From: Kees Cook <keescook@chromium.org>
To: Christian Brauner <christian.brauner@ubuntu.com>
Cc: linux-kernel@vger.kernel.org, Sargun Dhillon <sargun@sargun.me>,
Christian Brauner <christian@brauner.io>,
Tycho Andersen <tycho@tycho.ws>,
David Laight <David.Laight@ACULAB.COM>,
Christoph Hellwig <hch@lst.de>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Aleksa Sarai <cyphar@cyphar.com>,
Matt Denton <mpdenton@google.com>, Jann Horn <jannh@google.com>,
Chris Palmer <palmer@google.com>,
Robert Sesek <rsesek@google.com>,
Giuseppe Scrivano <gscrivan@redhat.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Andy Lutomirski <luto@amacapital.net>,
Will Drewry <wad@chromium.org>, Shuah Khan <shuah@kernel.org>,
netdev@vger.kernel.org, containers@lists.linux-foundation.org,
linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-kselftest@vger.kernel.org
Subject: Re: [PATCH v6 1/7] net/scm: Regularize compat handling of scm_detach_fds()
Date: Wed, 8 Jul 2020 16:46:04 -0700 [thread overview]
Message-ID: <202007081636.5458B0B@keescook> (raw)
In-Reply-To: <20200707114103.lkfbt3kdtturp42z@wittgenstein>
On Tue, Jul 07, 2020 at 01:41:03PM +0200, Christian Brauner wrote:
> On Mon, Jul 06, 2020 at 01:17:14PM -0700, Kees Cook wrote:
> > Duplicate the cleanups from commit 2618d530dd8b ("net/scm: cleanup
> > scm_detach_fds") into the compat code.
> >
> > Move the check added in commit 1f466e1f15cf ("net: cleanly handle kernel
> > vs user buffers for ->msg_control") to before the compat call, even
> > though it should be impossible for an in-kernel call to also be compat.
> >
> > Correct the int "flags" argument to unsigned int to match fd_install()
> > and similar APIs.
> >
> > Regularize any remaining differences, including a whitespace issue,
> > a checkpatch warning, and add the check from commit 6900317f5eff ("net,
> > scm: fix PaX detected msg_controllen overflow in scm_detach_fds") which
> > fixed an overflow unique to 64-bit. To avoid confusion when comparing
> > the compat handler to the native handler, just include the same check
> > in the compat handler.
> >
> > Fixes: 48a87cc26c13 ("net: netprio: fd passed in SCM_RIGHTS datagram not set correctly")
> > Fixes: d84295067fc7 ("net: net_cls: fd passed in SCM_RIGHTS datagram not set correctly")
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
>
> Thanks. Just a comment below.
> Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Thanks!
> > include/net/scm.h | 1 +
> > net/compat.c | 55 +++++++++++++++++++++--------------------------
> > net/core/scm.c | 18 ++++++++--------
> > 3 files changed, 35 insertions(+), 39 deletions(-)
> >
> > diff --git a/include/net/scm.h b/include/net/scm.h
> > index 1ce365f4c256..581a94d6c613 100644
> > --- a/include/net/scm.h
> > +++ b/include/net/scm.h
> > @@ -37,6 +37,7 @@ struct scm_cookie {
> > #endif
> > };
> >
> > +int __scm_install_fd(struct file *file, int __user *ufd, unsigned int o_flags);
> > void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm);
> > void scm_detach_fds_compat(struct msghdr *msg, struct scm_cookie *scm);
> > int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm);
> > diff --git a/net/compat.c b/net/compat.c
> > index 5e3041a2c37d..27d477fdcaa0 100644
> > --- a/net/compat.c
> > +++ b/net/compat.c
> > @@ -281,39 +281,31 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
> > return 0;
> > }
> >
> > -void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
> > +static int scm_max_fds_compat(struct msghdr *msg)
> > {
> > - struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
> > - int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
> > - int fdnum = scm->fp->count;
> > - struct file **fp = scm->fp->fp;
> > - int __user *cmfptr;
> > - int err = 0, i;
> > + if (msg->msg_controllen <= sizeof(struct compat_cmsghdr))
> > + return 0;
> > + return (msg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
> > +}
> >
> > - if (fdnum < fdmax)
> > - fdmax = fdnum;
> > +void scm_detach_fds_compat(struct msghdr *msg, struct scm_cookie *scm)
> > +{
> > + struct compat_cmsghdr __user *cm =
> > + (struct compat_cmsghdr __user *)msg->msg_control;
> > + unsigned int o_flags = (msg->msg_flags & MSG_CMSG_CLOEXEC) ? O_CLOEXEC : 0;
> > + int fdmax = min_t(int, scm_max_fds_compat(msg), scm->fp->count);
>
> Just a note that SCM_RIGHTS fd-sending is limited to 253 (SCM_MAX_FD)
> fds so min_t should never ouput > SCM_MAX_FD here afaict.
