[WTF][landlock] d_is_negative(fd_file(f)->f

linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [WTF][landlock] d_is_negative(fd_file(f)->f_path.dentry) ???
@ 2025-04-24 22:00 Al Viro
  2025-04-25  9:38 ` Mickaël Salaün
  0 siblings, 1 reply; 2+ messages in thread
From: Al Viro @ 2025-04-24 22:00 UTC (permalink / raw)
  To: linux-security-module; +Cc: linux-fsdevel


static int get_path_from_fd(const s32 fd, struct path *const path)
{
...
        if ((fd_file(f)->f_op == &ruleset_fops) ||
            (fd_file(f)->f_path.mnt->mnt_flags & MNT_INTERNAL) ||
            (fd_file(f)->f_path.dentry->d_sb->s_flags & SB_NOUSER) ||
            d_is_negative(fd_file(f)->f_path.dentry) ||
            IS_PRIVATE(d_backing_inode(fd_file(f)->f_path.dentry)))
                return -EBADFD;

	Folks, could somebody explain how exactly can an opened file
come to have a _negative_ dentry?  And if you have found a way for that
to happen, why didn't you report the arseloads of NULL pointer dereference
bugs that would expose, along with assorted memory corruptors, etc.?

	Normally I would just quietly rip the bogus check out, but on
the off-chance that somebody _has_ found a bug that would cause that,
I would prefer to check with those who had added the check in the first
place.

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [WTF][landlock] d_is_negative(fd_file(f)->f_path.dentry) ???
  2025-04-24 22:00 [WTF][landlock] d_is_negative(fd_file(f)->f_path.dentry) ??? Al Viro
@ 2025-04-25  9:38 ` Mickaël Salaün
  0 siblings, 0 replies; 2+ messages in thread
From: Mickaël Salaün @ 2025-04-25  9:38 UTC (permalink / raw)
  To: Al Viro; +Cc: linux-security-module, linux-fsdevel, Günther Noack

On Thu, Apr 24, 2025 at 11:00:11PM +0100, Al Viro wrote:
> 
> static int get_path_from_fd(const s32 fd, struct path *const path)
> {
> ...
>         if ((fd_file(f)->f_op == &ruleset_fops) ||
>             (fd_file(f)->f_path.mnt->mnt_flags & MNT_INTERNAL) ||
>             (fd_file(f)->f_path.dentry->d_sb->s_flags & SB_NOUSER) ||
>             d_is_negative(fd_file(f)->f_path.dentry) ||
>             IS_PRIVATE(d_backing_inode(fd_file(f)->f_path.dentry)))
>                 return -EBADFD;
> 
> 	Folks, could somebody explain how exactly can an opened file
> come to have a _negative_ dentry?  And if you have found a way for that
> to happen, why didn't you report the arseloads of NULL pointer dereference
> bugs that would expose, along with assorted memory corruptors, etc.?

I wasn't sure if it was possible or not (for any possible FD), and as a
preventive approach I preferred to check that before dereferencing the
inode.

> 
> 	Normally I would just quietly rip the bogus check out, but on
> the off-chance that somebody _has_ found a bug that would cause that,
> I would prefer to check with those who had added the check in the first
> place.

Thanks for the heads up.  I don't have a specific scenario in mind, feel
free to remove this check if it looks overcautious to you.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2025-04-25  9:45 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-04-24 22:00 [WTF][landlock] d_is_negative(fd_file(f)->f_path.dentry) ??? Al Viro
2025-04-25  9:38 ` Mickaël Salaün

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).