From: Aleksa Sarai <cyphar@cyphar.com>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: David Howells <dhowells@redhat.com>,
Eric Biederman <ebiederm@xmission.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
stable@vger.kernel.org,
Christian Brauner <christian.brauner@ubuntu.com>,
Serge Hallyn <serge@hallyn.com>,
dev@opencontainers.org, containers@lists.linux-foundation.org,
linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH RFC 0/1] mount: universally disallow mounting over symlinks
Date: Mon, 30 Dec 2019 18:29:59 +1100 [thread overview]
Message-ID: <20191230072959.62kcojxpthhdwmfa@yavin.dot.cyphar.com> (raw)
In-Reply-To: <20191230054913.c5avdjqbygtur2l7@yavin.dot.cyphar.com>
[-- Attachment #1.1: Type: text/plain, Size: 4818 bytes --]
On 2019-12-30, Aleksa Sarai <cyphar@cyphar.com> wrote:
> On 2019-12-30, Al Viro <viro@zeniv.linux.org.uk> wrote:
> > On Mon, Dec 30, 2019 at 04:20:35PM +1100, Aleksa Sarai wrote:
> >
> > > A reasonably detailed explanation of the issues is provided in the patch
> > > itself, but the full traces produced by both the oopses and deadlocks is
> > > included below (it makes little sense to include them in the commit since we
> > > are disabling this feature, not directly fixing the bugs themselves).
> > >
> > > I've posted this as an RFC on whether this feature should be allowed at
> > > all (and if anyone knows of legitimate uses for it), or if we should
> > > work on fixing these other kernel bugs that it exposes.
> >
> > Umm... Are all of those traces
> > a) reproducible on mainline and
>
> This was on viro/for-next, I'll retry it on v5.5-rc4.
The NULL deref oops is reproducible on v5.5-rc4. Strangely it seems
harder to reproduce than on viro/for-next (I kept reproducing it there
by accident), but I'll double-check if that really is the case.
The simplest reproducer is (using the attached programs and .config):
ln -s . link
sudo ./umount_symlink link
There's also a few other whacky behaviours where you get -ELOOP or
-EACCES in cases where you shouldn't -- which results in MNT_DETACH
failing and the mount being impossible to get rid of. A good example is
sudo ./mount_to_symlink /proc/self/exe link
sudo ./umount_symlink link # -EACCES
Or
ln -s . link1
ln -s . link2
sudo ./mount_to_symlink link1 link2
sudo ./umount_symlink link1 # -ELOOP
sudo ./umount_symlink link2 # -ELOOP
But I am trying to find a reproducer for the "umount of a mount
triggering an Oops" issue.
On another note -- I guess this is considered a feature which should
"just work" and not a bug?
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 80000003c6fca067 P4D 80000003c6fca067 PUD 3c6f42067 PMD 0
Oops: 0010 [#1] SMP PTI
CPU: 4 PID: 4486 Comm: umount_symlink Tainted: G E 5.5.0-rc4-cyphar #126
Hardware name: LENOVO 20KHCTO1WW/20KHCTO1WW, BIOS N23ET55W (1.30 ) 08/31/2018
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffffb70b82963cc0 EFLAGS: 00010206
RAX: 0000000000000000 RBX: ffff906d0cc3bb40 RCX: 0000000000000abc
RDX: 0000000000000089 RSI: ffff906d74623cc0 RDI: ffff906d74475df0
