From: Eric Biggers <ebiggers@kernel.org>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org,
syzbot <syzbot+0341f6a4d729d4e0acf1@syzkaller.appspotmail.com>,
jmorris@namei.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, serge@hallyn.com,
syzkaller-bugs@googlegroups.com, takedakn@nttdata.co.jp,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH v2] tomoyo: Don't check open/getattr permission on sockets.
Date: Thu, 22 Aug 2019 08:47:59 -0700 [thread overview]
Message-ID: <20190822154759.GA2020@zzz.localdomain> (raw)
In-Reply-To: <201908220742.x7M7gQJW078160@www262.sakura.ne.jp>
On Thu, Aug 22, 2019 at 04:42:26PM +0900, Tetsuo Handa wrote:
> Eric Biggers wrote:
> > On Thu, Aug 22, 2019 at 03:55:31PM +0900, Tetsuo Handa wrote:
> > > > Also, isn't the same bug in other places too?:
> > > >
> > > > - tomoyo_path_chmod()
> > > > - tomoyo_path_chown()
> > > > - smack_inode_getsecurity()
> > > > - smack_inode_setsecurity()
> > >
> > > What's the bug? The file descriptor returned by open(O_PATH) cannot be
> > > passed to read(2), write(2), fchmod(2), fchown(2), fgetxattr(2), mmap(2) etc.
> > >
> >
> > chmod(2), chown(2), getxattr(2), and setxattr(2) take a path, not a fd.
> >
>
> OK. Then, is the correct fix
>
> inode_lock(inode);
> if (SOCKET_I(inode)->sk) {
> // Can access SOCKET_I(sock)->sk->*
> } else {
> // Already close()d. Don't touch.
> }
> inode_unlock(inode);
>
> thanks to
>
> commit 6d8c50dcb029872b ("socket: close race condition between sock_close() and sockfs_setattr()")
> commit ff7b11aa481f682e ("net: socket: set sock->sk to NULL after calling proto_ops::release()")
>
> changes?
inode_lock() is already held during security_path_chmod(),
security_path_chown(), and security_inode_setxattr().
So you can't just take it again.
- Eric
prev parent reply other threads:[~2019-08-22 15:48 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <0000000000004f43fa058a97f4d3@google.com>
2019-06-06 2:08 ` KASAN: use-after-free Read in tomoyo_realpath_from_path Tetsuo Handa
2019-06-06 5:20 ` Tetsuo Handa
2019-06-09 6:41 ` [PATCH] tomoyo: Don't check open/getattr permission on sockets Tetsuo Handa
2019-06-16 6:49 ` Tetsuo Handa
2019-06-18 20:49 ` Al Viro
2019-06-22 4:45 ` [PATCH v2] " Tetsuo Handa
2019-08-22 6:30 ` Eric Biggers
2019-08-22 6:55 ` Tetsuo Handa
2019-08-22 7:01 ` Eric Biggers
2019-08-22 7:42 ` Tetsuo Handa
2019-08-22 15:47 ` Eric Biggers [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190822154759.GA2020@zzz.localdomain \
--to=ebiggers@kernel.org \
--cc=davem@davemloft.net \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=serge@hallyn.com \
--cc=syzbot+0341f6a4d729d4e0acf1@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=takedakn@nttdata.co.jp \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).