From: "Darrick J. Wong" <darrick.wong@oracle.com>
To: Amir Goldstein <amir73il@gmail.com>
Cc: Dave Chinner <david@fromorbit.com>,
Christoph Hellwig <hch@lst.de>,
Olga Kornievskaia <olga.kornievskaia@gmail.com>,
Luis Henriques <lhenriques@suse.com>,
Al Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org, linux-xfs@vger.kernel.org,
linux-nfs@vger.kernel.org, linux-cifs@vger.kernel.org,
ceph-devel@vger.kernel.org, linux-api@vger.kernel.org,
Dave Chinner <dchinner@redhat.com>
Subject: Re: [PATCH v2 5/8] vfs: copy_file_range needs to strip setuid bits
Date: Tue, 28 May 2019 09:25:53 -0700 [thread overview]
Message-ID: <20190528162553.GE5221@magnolia> (raw)
In-Reply-To: <20190526061100.21761-6-amir73il@gmail.com>
On Sun, May 26, 2019 at 09:10:56AM +0300, Amir Goldstein wrote:
> The file we are copying data into needs to have its setuid bit
> stripped before we start the data copy so that unprivileged users
> can't copy data into executables that are run with root privs.
>
> [Amir] Introduce the helper generic_copy_file_range_prep() modelled
> after generic_remap_file_range_prep(). Helper is called by filesystem
> before the copy_file_range operation and with output inode locked.
>
> For ceph and for default generic_copy_file_range() implementation there
> is no inode lock held throughout the copy operation, so we do best
> effort and remove setuid bit before copy starts. This does not protect
> suid file from changing if suid bit is set after copy started.
Maybe we try to remove suid once more at the end of
generic_copy_file_range if the copy succeeds? It'd still be racy, but I
can't (currently, having drank no coffee yet) think of a general way to
hold both inodes locked during the entire copy operation.
--D
> Signed-off-by: Dave Chinner <dchinner@redhat.com>
> Signed-off-by: Amir Goldstein <amir73il@gmail.com>
> ---
> fs/ceph/file.c | 9 +++++++++
> fs/cifs/cifsfs.c | 9 ++++++---
> fs/fuse/file.c | 4 ++++
> fs/nfs/nfs42proc.c | 8 +++++---
> fs/read_write.c | 31 +++++++++++++++++++++++++++++++
> include/linux/fs.h | 2 ++
> 6 files changed, 57 insertions(+), 6 deletions(-)
>
> diff --git a/fs/ceph/file.c b/fs/ceph/file.c
> index e87f7b2023af..54cfc877a6ef 100644
> --- a/fs/ceph/file.c
> +++ b/fs/ceph/file.c
> @@ -1947,6 +1947,15 @@ static ssize_t __ceph_copy_file_range(struct file *src_file, loff_t src_off,
> goto out;
> }
>
> + /* Should inode lock be held throughout the copy operation? */
> + inode_lock(dst_inode);
> + ret = generic_copy_file_range_prep(src_file, dst_file);
> + inode_unlock(dst_inode);
> + if (ret < 0) {
> + dout("failed to copy from src to dst file (%zd)\n", ret);
> + goto out;
> + }
> +
> /*
> * We need FILE_WR caps for dst_ci and FILE_RD for src_ci as other
> * clients may have dirty data in their caches. And OSDs know nothing
> diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
> index c65823270313..e103b499aaa8 100644
> --- a/fs/cifs/cifsfs.c
> +++ b/fs/cifs/cifsfs.c
> @@ -1096,6 +1096,10 @@ ssize_t cifs_file_copychunk_range(unsigned int xid,
> goto out;
> }
>
> + rc = -EOPNOTSUPP;
> + if (!target_tcon->ses->server->ops->copychunk_range)
> + goto out;
> +
> /*
> * Note: cifs case is easier than btrfs since server responsible for
> * checks for proper open modes and file type and if it wants
> @@ -1107,11 +1111,10 @@ ssize_t cifs_file_copychunk_range(unsigned int xid,
> /* should we flush first and last page first */
> truncate_inode_pages(&target_inode->i_data, 0);
>
> - if (target_tcon->ses->server->ops->copychunk_range)
> + rc = generic_copy_file_range_prep(src_file, dst_file);
> + if (!rc)
> rc = target_tcon->ses->server->ops->copychunk_range(xid,
> smb_file_src, smb_file_target, off, len, destoff);
> - else
> - rc = -EOPNOTSUPP;
>
> /* force revalidate of size and timestamps of target file now
> * that target is updated on the server
> diff --git a/fs/fuse/file.c b/fs/fuse/file.c
> index e03901ae729b..3531d4a3d9ec 100644
> --- a/fs/fuse/file.c
> +++ b/fs/fuse/file.c
> @@ -3128,6 +3128,10 @@ static ssize_t __fuse_copy_file_range(struct file *file_in, loff_t pos_in,
>
> inode_lock(inode_out);
>
> + err = generic_copy_file_range_prep(file_in, file_out);
> + if (err)
> + goto out;
> +
> if (fc->writeback_cache) {
> err = filemap_write_and_wait_range(inode_out->i_mapping,
> pos_out, pos_out + len);
> diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c
> index 5196bfa7894d..b387951e1d86 100644
> --- a/fs/nfs/nfs42proc.c
> +++ b/fs/nfs/nfs42proc.c
> @@ -345,9 +345,11 @@ ssize_t nfs42_proc_copy(struct file *src, loff_t pos_src,
>
> do {
> inode_lock(file_inode(dst));
> - err = _nfs42_proc_copy(src, src_lock,
> - dst, dst_lock,
> - &args, &res);
> + err = generic_copy_file_range_prep(src, dst);
> + if (!err)
> + err = _nfs42_proc_copy(src, src_lock,
> + dst, dst_lock,
> + &args, &res);
> inode_unlock(file_inode(dst));
>
> if (err >= 0)
> diff --git a/fs/read_write.c b/fs/read_write.c
> index b0fb1176b628..e16bcafc0da2 100644
> --- a/fs/read_write.c
> +++ b/fs/read_write.c
> @@ -1565,6 +1565,28 @@ COMPAT_SYSCALL_DEFINE4(sendfile64, int, out_fd, int, in_fd,
> }
> #endif
>
> +/*
> + * Prepare inodes for copy from @file_in to @file_out.
