From: bfields@fieldses.org (J. Bruce Fields)
To: Amir Goldstein <amir73il@gmail.com>
Cc: "Darrick J . Wong" <darrick.wong@oracle.com>,
Dave Chinner <david@fromorbit.com>,
Christoph Hellwig <hch@lst.de>,
Olga Kornievskaia <olga.kornievskaia@gmail.com>,
Luis Henriques <lhenriques@suse.com>,
Al Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org, linux-xfs@vger.kernel.org,
linux-nfs@vger.kernel.org, linux-cifs@vger.kernel.org,
ceph-devel@vger.kernel.org, linux-api@vger.kernel.org,
Dave Chinner <dchinner@redhat.com>
Subject: Re: [PATCH v2 5/8] vfs: copy_file_range needs to strip setuid bits
Date: Fri, 31 May 2019 15:34:23 -0400 [thread overview]
Message-ID: <20190531193423.GA3812@fieldses.org> (raw)
In-Reply-To: <20190526061100.21761-6-amir73il@gmail.com>
On Sun, May 26, 2019 at 09:10:56AM +0300, Amir Goldstein wrote:
> The file we are copying data into needs to have its setuid bit
> stripped before we start the data copy so that unprivileged users
> can't copy data into executables that are run with root privs.
>
> [Amir] Introduce the helper generic_copy_file_range_prep() modelled
> after generic_remap_file_range_prep(). Helper is called by filesystem
> before the copy_file_range operation and with output inode locked.
>
> For ceph and for default generic_copy_file_range() implementation there
> is no inode lock held throughout the copy operation, so we do best
> effort and remove setuid bit before copy starts. This does not protect
> suid file from changing if suid bit is set after copy started.
I'm not sure what it would accomplish to make setuid-clearing atomic
with the write.
If an attacker could write concurrently with your setting the setuid
bit, then they could probably also perform the write just before you set
the setuid bit.
I think clearing it at the start is all that's necessary, unless I'm
missing something.
--b.
>
> Signed-off-by: Dave Chinner <dchinner@redhat.com>
> Signed-off-by: Amir Goldstein <amir73il@gmail.com>
> ---
> fs/ceph/file.c | 9 +++++++++
> fs/cifs/cifsfs.c | 9 ++++++---
> fs/fuse/file.c | 4 ++++
> fs/nfs/nfs42proc.c | 8 +++++---
> fs/read_write.c | 31 +++++++++++++++++++++++++++++++
> include/linux/fs.h | 2 ++
> 6 files changed, 57 insertions(+), 6 deletions(-)
>
> diff --git a/fs/ceph/file.c b/fs/ceph/file.c
> index e87f7b2023af..54cfc877a6ef 100644
> --- a/fs/ceph/file.c
> +++ b/fs/ceph/file.c
> @@ -1947,6 +1947,15 @@ static ssize_t __ceph_copy_file_range(struct file *src_file, loff_t src_off,
> goto out;
> }
>
> + /* Should inode lock be held throughout the copy operation? */
> + inode_lock(dst_inode);
> + ret = generic_copy_file_range_prep(src_file, dst_file);
> + inode_unlock(dst_inode);
> + if (ret < 0) {
> + dout("failed to copy from src to dst file (%zd)\n", ret);
> + goto out;
> + }
> +
> /*
> * We need FILE_WR caps for dst_ci and FILE_RD for src_ci as other
> * clients may have dirty data in their caches. And OSDs know nothing
> diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
> index c65823270313..e103b499aaa8 100644
> --- a/fs/cifs/cifsfs.c
> +++ b/fs/cifs/cifsfs.c
> @@ -1096,6 +1096,10 @@ ssize_t cifs_file_copychunk_range(unsigned int xid,
> goto out;
> }
>
> + rc = -EOPNOTSUPP;
> + if (!target_tcon->ses->server->ops->copychunk_range)
> + goto out;
> +
> /*
> * Note: cifs case is easier than btrfs since server responsible for
> * checks for proper open modes and file type and if it wants
> @@ -1107,11 +1111,10 @@ ssize_t cifs_file_copychunk_range(unsigned int xid,
> /* should we flush first and last page first */
> truncate_inode_pages(&target_inode->i_data, 0);
>
> - if (target_tcon->ses->server->ops->copychunk_range)
> + rc = generic_copy_file_range_prep(src_file, dst_file);
> + if (!rc)
> rc = target_tcon->ses->server->ops->copychunk_range(xid,
> smb_file_src, smb_file_target, off, len, destoff);
> - else
> - rc = -EOPNOTSUPP;
>
> /* force revalidate of size and timestamps of target file now
> * that target is updated on the server
> diff --git a/fs/fuse/file.c b/fs/fuse/file.c
> index e03901ae729b..3531d4a3d9ec 100644
> --- a/fs/fuse/file.c
> +++ b/fs/fuse/file.c
> @@ -3128,6 +3128,10 @@ static ssize_t __fuse_copy_file_range(struct file *file_in, loff_t pos_in,
>
> inode_lock(inode_out);
>
> + err = generic_copy_file_range_prep(file_in, file_out);
> + if (err)
> + goto out;
> +
> if (fc->writeback_cache) {
> err = filemap_write_and_wait_range(inode_out->i_mapping,
> pos_out, pos_out + len);
> diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c
> index 5196bfa7894d..b387951e1d86 100644
> --- a/fs/nfs/nfs42proc.c
> +++ b/fs/nfs/nfs42proc.c
> @@ -345,9 +345,11 @@ ssize_t nfs42_proc_copy(struct file *src, loff_t pos_src,
>
> do {
> inode_lock(file_inode(dst));
> - err = _nfs42_proc_copy(src, src_lock,
> - dst, dst_lock,
> - &args, &res);
> + err = generic_copy_file_range_prep(src, dst);
> + if (!err)
> + err = _nfs42_proc_copy(src, src_lock,
> + dst, dst_lock,
> + &args, &res);
> inode_unlock(file_inode(dst));
>
> if (err >= 0)
> diff --git a/fs/read_write.c b/fs/read_write.c
> index b0fb1176b628..e16bcafc0da2 100644
> --- a/fs/read_write.c
> +++ b/fs/read_write.c
> @@ -1565,6 +1565,28 @@ COMPAT_SYSCALL_DEFINE4(sendfile64, int, out_fd, int, in_fd,
> }
> #endif
>
> +/*
> + * Prepare inodes for copy from @file_in to @file_out.
