From: "Darrick J. Wong" <darrick.wong@oracle.com>
To: "Luis R. Rodriguez" <mcgrof@kernel.org>
Cc: Eric Sandeen <sandeen@sandeen.net>,
linux-xfs@vger.kernel.org, jack@suse.com, jeffm@suse.com,
okurz@suse.com, lpechacek@suse.com, jtulak@redhat.com
Subject: Re: [PATCH v5 4/4] mkfs.xfs: add configuration file parsing support using our own parser
Date: Mon, 11 Jun 2018 18:02:00 -0700 [thread overview]
Message-ID: <20180612010200.GK22045@magnolia> (raw)
In-Reply-To: <20180612002352.GB5527@wotan.suse.de>
On Tue, Jun 12, 2018 at 02:23:52AM +0200, Luis R. Rodriguez wrote:
> On Mon, Jun 11, 2018 at 06:12:01PM -0500, Eric Sandeen wrote:
> > Darrick pointed out that this is a TOCTOU race between stat-ing and opening.
> > I think it makes more sense to open it, then fstat it, and if it's not ok,
> > close it and error out. LIke this?
> >
> > + fd = openat(AT_FDCWD, cli_config_file, O_NOFOLLOW, O_RDONLY);
> > + if (fd >= 0) {
> > + /* file in CWD or absolute path */
> > + ret = fstat(fd, &st);
The TOCTOU race is between statat (in the original code) and openat --
the statat succeeds and S_ISREG returns true, but someone else removes
and replaces the file path with (say) a socket in between the statat and
the openat, and now we're not reading what we thought we were.
The memcpy works exactly as you point out, but that's not the issue
here.
(Granted, I don't know that we actually /care/ from what kind of
filesystem object the configuration data came, but if that were the case
we wouldn't bother stat'ing.)
--D
> > + if (ret < 0)
> > + goto out_err;
> > +
> > + if (!S_ISREG(st.st_mode)) {
> > + errno = EINVAL;
> > + goto out_err;
> > + }
> > +
> > + memcpy(*fpath, cli_config_file, strlen(cli_config_file));
> > + } else {
>
> I've addressed this but I put the memcpy() to in effect if the file opens
> as the context above is for CLI and if the CLI was used for a config file
> it must exists, otherwise we want to explain which file we used which failed.
>
> For the default it is different, if the default file opens then yes we copy
> the name of the default file, however if it does not exists we immediately
> bail.
>
> Luis
> --
> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
prev parent reply other threads:[~2018-06-12 1:02 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-07 23:55 [PATCH v5 0/4] xfsprogs: add mkfs.xfs configuration file parsing support Luis R. Rodriguez
2018-06-07 23:55 ` [PATCH v5 1/4] mkfs: distinguish between struct sb_feat_args and struct cli_params Luis R. Rodriguez
2018-06-07 23:55 ` [PATCH v5 2/4] mkfs: move shared config structs and into their own headers Luis R. Rodriguez
2018-06-07 23:55 ` [PATCH v5 3/4] mkfs: replace defaults source with an enum Luis R. Rodriguez
2018-06-07 23:55 ` [PATCH v5 4/4] mkfs.xfs: add configuration file parsing support using our own parser Luis R. Rodriguez
2018-06-08 22:18 ` Dave Chinner
2018-06-11 23:12 ` Eric Sandeen
2018-06-12 0:23 ` Luis R. Rodriguez
2018-06-12 1:02 ` Darrick J. Wong [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180612010200.GK22045@magnolia \
--to=darrick.wong@oracle.com \
--cc=jack@suse.com \
--cc=jeffm@suse.com \
--cc=jtulak@redhat.com \
--cc=linux-xfs@vger.kernel.org \
--cc=lpechacek@suse.com \
--cc=mcgrof@kernel.org \
--cc=okurz@suse.com \
--cc=sandeen@sandeen.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox