From: Kees Cook <keescook@chromium.org>
To: Christian Brauner <christian.brauner@ubuntu.com>
Cc: linux-kernel@vger.kernel.org, Sargun Dhillon <sargun@sargun.me>,
Christian Brauner <christian@brauner.io>,
Tycho Andersen <tycho@tycho.ws>,
David Laight <David.Laight@ACULAB.COM>,
Christoph Hellwig <hch@lst.de>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Aleksa Sarai <cyphar@cyphar.com>,
Matt Denton <mpdenton@google.com>, Jann Horn <jannh@google.com>,
Chris Palmer <palmer@google.com>,
Robert Sesek <rsesek@google.com>,
Giuseppe Scrivano <gscrivan@redhat.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Andy Lutomirski <luto@amacapital.net>,
Will Drewry <wad@chromium.org>, Shuah Khan <shuah@kernel.org>,
netdev@vger.kernel.org, containers@lists.linux-foundation.org,
linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-kselftest@vger.kernel.org
Subject: Re: [PATCH v6 1/7] net/scm: Regularize compat handling of scm_detach_fds()
Date: Wed, 8 Jul 2020 16:46:04 -0700 [thread overview]
Message-ID: <202007081636.5458B0B@keescook> (raw)
In-Reply-To: <20200707114103.lkfbt3kdtturp42z@wittgenstein>
On Tue, Jul 07, 2020 at 01:41:03PM +0200, Christian Brauner wrote:
> On Mon, Jul 06, 2020 at 01:17:14PM -0700, Kees Cook wrote:
> > Duplicate the cleanups from commit 2618d530dd8b ("net/scm: cleanup
> > scm_detach_fds") into the compat code.
> >
> > Move the check added in commit 1f466e1f15cf ("net: cleanly handle kernel
> > vs user buffers for ->msg_control") to before the compat call, even
> > though it should be impossible for an in-kernel call to also be compat.
> >
> > Correct the int "flags" argument to unsigned int to match fd_install()
> > and similar APIs.
> >
> > Regularize any remaining differences, including a whitespace issue,
> > a checkpatch warning, and add the check from commit 6900317f5eff ("net,
> > scm: fix PaX detected msg_controllen overflow in scm_detach_fds") which
> > fixed an overflow unique to 64-bit. To avoid confusion when comparing
> > the compat handler to the native handler, just include the same check
> > in the compat handler.
> >
> > Fixes: 48a87cc26c13 ("net: netprio: fd passed in SCM_RIGHTS datagram not set correctly")
> > Fixes: d84295067fc7 ("net: net_cls: fd passed in SCM_RIGHTS datagram not set correctly")
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
>
> Thanks. Just a comment below.
> Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Thanks!
> > include/net/scm.h | 1 +
> > net/compat.c | 55 +++++++++++++++++++++--------------------------
> > net/core/scm.c | 18 ++++++++--------
> > 3 files changed, 35 insertions(+), 39 deletions(-)
> >
> > diff --git a/include/net/scm.h b/include/net/scm.h
> > index 1ce365f4c256..581a94d6c613 100644
> > --- a/include/net/scm.h
> > +++ b/include/net/scm.h
> > @@ -37,6 +37,7 @@ struct scm_cookie {
> > #endif
> > };
> >
> > +int __scm_install_fd(struct file *file, int __user *ufd, unsigned int o_flags);
> > void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm);
> > void scm_detach_fds_compat(struct msghdr *msg, struct scm_cookie *scm);
> > int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm);
> > diff --git a/net/compat.c b/net/compat.c
> > index 5e3041a2c37d..27d477fdcaa0 100644
> > --- a/net/compat.c
> > +++ b/net/compat.c
> > @@ -281,39 +281,31 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
> > return 0;
> > }
> >
> > -void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
> > +static int scm_max_fds_compat(struct msghdr *msg)
> > {
> > - struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
> > - int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
> > - int fdnum = scm->fp->count;
> > - struct file **fp = scm->fp->fp;
> > - int __user *cmfptr;
> > - int err = 0, i;
> > + if (msg->msg_controllen <= sizeof(struct compat_cmsghdr))
> > + return 0;
> > + return (msg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
> > +}
> >
> > - if (fdnum < fdmax)
> > - fdmax = fdnum;
> > +void scm_detach_fds_compat(struct msghdr *msg, struct scm_cookie *scm)
> > +{
> > + struct compat_cmsghdr __user *cm =
> > + (struct compat_cmsghdr __user *)msg->msg_control;
> > + unsigned int o_flags = (msg->msg_flags & MSG_CMSG_CLOEXEC) ? O_CLOEXEC : 0;
> > + int fdmax = min_t(int, scm_max_fds_compat(msg), scm->fp->count);
>
> Just a note that SCM_RIGHTS fd-sending is limited to 253 (SCM_MAX_FD)
> fds so min_t should never ouput > SCM_MAX_FD here afaict.
