From: Al Viro <viro@zeniv.linux.org.uk>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH] umh: fix refcount underflow in fork_usermode_blob().
Date: Thu, 12 Mar 2020 14:38:01 +0000 [thread overview]
Message-ID: <20200312143801.GJ23230@ZenIV.linux.org.uk> (raw)
In-Reply-To: <2a8775b4-1dd5-9d5c-aa42-9872445e0942@i-love.sakura.ne.jp>
On Thu, Mar 12, 2020 at 10:43:00PM +0900, Tetsuo Handa wrote:
> Before thinking how to fix a bug that tomoyo_realpath_nofollow() from
> tomoyo_find_next_domain() likely fails with -ENOENT whenever
> fork_usermode_blob() is used because 449325b52b7a6208 did not take into
> account that TOMOYO security module needs to calculate symlink's pathname,
> is this a correct fix for a bug that file_inode(file)->i_writecount != 0
> and file->f_count < 0 ?
> - if (!file)
> + if (!file) {
> file = do_open_execat(fd, filename, flags);
> - retval = PTR_ERR(file);
> - if (IS_ERR(file))
> - goto out_unmark;
> + retval = PTR_ERR(file);
> + if (IS_ERR(file))
> + goto out_unmark;
> + } else {
> + retval = deny_write_access(file);
> + if (retval)
> + goto out_unmark;
> + get_file(file);
> + }
*UGH*
Something's certainly fishy with the refcounting there.
First of all, bprm->file is a counting reference (observe what
free_bprm() is doing). So as it is, on success __do_execve_file()
consumes the reference passed to it in 'file', ditto for
do_execve_file(). However, it's inconsistent - failure of e.g.
bprm allocation leaves the reference unconsumed. Your change
makes it consistent in that respect, but it means that in normal
case you are getting refcount higher by 1 than the mainline.
Does the mainline have an extra fput() *in* *normal* *case*?
I can easily believe in buggered cleanups on failure, but...
Has that code ever been tested?
It _does_ look like that double-fput() is real, but
I'd like a confirmation before going further - umh is convoluted
enough for something subtle to be hidden there. Alexei, what
the refcounting behaviour was supposed to be? As in "this
function consumes the reference passed to it in this argument",
etc.
next prev parent reply other threads:[~2020-03-12 14:38 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-12 13:43 [PATCH] umh: fix refcount underflow in fork_usermode_blob() Tetsuo Handa
2020-03-12 14:38 ` Al Viro [this message]
2020-03-13 9:46 ` Tetsuo Handa
2020-03-20 10:31 ` Tetsuo Handa
2020-03-27 0:51 ` [PATCH (repost)] " Tetsuo Handa
2020-03-29 0:55 ` Andrew Morton
2020-03-29 4:28 ` Tetsuo Handa
2020-03-29 3:17 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200312143801.GJ23230@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=ast@kernel.org \
--cc=davem@davemloft.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=penguin-kernel@i-love.sakura.ne.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).