From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.7 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id AB790C433DF for ; Sat, 30 May 2020 13:58:44 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8E9D6206A1 for ; Sat, 30 May 2020 13:58:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729021AbgE3N6g (ORCPT ); Sat, 30 May 2020 09:58:36 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:48282 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728769AbgE3N6f (ORCPT ); Sat, 30 May 2020 09:58:35 -0400 Received: from ip5f5af183.dynamic.kabel-deutschland.de ([95.90.241.131] helo=wittgenstein) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1jf20K-0008Tw-Cb; Sat, 30 May 2020 13:58:28 +0000 Date: Sat, 30 May 2020 15:58:27 +0200 From: Christian Brauner To: Jann Horn Cc: Kees Cook , Sargun Dhillon , Linux Containers , Aleksa Sarai , Jeffrey Vander Stoep , Linux API , kernel list , Chris Palmer , Robert Sesek , Tycho Andersen , Matt Denton , Al Viro Subject: Re: [PATCH v2 2/3] seccomp: Introduce addfd ioctl to seccomp user notifier Message-ID: <20200530135827.cxltfmiqara4yaki@wittgenstein> References: <20200528110858.3265-1-sargun@sargun.me> <20200528110858.3265-3-sargun@sargun.me> <202005282345.573B917@keescook> <20200530011054.GA14852@ircssh-2.c.rugged-nimbus-611.internal> <202005291926.E9004B4@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, May 30, 2020 at 05:17:24AM +0200, Jann Horn wrote: > On Sat, May 30, 2020 at 4:43 AM Kees Cook wrote: > > I mean, yes, that's certainly better, but it just seems a shame that > > everyone has to do the get_unused/put_unused dance just because of how > > SCM_RIGHTS does this weird put_user() in the middle. > > > > Can anyone clarify the expected failure mode from SCM_RIGHTS? Can we > > move the put_user() after instead? > > Honestly, I think trying to remove file descriptors and such after > -EFAULT is a waste of time. If userspace runs into -EFAULT, userspace Agreed, we've never bothered with trying to recover from EFAULT. Just look at kernel/fork.c:_do_fork(): if (clone_flags & CLONE_PARENT_SETTID) put_user(nr, args->parent_tid); we don't even bother even though we technically could. > is beyond saving and can't really do much other than exit immediately. > There are a bunch of places that will change state and then throw > -EFAULT at the end if userspace supplied an invalid address, because > trying to hold locks across userspace accesses just in case userspace > supplied a bogus address is kinda silly (and often borderline > impossible). > > You can actually see that even scm_detach_fds() currently just > silently swallows errors if writing some header fields fails at the > end. There's really no point in trying to save a broken scm message imho.