>
> > + int __user *cmsg_data = CMSG_USER_DATA(cm);
> > + int err = 0, i;
> >
> > - for (i = 0, cmfptr = (int __user *) CMSG_COMPAT_DATA(cm); i < fdmax; i++, cmfptr++) {
> > - int new_fd;
> > - err = security_file_receive(fp[i]);
> > + for (i = 0; i < fdmax; i++) {
> > + err = __scm_install_fd(scm->fp->fp[i], cmsg_data + i, o_flags);
> > if (err)
> > break;
> > - err = get_unused_fd_flags(MSG_CMSG_CLOEXEC & kmsg->msg_flags
> > - ? O_CLOEXEC : 0);
> > - if (err < 0)
> > - break;
> > - new_fd = err;
> > - err = put_user(new_fd, cmfptr);
> > - if (err) {
> > - put_unused_fd(new_fd);
> > - break;
> > - }
> > - /* Bump the usage count and install the file. */
> > - fd_install(new_fd, get_file(fp[i]));
> > }
> >
> > if (i > 0) {
> > int cmlen = CMSG_COMPAT_LEN(i * sizeof(int));
> > +
> > err = put_user(SOL_SOCKET, &cm->cmsg_level);
> > if (!err)
> > err = put_user(SCM_RIGHTS, &cm->cmsg_type);
> > @@ -321,16 +313,19 @@ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
> > err = put_user(cmlen, &cm->cmsg_len);
> > if (!err) {
> > cmlen = CMSG_COMPAT_SPACE(i * sizeof(int));
> > - kmsg->msg_control += cmlen;
> > - kmsg->msg_controllen -= cmlen;
> > + if (msg->msg_controllen < cmlen)
> > + cmlen = msg->msg_controllen;
> > + msg->msg_control += cmlen;
> > + msg->msg_controllen -= cmlen;
> > }
> > }
> > - if (i < fdnum)
> > - kmsg->msg_flags |= MSG_CTRUNC;
> > +
> > + if (i < scm->fp->count || (scm->fp->count && fdmax <= 0))
>
> I think fdmax can't be < 0 after your changes? scm_max_fds() guarantees
> that fdmax is always >= 0 and min_t() guarantees that fdmax <= scm->fp->count.
> So the check should technically be :)
You left our your suggestion! :) But, I think you mean "== 0" ?
The check actually comes from the refactoring from commit 2618d530dd8b
("net/scm: cleanup scm_detach_fds") which I mostly copy/pasted into
compat. However, fdmax is an int, and scm->fp->count is signed so it's
possible fdmax is < 0 (but I don't think count can actually ever be <
0), but I don't want to refactor all the types just to fix this boundary
condition. :)
--
Kees Cook
next prev parent reply other threads:[~2020-07-08 23:46 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-06 20:17 [PATCH v6 0/7] Add seccomp notifier ioctl that enables adding fds Kees Cook
2020-07-06 20:17 ` [PATCH v6 1/7] net/scm: Regularize compat handling of scm_detach_fds() Kees Cook
2020-07-07 11:41 ` Christian Brauner
2020-07-08 23:46 ` Kees Cook [this message]
2020-07-06 20:17 ` [PATCH v6 2/7] fs: Move __scm_install_fd() to __receive_fd() Kees Cook
2020-07-07 6:49 ` Christoph Hellwig
2020-07-07 11:45 ` Christian Brauner
2020-07-06 20:17 ` [PATCH v6 3/7] fs: Add receive_fd() wrapper for __receive_fd() Kees Cook
2020-07-07 6:49 ` Christoph Hellwig
2020-07-07 11:49 ` Christian Brauner
2020-07-08 23:48 ` Kees Cook
2020-07-06 20:17 ` [PATCH v6 4/7] pidfd: Replace open-coded partial receive_fd() Kees Cook
2020-07-07 12:22 ` Christian Brauner
2020-07-08 23:49 ` Kees Cook
2020-07-09 6:35 ` Kees Cook
2020-07-09 12:54 ` Christian Brauner
2020-07-06 20:17 ` [PATCH v6 5/7] fs: Expand __receive_fd() to accept existing fd Kees Cook
2020-07-07 12:38 ` Christian Brauner
2020-07-08 23:52 ` Kees Cook
2020-07-06 20:17 ` [PATCH v6 6/7] seccomp: Introduce addfd ioctl to seccomp user notifier Kees Cook
2020-07-07 13:30 ` Christian Brauner
2020-07-09 6:12 ` Kees Cook
2020-07-09 13:08 ` Christian Brauner
2020-07-09 6:17 ` [PATCH v6.1 " Kees Cook
2020-07-09 6:22 ` Kees Cook
2020-07-06 20:17 ` [PATCH v6 7/7] selftests/seccomp: Test SECCOMP_IOCTL_NOTIF_ADDFD Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202007081636.5458B0B@keescook \
--to=keescook@chromium.org \
--cc=David.Laight@ACULAB.COM \
--cc=christian.brauner@ubuntu.com \
--cc=christian@brauner.io \
--cc=containers@lists.linux-foundation.org \
--cc=cyphar@cyphar.com \
--cc=davem@davemloft.net \
--cc=gregkh@linuxfoundation.org \
--cc=gscrivan@redhat.com \
--cc=hch@lst.de \
--cc=jannh@google.com \
--cc=kuba@kernel.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mpdenton@google.com \
--cc=netdev@vger.kernel.org \
--cc=palmer@google.com \
--cc=rsesek@google.com \
--cc=sargun@sargun.me \
--cc=shuah@kernel.org \
--cc=tycho@tycho.ws \
--cc=viro@zeniv.linux.org.uk \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.