RBP: ffff906d74475df0 R08: ffffd70b7fb24c20 R09: ffff906d066a5000
R10: 0000000000000000 R11: 8080807fffffffff R12: ffff906d74623cc0
R13: 0000000000000089 R14: ffffb70b82963dc0 R15: 0000000000000080
FS: 00007fbc2a8f0540(0000) GS:ffff906dcf500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000003c68f8001 CR4: 00000000003606e0
Call Trace:
__lookup_slow+0x94/0x160
lookup_slow+0x36/0x50
path_mountpoint+0x1be/0x360
filename_mountpoint+0xa5/0x150
? __lookup_hash+0xa0/0xa0
ksys_umount+0x78/0x490
__x64_sys_umount+0x12/0x20
do_syscall_64+0x64/0x240
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fbc2a8274e7
Code: 09 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09
00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0
ff ff 73 01 c3 48 8b 0d 69 09 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffd1da9b3f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbc2a8274e7
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000001300310
RBP: 00007ffd1da9b4c0 R08: 0000000000000000 R09: 000000000000000f
R10: 00007fbc2a92f800 R11: 0000000000000202 R12: 0000000000401090
R13: 00007ffd1da9b5a0 R14: 0000000000000000 R15: 0000000000000000
Modules linked in: [snip]
CR2: 0000000000000000
---[ end trace ae473813e34e641d ]---
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffffb70b82963cc0 EFLAGS: 00010206
RAX: 0000000000000000 RBX: ffff906d0cc3bb40 RCX: 0000000000000abc
RDX: 0000000000000089 RSI: ffff906d74623cc0 RDI: ffff906d74475df0
RBP: ffff906d74475df0 R08: ffffd70b7fb24c20 R09: ffff906d066a5000
R10: 0000000000000000 R11: 8080807fffffffff R12: ffff906d74623cc0
R13: 0000000000000089 R14: ffffb70b82963dc0 R15: 0000000000000080
FS: 00007fbc2a8f0540(0000) GS:ffff906dcf500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000003c68f8001 CR4: 00000000003606e0
--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
[-- Attachment #1.2: .config --]
[-- Type: application/x-config, Size: 237462 bytes --]
[-- Attachment #1.3: mount_to_symlink.c --]
[-- Type: text/x-c, Size: 1318 bytes --]
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#define bail(msg) \
do { printf("mount_to_symlink: %s: %m\n", msg); exit(1); } while (0)
int is_symlink(const char *path)
{
struct stat stat = {};
if (lstat(path, &stat) < 0)
bail("lstat(<path>)");
return S_ISLNK(stat.st_mode);
}
int main(int argc, char **argv)
{
struct stat stat = {};
char *src, *dst, *src_fdpath, *dst_fdpath;
int src_fd, dst_fd;
if (argc != 3)
bail("usage: mount_to_symlink <src> <dst>");
src_fdpath = src = argv[1];
dst_fdpath = dst = argv[2];
if (is_symlink(src)) {
// open source fd
src_fd = open(src, O_PATH | O_CLOEXEC | O_NOFOLLOW);
if (src_fd < 0)
bail("open(<src>, O_PATH|O_NOFOLLOW)");
// construct fd path
asprintf(&src_fdpath, "/proc/self/fd/%d", src_fd);
}
if (is_symlink(dst)) {
// open target fd
dst_fd = open(dst, O_PATH | O_CLOEXEC | O_NOFOLLOW);
if (dst_fd < 0)
bail("open(<dst>, O_PATH|O_NOFOLLOW)");
// construct fd path
asprintf(&dst_fdpath, "/proc/self/fd/%d", dst_fd);
}
// try to mount
