From: Al Viro <viro@zeniv.linux.org.uk>
To: Jan Kara <jack@suse.cz>
Cc: "Thomas Weißschuh" <thomas.weissschuh@linutronix.de>,
"Christian Brauner" <brauner@kernel.org>,
"Sargun Dhillon" <sargun@sargun.me>,
"Kees Cook" <kees@kernel.org>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH] fs: correctly check for errors from replace_fd() in receive_fd_replace()
Date: Fri, 1 Aug 2025 23:02:15 +0100 [thread overview]
Message-ID: <20250801220215.GS222315@ZenIV> (raw)
In-Reply-To: <fq2s55tc5hhvh4dfjdzek4neozffmn36rwdlsrsxxjqzts2f4c@j67nruhocdiz>
On Fri, Aug 01, 2025 at 12:48:09PM +0200, Jan Kara wrote:
> On Fri 01-08-25 09:38:38, Thomas Weißschuh wrote:
> > replace_fd() returns either a negative error number or the number of the
> > new file descriptor. The current code misinterprets any positive file
> > descriptor number as an error.
> >
> > Only check for negative error numbers, so that __receive_sock() is called
> > correctly for valid file descriptors.
> >
> > Fixes: 173817151b15 ("fs: Expand __receive_fd() to accept existing fd")
> > Fixes: 42eb0d54c08a ("fs: split receive_fd_replace from __receive_fd")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
>
> Indeed. I'm wondering how come nobody noticed...
One word: seccomp. Considering the background amount of bogus userland
behaviour coming with it, I wouldn't expect a... vigorous test coverage
for that one ;-/
It's definitely a bug that needs fixing, but I'm not sure this is the right
way to fix it.
Look: replace_fd(fd, file, flags) returns fd on success and -E... on failure.
Not a single user cares which non-negative value had been returned. What's
more, "returns fd on success" is a side effect of using do_dup2() and
being lazy about it.
And the entire thing is not on any hot paths. So I suspect that a better fix
would be
err = do_dup2(files, file, fd, flags);
if (err < 0)
return err;
return 0;
in replace_fd() in place of
return do_dup2(files, file, fd, flags);
so we don't invite more surprises like that.
next prev parent reply other threads:[~2025-08-01 22:02 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-01 7:38 [PATCH] fs: correctly check for errors from replace_fd() in receive_fd_replace() Thomas Weißschuh
2025-08-01 10:48 ` Jan Kara
2025-08-01 22:02 ` Al Viro [this message]
2025-08-04 8:38 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250801220215.GS222315@ZenIV \
--to=viro@zeniv.linux.org.uk \
--cc=brauner@kernel.org \
--cc=jack@suse.cz \
--cc=kees@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sargun@sargun.me \
--cc=stable@vger.kernel.org \
--cc=thomas.weissschuh@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.