From: Al Viro <viro@zeniv.linux.org.uk>
To: Mateusz Guzik <mjguzik@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Christian Brauner <brauner@kernel.org>,
serge@hallyn.com, paul@paul-moore.com,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v3 2/2] vfs: avoid duplicating creds in faccessat if possible
Date: Thu, 2 Mar 2023 19:18:24 +0000 [thread overview]
Message-ID: <ZAD2gEQA6edzMJvl@ZenIV> (raw)
In-Reply-To: <ZADysodnEPRqhKqc@ZenIV>
On Thu, Mar 02, 2023 at 07:02:10PM +0000, Al Viro wrote:
> On Thu, Mar 02, 2023 at 06:43:39PM +0000, Al Viro wrote:
> > On Thu, Mar 02, 2023 at 07:22:17PM +0100, Mateusz Guzik wrote:
> >
> > > Ops, I meant "names_cache", here:
> > > names_cachep = kmem_cache_create_usercopy("names_cache", PATH_MAX, 0,
> > > SLAB_HWCACHE_ALIGN|SLAB_PANIC, 0, PATH_MAX, NULL);
> > >
> > > it is fs/dcache.c and I brainfarted into the above.
> >
> > So you mean __getname() stuff?
>
> The thing is, getname_flags()/getname_kernel() is not the only user of that
> thing; grep and you'll see (and keep in mind that cifs alloc_dentry_path()
> is a __getname() wrapper, with its own callers). We might have bugs papered
> over^W^Whardened away^W^Wpapered over in some of those users.
>
> I agree that getname_flags()/getname_kernel()/sys_getcwd() have no need of
> pre-zeroing; fw_get_filesystem_firmware(), ceph_mdsc_build_path(),
> [hostfs]dentry_name() and ima_d_path() seem to be safe. So's
> vboxsf_path_from_dentry() (I think). But with this bunch I'd need
> a review before I'd be willing to say "this security theatre buys us
> nothing here":
[snip the list]
PS: ripping this bandaid off might very well be the right thing to do, it's just
that "I'm confident there is 0 hardening benefit for it" needs a code review
is some moderately grotty places. It's not too awful (e.g. in case of cifs
most of the callers are immediately followed by build_path_from_dentry(), which
stores the pathname in the end of page and returns the pointer to beginning
of initialized part; verifying that after that allocation + build_path we
only access the parts past the returned pointer until it's time to free the
buffer is not hard), but it's worth doing.
next prev parent reply other threads:[~2023-03-02 19:18 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-25 15:55 [PATCH v3 1/2] capability: add cap_isidentical Mateusz Guzik
2023-01-25 15:55 ` [PATCH v3 2/2] vfs: avoid duplicating creds in faccessat if possible Mateusz Guzik
2023-02-28 0:44 ` Linus Torvalds
2023-03-02 8:30 ` Christian Brauner
2023-03-02 17:51 ` Linus Torvalds
2023-03-02 18:14 ` Mateusz Guzik
2023-03-02 18:18 ` Al Viro
2023-03-02 18:22 ` Mateusz Guzik
2023-03-02 18:43 ` Al Viro
2023-03-02 18:51 ` Mateusz Guzik
2023-03-02 19:02 ` Al Viro
2023-03-02 19:18 ` Al Viro [this message]
2023-03-02 19:03 ` Linus Torvalds
2023-03-02 19:10 ` Linus Torvalds
2023-03-02 19:19 ` Al Viro
2023-03-02 19:54 ` Kees Cook
2023-03-02 20:11 ` Al Viro
2023-03-03 15:30 ` Alexander Potapenko
2023-03-03 17:39 ` Mateusz Guzik
2023-03-03 17:54 ` Linus Torvalds
2023-03-03 19:37 ` Mateusz Guzik
2023-03-03 19:38 ` Mateusz Guzik
2023-03-03 20:08 ` Linus Torvalds
2023-03-03 20:39 ` Mateusz Guzik
2023-03-03 20:58 ` Linus Torvalds
2023-03-03 21:09 ` Mateusz Guzik
2023-03-04 19:01 ` Mateusz Guzik
2023-03-04 20:31 ` Mateusz Guzik
2023-03-04 20:48 ` Linus Torvalds
2023-03-05 17:23 ` David Laight
2023-03-04 1:29 ` Linus Torvalds
2023-03-04 3:25 ` Yury Norov
2023-03-04 3:42 ` Linus Torvalds
2023-03-04 5:51 ` Yury Norov
2023-03-04 16:41 ` David Vernet
2023-03-04 19:02 ` Linus Torvalds
2023-03-04 19:19 ` Linus Torvalds
2023-03-04 20:34 ` Linus Torvalds
2023-03-04 20:51 ` Yury Norov
2023-03-04 21:01 ` Linus Torvalds
2023-03-04 21:03 ` Linus Torvalds
2023-03-04 21:10 ` Linus Torvalds
2023-03-04 23:08 ` Linus Torvalds
2023-03-04 23:52 ` Linus Torvalds
2023-03-05 9:26 ` Sedat Dilek
2023-03-05 18:17 ` Linus Torvalds
2023-03-05 18:43 ` Linus Torvalds
2023-03-06 5:43 ` Yury Norov
2023-03-04 20:18 ` Al Viro
2023-03-04 20:42 ` Mateusz Guzik
2023-03-02 19:38 ` Kees Cook
2023-03-02 19:48 ` Eric Biggers
2023-03-02 18:41 ` Al Viro
2023-03-03 14:49 ` Christian Brauner
2023-03-02 18:11 ` Al Viro
2023-03-03 14:27 ` Christian Brauner
2023-02-28 1:14 ` [PATCH v3 1/2] capability: add cap_isidentical Linus Torvalds
2023-02-28 2:46 ` Casey Schaufler
2023-02-28 14:47 ` Mateusz Guzik
2023-02-28 19:39 ` Linus Torvalds
2023-02-28 19:51 ` Linus Torvalds
2023-02-28 20:48 ` Linus Torvalds
2023-02-28 21:21 ` Mateusz Guzik
2023-02-28 21:29 ` Linus Torvalds
2023-03-01 18:13 ` Linus Torvalds
2023-02-28 17:32 ` Serge E. Hallyn
2023-02-28 17:52 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZAD2gEQA6edzMJvl@ZenIV \
--to=viro@zeniv.linux.org.uk \
--cc=brauner@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjguzik@gmail.com \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.