From: Linus Torvalds <torvalds@linux-foundation.org>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: Alexey Dobriyan <adobriyan@gmail.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
LSM List <linux-security-module@vger.kernel.org>,
Paul Moore <paul@paul-moore.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Eric Paris <eparis@parisplace.org>,
SElinux list <selinux@vger.kernel.org>,
Casey Schaufler <casey@schaufler-ca.com>,
Eric Biederman <ebiederm@xmission.com>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Matthew Wilcox <willy@infradead.org>,
Stephen Brennan <stephen.s.brennan@oracle.com>
Subject: Re: [PATCH v4] proc: Allow pid_revalidate() during LOOKUP_RCU
Date: Tue, 5 Jan 2021 12:38:31 -0800 [thread overview]
Message-ID: <CAHk-=wiP9EAP=JHGKG5LUCusVjVzTQoPVyweJkrX5dP=T_NxXw@mail.gmail.com> (raw)
In-Reply-To: <20210105195937.GX3579531@ZenIV.linux.org.uk>
On Tue, Jan 5, 2021 at 12:00 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
>
> We are not guaranteed the locking environment that would prevent
> dentry getting renamed right under us. And it's possible for
> old long name to be freed after rename, leading to UAF here.
This whole thing isn't important enough to get the dentry lock. It's
more of a hint than anything else.
Why isn't the fix to just use READ_ONCE() of the name pointer, and do
it under RCU?
That's what dentry_name() does for the much more complex case of
actually even following parent data for a depth up to 4, much less
just a single name.
So instead of
spin_lock(&dentry->d_lock);
audit_log_untrustedstring(ab, dentry->d_name.name);
spin_unlock(&dentry->d_lock);
why not
rcu_read_lock();
audit_log_untrustedstring(ab,
READ_ONCE(dentry->d_name.name));
rcu_read_unlock();
which looks a lot more in line with the other dentry path functions.
Maybe even have this as part of fs/d_path.c and try to get rid of
magic internal dentry name knowledge from the audit code?
Linus
next prev parent reply other threads:[~2021-01-05 20:39 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-04 23:21 [PATCH v4] proc: Allow pid_revalidate() during LOOKUP_RCU Stephen Brennan
2021-01-05 5:59 ` Al Viro
2021-01-05 16:50 ` Al Viro
2021-01-05 17:45 ` Al Viro
2021-01-05 19:59 ` Al Viro
2021-01-05 20:38 ` Linus Torvalds [this message]
2021-01-05 21:12 ` Al Viro
2021-01-05 23:25 ` Stephen Brennan
2021-01-06 0:00 ` Paul Moore
2021-01-06 0:38 ` Al Viro
2021-01-06 2:43 ` Paul Moore
2021-01-14 22:51 ` Stephen Brennan
2021-01-06 0:56 ` Stephen Brennan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHk-=wiP9EAP=JHGKG5LUCusVjVzTQoPVyweJkrX5dP=T_NxXw@mail.gmail.com' \
--to=torvalds@linux-foundation.org \
--cc=adobriyan@gmail.com \
--cc=casey@schaufler-ca.com \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=stephen.s.brennan@oracle.com \
--cc=stephen.smalley.work@gmail.com \
--cc=viro@zeniv.linux.org.uk \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.