All of lore.kernel.org
 help / color / mirror / Atom feed
From: Eric Biggers <ebiggers@kernel.org>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
	linux-fsdevel@vger.kernel.org,
	syzbot <syzbot+0341f6a4d729d4e0acf1@syzkaller.appspotmail.com>,
	jmorris@namei.org, linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org, serge@hallyn.com,
	syzkaller-bugs@googlegroups.com, takedakn@nttdata.co.jp,
	"David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH v2] tomoyo: Don't check open/getattr permission on sockets.
Date: Thu, 22 Aug 2019 08:47:59 -0700	[thread overview]
Message-ID: <20190822154759.GA2020@zzz.localdomain> (raw)
In-Reply-To: <201908220742.x7M7gQJW078160@www262.sakura.ne.jp>

On Thu, Aug 22, 2019 at 04:42:26PM +0900, Tetsuo Handa wrote:
> Eric Biggers wrote:
> > On Thu, Aug 22, 2019 at 03:55:31PM +0900, Tetsuo Handa wrote:
> > > > Also, isn't the same bug in other places too?:
> > > > 
> > > > 	- tomoyo_path_chmod()
> > > > 	- tomoyo_path_chown()
> > > > 	- smack_inode_getsecurity()
> > > > 	- smack_inode_setsecurity()
> > > 
> > > What's the bug? The file descriptor returned by open(O_PATH) cannot be
> > > passed to read(2), write(2), fchmod(2), fchown(2), fgetxattr(2), mmap(2) etc.
> > > 
> > 
> > chmod(2), chown(2), getxattr(2), and setxattr(2) take a path, not a fd.
> > 
> 
> OK. Then, is the correct fix
> 
>   inode_lock(inode);
>   if (SOCKET_I(inode)->sk) {
>     // Can access SOCKET_I(sock)->sk->*
>   } else {
>     // Already close()d. Don't touch.
>   }
>   inode_unlock(inode);
> 
> thanks to
> 
>   commit 6d8c50dcb029872b ("socket: close race condition between sock_close() and sockfs_setattr()")
>   commit ff7b11aa481f682e ("net: socket: set sock->sk to NULL after calling proto_ops::release()")
> 
> changes?

inode_lock() is already held during security_path_chmod(),
security_path_chown(), and security_inode_setxattr().
So you can't just take it again.

- Eric

      reply	other threads:[~2019-08-22 15:48 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-06-05 18:42 KASAN: use-after-free Read in tomoyo_realpath_from_path syzbot
2019-06-05 22:09 ` Tetsuo Handa
2019-06-06  2:08 ` Tetsuo Handa
2019-06-06  5:20 ` Tetsuo Handa
2019-06-09  6:41   ` [PATCH] tomoyo: Don't check open/getattr permission on sockets Tetsuo Handa
2019-06-16  6:49     ` Tetsuo Handa
2019-06-18 20:49       ` Al Viro
2019-06-22  4:45         ` [PATCH v2] " Tetsuo Handa
2019-07-04 11:58           ` Tetsuo Handa
2019-07-07  2:44             ` James Morris
2019-07-07  2:50               ` James Morris
2019-08-09 15:51                 ` Tetsuo Handa
2019-09-03  6:52                 ` Tetsuo Handa
2019-09-13 13:41                   ` Tetsuo Handa
     [not found]                     ` <A9CE5147-4047-4C42-B772-F0ED510FA283@canb.auug.org.au>
2019-10-02 10:50                       ` Tetsuo Handa
2019-10-02 22:25                         ` Stephen Rothwell
2019-10-03  9:59                           ` Tetsuo Handa
2019-11-13 13:49                             ` Tetsuo Handa
2019-11-21  7:21                               ` James Morris
2019-11-21 10:18                                 ` Tetsuo Handa
2019-11-21 13:59                                   ` Tetsuo Handa
2019-12-04 12:50                                     ` Tetsuo Handa
2019-12-09 21:37                                       ` James Morris
2019-12-10 10:21                                         ` Tetsuo Handa
2019-12-10 23:02                                           ` Stephen Rothwell
2019-12-11 11:19                                             ` Tetsuo Handa
2019-10-02 22:22                     ` Stephen Rothwell
2019-08-22  6:30           ` Eric Biggers
2019-08-22  6:55             ` Tetsuo Handa
2019-08-22  7:01               ` Eric Biggers
2019-08-22  7:42                 ` Tetsuo Handa
2019-08-22 15:47                   ` Eric Biggers [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190822154759.GA2020@zzz.localdomain \
    --to=ebiggers@kernel.org \
    --cc=davem@davemloft.net \
    --cc=jmorris@namei.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=penguin-kernel@i-love.sakura.ne.jp \
    --cc=serge@hallyn.com \
    --cc=syzbot+0341f6a4d729d4e0acf1@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=takedakn@nttdata.co.jp \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.