mount(src_fdpath, dst_fdpath, "", MS_BIND, "");
printf("mount(%s, %s, MS_BIND) = %m (%d)\n", src, dst, -errno);
return 0;
}
[-- Attachment #1.4: umount_symlink.c --]
[-- Type: text/x-c, Size: 795 bytes --]
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#define bail(msg) \
do { printf("mount_to_symlink: %s: %m\n", msg); exit(1); } while (0)
int main(int argc, char **argv)
{
struct stat stat = {};
char *mnt, *mnt_fdpath;
int mnt_fd;
if (argc != 2)
bail("need <mount> argument");
mnt = argv[1];
// open mountpoint fd
mnt_fd = open(mnt, O_PATH | O_CLOEXEC | O_NOFOLLOW);
if (mnt_fd < 0)
bail("open(<dst>, O_PATH|O_NOFOLLOW)");
// get fdpaths
asprintf(&mnt_fdpath, "/proc/self/fd/%d", mnt_fd);
// try to mount
umount2(mnt_fdpath, MNT_DETACH);
printf("umount2(%s, MNT_DETACH) = %m (%d)\n", mnt, -errno);
return 0;
}
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
next prev parent reply other threads:[~2019-12-30 7:30 UTC|newest]
Thread overview: 92+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-30 5:20 [PATCH RFC 0/1] mount: universally disallow mounting over symlinks Aleksa Sarai
2019-12-30 5:20 ` [PATCH RFC 1/1] " Aleksa Sarai
2019-12-30 7:34 ` Linus Torvalds
2019-12-30 8:28 ` Aleksa Sarai
2020-01-08 4:39 ` Andy Lutomirski
2019-12-30 5:44 ` [PATCH RFC 0/1] " Al Viro
2019-12-30 5:49 ` Aleksa Sarai
2019-12-30 7:29 ` Aleksa Sarai [this message]
2019-12-30 7:53 ` Linus Torvalds
2019-12-30 8:32 ` Aleksa Sarai
2020-01-02 8:58 ` David Laight
2020-01-02 9:09 ` Aleksa Sarai
2020-01-01 0:43 ` Al Viro
2020-01-01 0:54 ` Al Viro
2020-01-01 3:08 ` Al Viro
2020-01-01 14:44 ` Aleksa Sarai
2020-01-01 23:40 ` Al Viro
2020-01-02 3:59 ` Aleksa Sarai
2020-01-03 1:49 ` Al Viro
2020-01-04 4:46 ` Ian Kent
2020-01-08 3:13 ` Al Viro
2020-01-08 3:54 ` Linus Torvalds
2020-01-08 21:34 ` Al Viro
2020-01-10 0:08 ` Linus Torvalds
2020-01-10 4:15 ` Al Viro
2020-01-10 5:03 ` Linus Torvalds
2020-01-10 6:20 ` Ian Kent
2020-01-12 21:33 ` Al Viro
2020-01-13 2:59 ` Ian Kent
2020-01-14 0:25 ` Ian Kent
2020-01-14 4:39 ` Al Viro
2020-01-14 5:01 ` Ian Kent
2020-01-14 5:59 ` Ian Kent
2020-01-10 21:07 ` Aleksa Sarai
2020-01-14 4:57 ` Al Viro
2020-01-14 5:12 ` Al Viro
2020-01-14 20:01 ` Aleksa Sarai
2020-01-15 14:25 ` Al Viro
2020-01-15 14:29 ` Aleksa Sarai
2020-01-15 14:34 ` Aleksa Sarai
2020-01-15 14:48 ` Al Viro
2020-01-18 12:07 ` [PATCH v3 0/2] openat2: minor uapi cleanups Aleksa Sarai
2020-01-18 12:07 ` [PATCH v3 1/2] open: introduce openat2(2) syscall Aleksa Sarai
2020-01-18 12:08 ` [PATCH v3 2/2] selftests: add openat2(2) selftests Aleksa Sarai
2020-01-18 15:28 ` [PATCH v3 0/2] openat2: minor uapi cleanups Al Viro
2020-01-18 18:09 ` Al Viro
2020-01-18 23:03 ` Aleksa Sarai
2020-01-19 1:12 ` Al Viro
2020-01-15 13:57 ` [PATCH RFC 0/1] mount: universally disallow mounting over symlinks Aleksa Sarai
2020-01-19 3:14 ` [RFC][PATCHSET][CFT] pathwalk cleanups and fixes Al Viro
2020-01-19 3:17 ` [PATCH 01/17] do_add_mount(): lift lock_mount/unlock_mount into callers Al Viro
2020-01-19 3:17 ` [PATCH 02/17] fix automount/automount race properly Al Viro
