From: Josef Bacik <josef@toxicpanda.com>
To: Linus Torvalds <torvalds@linuxfoundation.org>
Cc: ansgar.loesser@kom.tu-darmstadt.de,
"Darrick J. Wong" <djwong@kernel.org>,
"Christoph Hellwig" <hch@lst.de>,
"Amir Goldstein" <amir73il@gmail.com>,
"Mark Fasheh" <mark@fasheh.com>,
"Matthew Wilcox" <willy@infradead.org>,
"Miklos Szeredi" <mszeredi@redhat.com>,
"Al Viro" <viro@zeniv.linux.org.uk>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
"Security Officers" <security@kernel.org>,
"Max Schlecht" <max.schlecht@informatik.hu-berlin.de>,
"Björn Scheuermann" <scheuermann@kom.tu-darmstadt.de>
Subject: Re: Information Leak: FIDEDUPERANGE ioctl allows reading writeonly files
Date: Tue, 12 Jul 2022 16:03:56 -0400 [thread overview]
Message-ID: <Ys3TrAf95FpRgr+P@localhost.localdomain> (raw)
In-Reply-To: <CAHk-=wgEgAjX5gRntm0NutaNtjkzN+OaJVMaJAqved4dxPtAqw@mail.gmail.com>
On Tue, Jul 12, 2022 at 12:07:46PM -0700, Linus Torvalds wrote:
> On Tue, Jul 12, 2022 at 12:02 PM Josef Bacik <josef@toxicpanda.com> wrote:
> >
> > > Any permission checks done at IO time are basically always buggy:
> > > things may have changed since the 'open()', and those changes
> > > explicitly should *not* matter for the IO. That's really fundamentally
> > > how UNIX file permissions work.
> >
> > I don't think we should go this far, after all the normal
> > write()/read() syscalls do the permission checking each time as well,
>
> No, they really don't.
>
> The permission check is ONLY DONE AT OPEN TIME.
>
> Really. Go look.
>
I did, I just misread what rw_verify_area was doing, it's just doing the
security check, not a full POSIX permissions check, my mistake.
> Anything else is a bug. If you open a file, and then change the
> permissions of the file (or the ownership, or whatever) afterwards,
> the open file descriptor is still supposed to be readable or writable.
>
> Doing IO time permission checks is not only wrong, it's ACTIVELY
> BUGGY, and is a fairly common source of security problems (ie passing
> a file descriptor off to a suid binary, and then using the suid
> permissions to make changes that the original opener didn't have the
> rights to do).
>
> So if you do permission checks at read/write time, you are a buggy
> mess. It really is that simple.
>
> This is why read and write check FMODE_READ and FMODE_WRITE. That's
> the *open* time check.
>
> The fact that dedupe does that inode_permission() check at IO time
> really looks completely bogus and buggy.
>
Yeah I'm fine with removing the inode_permission(), I just want to make sure
we're consistent across all of our IO related operations. It looks like at the
very least we're getting security_*_permission on things like
read/write/fallocate, so perhaps switch to that here and call it good enough?
Thanks,
Josef
next prev parent reply other threads:[~2022-07-12 20:04 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-12 12:11 Information Leak: FIDEDUPERANGE ioctl allows reading writeonly files Ansgar Lößer
2022-07-12 17:33 ` Linus Torvalds
2022-07-12 18:43 ` Matthew Wilcox
2022-07-12 18:47 ` Linus Torvalds
2022-07-12 18:51 ` Linus Torvalds
2022-07-12 19:02 ` Josef Bacik
2022-07-12 19:07 ` Linus Torvalds
2022-07-12 19:23 ` Linus Torvalds
2022-07-12 20:03 ` Josef Bacik [this message]
2022-07-12 20:48 ` Linus Torvalds
2022-07-13 0:48 ` Darrick J. Wong
2022-07-13 2:58 ` Linus Torvalds
2022-07-13 4:14 ` Linus Torvalds
2022-07-13 6:46 ` Dave Chinner
2022-07-13 7:49 ` [PATCH] fs/remap: constrain dedupe of EOF blocks Dave Chinner
2022-07-13 8:19 ` Linus Torvalds
2022-07-13 17:18 ` Ansgar Lößer
2022-07-13 17:26 ` Linus Torvalds
2022-07-13 18:51 ` [PATCH] vf/remap: return the amount of bytes actually deduplicated Ansgar Lößer
2022-07-13 19:09 ` Linus Torvalds
2022-07-14 0:22 ` Dave Chinner
2022-07-14 1:03 ` Linus Torvalds
2022-07-16 21:15 ` Mark Fasheh
2022-07-14 22:32 ` Dave Chinner
2022-07-14 22:42 ` Linus Torvalds
2022-07-14 23:15 ` Dave Chinner
2022-07-13 8:16 ` Information Leak: FIDEDUPERANGE ioctl allows reading writeonly files Linus Torvalds
2022-07-13 23:48 ` Dave Chinner
2022-07-13 17:17 ` Ansgar Lößer
2022-07-13 17:16 ` Ansgar Lößer
2022-07-13 22:43 ` Dave Chinner
2022-07-13 17:14 ` Ansgar Lößer
2022-07-13 18:03 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Ys3TrAf95FpRgr+P@localhost.localdomain \
--to=josef@toxicpanda.com \
--cc=amir73il@gmail.com \
--cc=ansgar.loesser@kom.tu-darmstadt.de \
--cc=djwong@kernel.org \
--cc=hch@lst.de \
--cc=linux-fsdevel@vger.kernel.org \
--cc=mark@fasheh.com \
--cc=max.schlecht@informatik.hu-berlin.de \
--cc=mszeredi@redhat.com \
--cc=scheuermann@kom.tu-darmstadt.de \
--cc=security@kernel.org \
--cc=torvalds@linuxfoundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).