From: Kees Cook
Date: Fri, 8 Mar 2019 07:45:02 -0800
Subject: Re: [PATCH v2 (resend)] fs: Allow opening only regular files during execve().
To: Tetsuo Handa, Andrew Morton
Cc: Al Viro, Eric Biggers, Dmitry Vyukov, "linux-fsdevel@vger.kernel.org", syzbot

On Fri, Mar 8, 2019 at 3:20 AM Tetsuo Handa wrote:
>
> syzbot is hitting lockdep warning [1] due to trying to open a fifo during
> an execve() operation. But we don't need to open non-regular files during
> an execve() operation, for all files which we will need are the executable
> file itself and the interpreter programs like /bin/sh and ld-linux.so.2.
>
> Since the manpage for execve(2) says that execve() returns EACCES when
> the file or a script interpreter is not a regular file, and the manpage
> for uselib(2) says that uselib() can return EACCES, and we use FMODE_EXEC
> when opening for execve()/uselib(), we can bail out if a non-regular file
> is requested with FMODE_EXEC set.
>
> Since this deadlock followed by khungtaskd warnings is trivially
> reproducible by a local unprivileged user, and syzbot's frequent
> crash due to this deadlock defers finding other bugs, let's work around
> this deadlock until we get a chance to find a better solution.
>
> [1] https://syzkaller.appspot.com/bug?id=b5095bfec44ec84213bac54742a82483aad578ce
>
> Reported-by: syzbot
> Signed-off-by: Tetsuo Handa
> Fixes: 8924feff66f35fe2 ("splice: lift pipe_lock out of splice_to_pipe()")
> Cc: # 4.9+

Acked-by: Kees Cook

Andrew, can you take this for -mm?

-Kees

> ---
> fs/open.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/fs/open.c b/fs/open.c
> index 0285ce7..f1c2f85 100644
> --- a/fs/open.c
> +++ b/fs/open.c
> @@ -733,6 +733,12 @@ static int do_dentry_open(struct file *f, > return 0; > } > > + /* Any file opened for execve()/uselib() has to be a regular file. */ > + if (unlikely(f->f_flags & FMODE_EXEC && !S_ISREG(inode->i_mode))) { > + error = -EACCES; > + goto cleanup_file; > + } > + > if (f->f_mode & FMODE_WRITE && !special_file(inode->i_mode)) { > error = get_write_access(inode); > if (unlikely(error)) > -- > 1.8.3.1 > -- Kees Cook
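Review bot: the new condition tests FMODE_EXEC against f->f_flags, while the FMODE_WRITE test on the context line right below it reads f->f_mode. FMODE_EXEC is an fmode_t bit; what the exec path puts into the open flags is the int-typed alias __FMODE_EXEC, so `f->f_flags & __FMODE_EXEC` would be the consistent spelling, makes it obvious the check is on the open flags rather than the mode, and keeps sparse from complaining about the restricted type. The bit value is the same either way, so this is a type and readability point, not a logic problem with the check.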
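A userspace counterpart to the check, added here as an example (it is not code from the patch or from anyone in the thread): it probes the exec target with O_PATH, which takes the early-return path just above the new check and so never blocks on a FIFO, refuses anything that is not a regular file with EACCES, and execs through the checked fd with execveat() so no second path lookup is involved. The function names, the raw syscall() use and the /tmp fixture are my assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Resolve the target with O_PATH: such an open never calls the file's
 * ->open() method (it is the early "return 0" just above the patch's new
 * check in do_dentry_open()), so a FIFO cannot block waiting for a peer.
 * A regular file yields an O_PATH fd; anything else fails with EACCES. */
int open_exec_target(const char *path)
{
	struct stat st;
	int fd = open(path, O_PATH | O_CLOEXEC);
	if (fd < 0)
		return -1;		/* ENOENT etc. from open() */
	if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode))
		return fd;
	close(fd);
	errno = EACCES;			/* same answer the patched kernel gives */
	return -1;
}

/* execve() replacement: refuse non-regular targets, then exec the checked
 * inode itself through execveat(AT_EMPTY_PATH), so no second path lookup
 * can swap in a FIFO.  Raw syscall() because glibc only gained an execveat()
 * wrapper in 2.34 (assumption about the build host, not from the thread). */
int safe_execve(const char *path, char *const argv[], char *const envp[])
{
	int saved, fd = open_exec_target(path);
	if (fd < 0)
		return -1;
	syscall(SYS_execveat, fd, "", argv, envp, AT_EMPTY_PATH);
	saved = errno;			/* only reached when the exec failed */
	close(fd);
	errno = saved;
	return -1;
}

/* Constructed test fixture (not from the thread): a fresh FIFO under /tmp. */
static char fifo_path[] = "/tmp/execfifo.XXXXXX";
const char *make_test_fifo(void)
{
	int fd = mkstemp(fifo_path);	/* reserve a unique name, then replace it */
	if (fd < 0 || close(fd) < 0 || unlink(fifo_path) < 0)
		return NULL;
	return mkfifo(fifo_path, 0600) == 0 ? fifo_path : NULL;
}
```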