2020-01-30 14:34 ` Christian Brauner
2020-01-19 3:17 ` [PATCH 03/17] follow_automount(): get rid of dead^Wstillborn code Al Viro
2020-01-30 14:38 ` Christian Brauner
2020-01-19 3:17 ` [PATCH 04/17] follow_automount() doesn't need the entire nameidata Al Viro
2020-01-30 14:45 ` Christian Brauner
2020-01-30 15:38 ` Al Viro
2020-01-30 15:55 ` Al Viro
2020-01-19 3:17 ` [PATCH 05/17] make build_open_flags() treat O_CREAT | O_EXCL as implying O_NOFOLLOW Al Viro
2020-01-19 3:17 ` [PATCH 06/17] handle_mounts(): start building a sane wrapper for follow_managed() Al Viro
2020-01-19 3:17 ` [PATCH 07/17] atomic_open(): saner calling conventions (return dentry on success) Al Viro
2020-01-19 3:17 ` [PATCH 08/17] lookup_open(): " Al Viro
2020-01-19 3:17 ` [PATCH 09/17] do_last(): collapse the call of path_to_nameidata() Al Viro
2020-01-19 3:17 ` [PATCH 10/17] handle_mounts(): pass dentry in, turn path into a pure out argument Al Viro
2020-01-19 3:17 ` [PATCH 11/17] lookup_fast(): consolidate the RCU success case Al Viro
2020-01-19 3:17 ` [PATCH 12/17] teach handle_mounts() to handle RCU mode Al Viro
2020-01-19 3:17 ` [PATCH 13/17] lookup_fast(): take mount traversal into callers Al Viro
2020-01-19 3:17 ` [PATCH 14/17] new step_into() flag: WALK_NOFOLLOW Al Viro
2020-01-19 3:17 ` [PATCH 15/17] fold handle_mounts() into step_into() Al Viro
2020-01-19 3:17 ` [PATCH 16/17] LOOKUP_MOUNTPOINT: fold path_mountpointat() into path_lookupat() Al Viro
2020-01-19 3:17 ` [PATCH 17/17] expand the only remaining call of path_lookup_conditional() Al Viro
2020-01-19 3:17 ` [PATCH 1/9] merging pick_link() with get_link(), part 1 Al Viro
2020-01-19 3:17 ` [PATCH 2/9] merging pick_link() with get_link(), part 2 Al Viro
2020-01-19 3:17 ` [PATCH 3/9] merging pick_link() with get_link(), part 3 Al Viro
2020-01-19 3:17 ` [PATCH 4/9] merging pick_link() with get_link(), part 4 Al Viro
2020-01-19 3:17 ` [PATCH 5/9] merging pick_link() with get_link(), part 5 Al Viro
2020-01-19 3:17 ` [PATCH 6/9] merging pick_link() with get_link(), part 6 Al Viro
2020-01-19 3:17 ` [PATCH 7/9] finally fold get_link() into pick_link() Al Viro
2020-01-19 3:17 ` [PATCH 8/9] massage __follow_mount_rcu() a bit Al Viro
2020-01-19 3:17 ` [PATCH 9/9] new helper: traverse_mounts() Al Viro
2020-01-30 14:13 ` [PATCH 01/17] do_add_mount(): lift lock_mount/unlock_mount into callers Christian Brauner
2020-01-19 14:33 ` [RFC][PATCHSET][CFT] pathwalk cleanups and fixes Ian Kent
2020-01-10 23:19 ` [PATCH RFC 0/1] mount: universally disallow mounting over symlinks Al Viro
2020-01-13 1:48 ` Ian Kent
2020-01-13 3:54 ` Al Viro
2020-01-13 6:00 ` Ian Kent
2020-01-13 6:03 ` Ian Kent
2020-01-13 13:30 ` Al Viro
2020-01-14 7:25 ` Ian Kent
2020-01-14 12:17 ` Ian Kent
2020-01-04 5:52 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191230072959.62kcojxpthhdwmfa@yavin.dot.cyphar.com \
--to=cyphar@cyphar.com \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux-foundation.org \
--cc=dev@opencontainers.org \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).