to bypass the security policy nor to harm
> > > the kernel. However, this fix should indeed be backported.
> >
> > If a WARN_ON() is hit, a machine with panic_on_warn enabled will reboot,
> > hence if there is any way that userspace can hit this, it needs to be
> > issued a CVE, sorry.
>
> OK, I didn't know about this panic_on_warn rule for CVE. Out of
> curiosity, panic_on_warn is definitely useful for fuzzing and testing,
> but what is the rational to enable panic_on_warn on production systems?
> It literally transforms a warning message into a system DoS (i.e.
> WARN_ON into BUG_ON). We should explicitly use BUG_ON() if this is a
> critical unhandled case, right?
We need a way to raise WARN to panic for deployments that have tested
their workloads and want FORTIFY_SOURCE and UBSAN_BOUNDS to actually
perform mitigations instead of just warning. Linus rejected all prior
knobs for this and panic_on_warn (or better yet, kernel.warn_limit
syscall) is used for this purpose.
Userspace actions must never be able to reach a WARN or BUG state:
https://docs.kernel.org/process/deprecated.html#bug-and-bug-on
--
Kees Cook
next prev parent reply other threads:[~2024-07-15 16:11 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-12 12:27 CVE-2024-40938: landlock: Fix d_parent walk Greg Kroah-Hartman
2024-07-15 10:37 ` Mickaël Salaün
2024-07-15 11:16 ` Greg Kroah-Hartman
2024-07-15 12:20 ` Mickaël Salaün
2024-07-15 12:39 ` Greg Kroah-Hartman
2024-07-15 16:11 ` Kees Cook [this message]
2024-07-15 18:04 ` Mickaël Salaün
2024-07-15 20:17 ` Kees Cook
2024-07-16 7:17 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202407150908.34E00AAD1@keescook \
--to=kees@kernel.org \
--cc=cve@kernel.org \
--cc=gnoack@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.