> + *
> + * Caller must hold output inode lock.
> + */
> +int generic_copy_file_range_prep(struct file *file_in, struct file *file_out)
> +{
> + int ret;
> +
> + WARN_ON_ONCE(!inode_is_locked(file_inode(file_out)));
> +
> + /*
> + * Clear the security bits if the process is not being run by root.
> + * This keeps people from modifying setuid and setgid binaries.
> + */
> + ret = file_remove_privs(file_out);
> +
> + return ret;
> +
> +}
> +EXPORT_SYMBOL(generic_copy_file_range_prep);
> +
> /**
> * generic_copy_file_range - copy data between two files
> * @file_in: file structure to read from
> @@ -1590,6 +1612,15 @@ ssize_t generic_copy_file_range(struct file *file_in, loff_t pos_in,
> struct file *file_out, loff_t pos_out,
> size_t len, unsigned int flags)
> {
> + int ret;
> +
> + /* Should inode lock be held throughout the copy operation? */
> + inode_lock(file_inode(file_out));
> + ret = generic_copy_file_range_prep(file_in, file_out);
> + inode_unlock(file_inode(file_out));
> + if (ret)
> + return ret;
> +
> return do_splice_direct(file_in, &pos_in, file_out, &pos_out,
> len > MAX_RW_COUNT ? MAX_RW_COUNT : len, 0);
> }
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index e4d382c4342a..3e03a96d9ab6 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -1889,6 +1889,8 @@ extern ssize_t vfs_readv(struct file *, const struct iovec __user *,
> unsigned long, loff_t *, rwf_t);
> extern ssize_t vfs_copy_file_range(struct file *, loff_t , struct file *,
> loff_t, size_t, unsigned int);
> +extern int generic_copy_file_range_prep(struct file *file_in,
> + struct file *file_out);
> extern ssize_t generic_copy_file_range(struct file *file_in, loff_t pos_in,
> struct file *file_out, loff_t pos_out,
> size_t len, unsigned int flags);
> --
> 2.17.1
>
next prev parent reply other threads:[~2019-05-28 16:26 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-26 6:10 [PATCH v2 0/8] Fixes for major copy_file_range() issues Amir Goldstein
2019-05-26 6:10 ` [PATCH v2 1/8] vfs: introduce generic_copy_file_range() Amir Goldstein
2019-05-28 16:11 ` Darrick J. Wong
2019-05-26 6:10 ` [PATCH v2 2/8] vfs: no fallback for ->copy_file_range Amir Goldstein
2019-05-28 16:09 ` Darrick J. Wong
2019-05-26 6:10 ` [PATCH v2 3/8] vfs: introduce generic_file_rw_checks() Amir Goldstein
2019-05-28 16:14 ` Darrick J. Wong
2019-05-26 6:10 ` [PATCH v2 4/8] vfs: add missing checks to copy_file_range Amir Goldstein
2019-05-28 16:18 ` Darrick J. Wong
2019-05-28 16:26 ` Amir Goldstein
2019-05-28 16:31 ` Darrick J. Wong
2019-05-28 16:39 ` Amir Goldstein
2019-05-26 6:10 ` [PATCH v2 5/8] vfs: copy_file_range needs to strip setuid bits Amir Goldstein
2019-05-28 16:25 ` Darrick J. Wong [this message]
2019-05-31 19:34 ` J. Bruce Fields
2019-05-26 6:10 ` [PATCH v2 6/8] vfs: copy_file_range should update file timestamps Amir Goldstein
2019-05-27 14:35 ` Luis Henriques
2019-05-27 22:05 ` Dave Chinner
2019-05-28 8:53 ` Luis Henriques
2019-05-28 16:30 ` Darrick J. Wong
2019-05-28 16:36 ` Amir Goldstein
2019-05-26 6:10 ` [PATCH v2 7/8] vfs: allow copy_file_range to copy across devices Amir Goldstein
2019-05-28 16:34 ` Darrick J. Wong
2019-05-26 6:10 ` [PATCH v2 8/8] vfs: remove redundant checks from generic_remap_checks() Amir Goldstein
2019-05-28 16:37 ` Darrick J. Wong
2019-05-26 6:11 ` [PATCH v2 9/8] man-pages: copy_file_range updates Amir Goldstein
2019-05-28 16:48 ` Darrick J. Wong
2019-05-29 16:20 ` Amir Goldstein
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190528162553.GE5221@magnolia \
--to=darrick.wong@oracle.com \
--cc=amir73il@gmail.com \
--cc=ceph-devel@vger.kernel.org \
--cc=david@fromorbit.com \
--cc=dchinner@redhat.com \
--cc=hch@lst.de \
--cc=lhenriques@suse.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=olga.kornievskaia@gmail.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).