> + *
> + * Caller must hold output inode lock.
> + */
> +int generic_copy_file_range_prep(struct file *file_in, struct file *file_out)
> +{
> + int ret;
> +
> + WARN_ON_ONCE(!inode_is_locked(file_inode(file_out)));
> +
> + /*
> + * Clear the security bits if the process is not being run by root.
> + * This keeps people from modifying setuid and setgid binaries.
> + */
> + ret = file_remove_privs(file_out);
> +
> + return ret;
> +
> +}
> +EXPORT_SYMBOL(generic_copy_file_range_prep);
> +
> /**
> * generic_copy_file_range - copy data between two files
> * @file_in: file structure to read from
> @@ -1590,6 +1612,15 @@ ssize_t generic_copy_file_range(struct file *file_in, loff_t pos_in,
> struct file *file_out, loff_t pos_out,
> size_t len, unsigned int flags)
> {
> + int ret;
> +
> + /* Should inode lock be held throughout the copy operation? */
> + inode_lock(file_inode(file_out));
> + ret = generic_copy_file_range_prep(file_in, file_out);
> + inode_unlock(file_inode(file_out));
> + if (ret)
> + return ret;
> +
> return do_splice_direct(file_in, &pos_in, file_out, &pos_out,
> len > MAX_RW_COUNT ? MAX_RW_COUNT : len, 0);
> }
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index e4d382c4342a..3e03a96d9ab6 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -1889,6 +1889,8 @@ extern ssize_t vfs_readv(struct file *, const struct iovec __user *,
> unsigned long, loff_t *, rwf_t);
> extern ssize_t vfs_copy_file_range(struct file *, loff_t , struct file *,
> loff_t, size_t, unsigned int);
> +extern int generic_copy_file_range_prep(struct file *file_in,
> + struct file *file_out);
> extern ssize_t generic_copy_file_range(struct file *file_in, loff_t pos_in,
> struct file *file_out, loff_t pos_out,
> size_t len, unsigned int flags);
> --
> 2.17.1
next prev parent reply other threads:[~2019-05-31 19:34 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-26 6:10 [PATCH v2 0/8] Fixes for major copy_file_range() issues Amir Goldstein
2019-05-26 6:10 ` [PATCH v2 1/8] vfs: introduce generic_copy_file_range() Amir Goldstein
2019-05-28 16:11 ` Darrick J. Wong
2019-05-26 6:10 ` [PATCH v2 2/8] vfs: no fallback for ->copy_file_range Amir Goldstein
2019-05-28 16:09 ` Darrick J. Wong
2019-05-26 6:10 ` [PATCH v2 3/8] vfs: introduce generic_file_rw_checks() Amir Goldstein
2019-05-28 16:14 ` Darrick J. Wong
2019-05-26 6:10 ` [PATCH v2 4/8] vfs: add missing checks to copy_file_range Amir Goldstein
2019-05-28 16:18 ` Darrick J. Wong
2019-05-28 16:26 ` Amir Goldstein
2019-05-28 16:31 ` Darrick J. Wong
2019-05-28 16:39 ` Amir Goldstein
2019-05-26 6:10 ` [PATCH v2 5/8] vfs: copy_file_range needs to strip setuid bits Amir Goldstein
2019-05-28 16:25 ` Darrick J. Wong
2019-05-31 19:34 ` J. Bruce Fields [this message]
2019-05-26 6:10 ` [PATCH v2 6/8] vfs: copy_file_range should update file timestamps Amir Goldstein
2019-05-27 14:35 ` Luis Henriques
2019-05-27 22:05 ` Dave Chinner
2019-05-28 8:53 ` Luis Henriques
2019-05-28 16:30 ` Darrick J. Wong
2019-05-28 16:36 ` Amir Goldstein
2019-05-26 6:10 ` [PATCH v2 7/8] vfs: allow copy_file_range to copy across devices Amir Goldstein
2019-05-28 16:34 ` Darrick J. Wong
2019-05-26 6:10 ` [PATCH v2 8/8] vfs: remove redundant checks from generic_remap_checks() Amir Goldstein
2019-05-28 16:37 ` Darrick J. Wong
2019-05-26 6:11 ` [PATCH v2 9/8] man-pages: copy_file_range updates Amir Goldstein
2019-05-28 16:48 ` Darrick J. Wong
2019-05-29 16:20 ` Amir Goldstein
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190531193423.GA3812@fieldses.org \
--to=bfields@fieldses.org \
--cc=amir73il@gmail.com \
--cc=ceph-devel@vger.kernel.org \
--cc=darrick.wong@oracle.com \
--cc=david@fromorbit.com \
--cc=dchinner@redhat.com \
--cc=hch@lst.de \
--cc=lhenriques@suse.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=olga.kornievskaia@gmail.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).