linuxppc-dev.lists.ozlabs.org archive mirror
From: Al Viro <viro@zeniv.linux.org.uk>
To: Aleksa Sarai <cyphar@cyphar.com>
Cc: Song Liu <songliubraving@fb.com>,
	linux-ia64@vger.kernel.org, linux-doc@vger.kernel.org,
	Peter Zijlstra <peterz@infradead.org>,
	Rasmus Villemoes <linux@rasmusvillemoes.dk>,
	Alexei Starovoitov <ast@kernel.org>,
	linux-kernel@vger.kernel.org, David Howells <dhowells@redhat.com>,
	linux-kselftest@vger.kernel.org, sparclinux@vger.kernel.org,
	containers@lists.linux-foundation.org,
	Christian Brauner <christian.brauner@ubuntu.com>,
	linux-api@vger.kernel.org, Shuah Khan <shuah@kernel.org>,
	linux-arch@vger.kernel.org, linux-s390@vger.kernel.org,
	Tycho Andersen <tycho@tycho.ws>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Jonathan Corbet <corbet@lwn.net>, Jiri Olsa <jolsa@redhat.com>,
	linux-sh@vger.kernel.org,
	Alexander Shishkin <alexander.shishkin@linux.intel.com>,
	Ingo Molnar <mingo@redhat.com>,
	linux-arm-kernel@lists.infradead.org, Yonghong Song <yhs@fb.com>,
	linux-mips@vger.kernel.org, Andrii Nakryiko <andriin@fb.com>,
	bpf@vger.kernel.org, linux-xtensa@linux-xtensa.org,
	Kees Cook <keescook@chromium.org>, Arnd Bergmann <arnd@arndb.de>,
	Jann Horn <jannh@google.com>,
	linuxppc-dev@lists.ozlabs.org, dev@opencontainers.org,
	linux-m68k@lists.linux-m68k.org,
	Andy Lutomirski <luto@kernel.org>,
	Shuah Khan <skhan@linuxfoundation.org>,
	Namhyung Kim <namhyung@kernel.org>,
	David Drysdale <drysdale@google.com>,
	Christian Brauner <christian@brauner.io>,
	"J. Bruce Fields" <bfields@fieldses.org>,
	libc-alpha@sourceware.org, Aleksa Sarai <asarai@suse.de>,
	linux-parisc@vger.kernel.org, netdev@vger.kernel.org,
	Chanho Min <chanho.min@lge.com>, Jeff Layton <jlayton@kernel.org>,
	Oleg Nesterov <oleg@redhat.com>,
	Eric Biederman <ebiederm@xmission.com>,
	linux-alpha@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Martin KaFai Lau <kafai@fb.com>
Subject: Re: [PATCH v17 08/13] namei: LOOKUP_BENEATH: O_BENEATH-like scoped resolution
Date: Mon, 25 Nov 2019 00:26:04 +0000
Message-ID: <20191125002604.GE4203@ZenIV.linux.org.uk>
In-Reply-To: <20191117011713.13032-9-cyphar@cyphar.com>

On Sun, Nov 17, 2019 at 12:17:08PM +1100, Aleksa Sarai wrote:

> +	if (unlikely(nd->flags & LOOKUP_IS_SCOPED)) {
> +		/*
> +		 * Do a final check to ensure that the path didn't escape. Note
> +		 * that this should already be guaranteed by all of the other
> +		 * LOOKUP_IS_SCOPED checks (and delaying this check this late
> +		 * does open the door to some possible timing-based attacks).
> +		 */
> +		if (WARN_ON(!path_is_under(&nd->path, &nd->root)))
> +			return -EXDEV;
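
Review bot: the WARN_ON() wrapped around the final !path_is_under(&nd->path, &nd->root) test treats as a kernel bug a condition that the comment above it already describes as open to "timing-based attacks". If the outcome can depend on timing, an unprivileged caller can reach the warning, which floods the log and, on systems with panic_on_warn set, takes the machine down. Suggest returning -EXDEV without the WARN_ON, and rewording the comment to state what the check actually establishes: that the result was under nd->root at the moment it was tested, not that it remains there.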

I don't like that.  What it gives is an ability to race that with
rename(), with user-triggered WARN_ON.  You *can't* promise that result of
lookup is in a subtree, simply because it can get moved just as you've
declared it to be in the clear.

	Anyone who relies upon that is delusional; it really can't be done.
What warranties is LOOKUP_IS_SCOPED really supposed to provide?  That we do not
attempt to walk out of the subtree rooted at the start point?  Fine, but this
is not what this test does.  What are you trying to achieve there?  If it's
"what we'd got was at one point in our subtree", the test is more or less
right, but WARN_ON isn't.