>
> > + int __user *cmsg_data = CMSG_USER_DATA(cm);
> > + int err = 0, i;
> >
> > - for (i = 0, cmfptr = (int __user *) CMSG_COMPAT_DATA(cm); i < fdmax; i++, cmfptr++) {
> > - int new_fd;
> > - err = security_file_receive(fp[i]);
> > + for (i = 0; i < fdmax; i++) {
> > + err = __scm_install_fd(scm->fp->fp[i], cmsg_data + i, o_flags);
> > if (err)
> > break;
> > - err = get_unused_fd_flags(MSG_CMSG_CLOEXEC & kmsg->msg_flags
> > - ? O_CLOEXEC : 0);
> > - if (err < 0)
> > - break;
> > - new_fd = err;
> > - err = put_user(new_fd, cmfptr);
> > - if (err) {
> > - put_unused_fd(new_fd);
> > - break;
> > - }
> > - /* Bump the usage count and install the file. */
> > - fd_install(new_fd, get_file(fp[i]));
> > }
> >
> > if (i > 0) {
> > int cmlen = CMSG_COMPAT_LEN(i * sizeof(int));
> > +
> > err = put_user(SOL_SOCKET, &cm->cmsg_level);
> > if (!err)
> > err = put_user(SCM_RIGHTS, &cm->cmsg_type);
> > @@ -321,16 +313,19 @@ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
> > err = put_user(cmlen, &cm->cmsg_len);
> > if (!err) {
> > cmlen = CMSG_COMPAT_SPACE(i * sizeof(int));
> > - kmsg->msg_control += cmlen;
> > - kmsg->msg_controllen -= cmlen;
> > + if (msg->msg_controllen < cmlen)
> > + cmlen = msg->msg_controllen;
> > + msg->msg_control += cmlen;
> > + msg->msg_controllen -= cmlen;
> > }
> > }
> > - if (i < fdnum)
> > - kmsg->msg_flags |= MSG_CTRUNC;
> > +
> > + if (i < scm->fp->count || (scm->fp->count && fdmax <= 0))
>
> I think fdmax can't be < 0 after your changes? scm_max_fds() guarantees
> that fdmax is always >= 0 and min_t() guarantees that fdmax <= scm->fp->count.
> So the check should technically be :)
You left our your suggestion! :) But, I think you mean "== 0" ?
The check actually comes from the refactoring from commit 2618d530dd8b
("net/scm: cleanup scm_detach_fds") which I mostly copy/pasted into
compat. However, fdmax is an int, and scm->fp->count is signed so it's
possible fdmax is < 0 (but I don't think count can actually ever be <
0), but I don't want to refactor all the types just to fix this boundary
condition. :)
--
Kees Cook
next prev parent reply other threads:[~2020-07-08 23:46 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-06 20:17 [PATCH v6 0/7] Add seccomp notifier ioctl that enables adding fds Kees Cook
2020-07-06 20:17 ` [PATCH v6 1/7] net/scm: Regularize compat handling of scm_detach_fds() Kees Cook
2020-07-07 11:41 ` Christian Brauner
2020-07-08 23:46 ` Kees Cook [this message]
2020-07-06 20:17 ` [PATCH v6 2/7] fs: Move __scm_install_fd() to __receive_fd() Kees Cook
2020-07-07 6:49 ` Christoph Hellwig
2020-07-07 11:45 ` Christian Brauner
2020-07-06 20:17 ` [PATCH v6 3/7] fs: Add receive_fd() wrapper for __receive_fd() Kees Cook
2020-07-07 6:49 ` Christoph Hellwig
2020-07-07 11:49 ` Christian Brauner
2020-07-08 23:48 ` Kees Cook
2020-07-06 20:17 ` [PATCH v6 4/7] pidfd: Replace open-coded partial receive_fd() Kees Cook
2020-07-07 12:22 ` Christian Brauner
2020-07-08 23:49 ` Kees Cook
2020-07-09 6:35 ` Kees Cook
2020-07-09 12:54 ` Christian Brauner
2020-07-06 20:17 ` [PATCH v6 5/7] fs: Expand __receive_fd() to accept existing fd Kees Cook
2020-07-07 12:38 ` Christian Brauner
2020-07-08 23:52 ` Kees Cook
2020-07-06 20:17 ` [PATCH v6 6/7] seccomp: Introduce addfd ioctl to seccomp user notifier Kees Cook
2020-07-07 13:30 ` Christian Brauner
2020-07-09 6:12 ` Kees Cook
2020-07-09 13:08 ` Christian Brauner
2020-07-09 6:17 ` [PATCH v6.1 " Kees Cook
2020-07-09 6:22 ` Kees Cook
2020-07-06 20:17 ` [PATCH v6 7/7] selftests/seccomp: Test SECCOMP_IOCTL_NOTIF_ADDFD Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202007081636.5458B0B@keescook \
--to=keescook@chromium.org \
--cc=David.Laight@ACULAB.COM \
--cc=christian.brauner@ubuntu.com \
--cc=christian@brauner.io \
--cc=containers@lists.linux-foundation.org \
--cc=cyphar@cyphar.com \
--cc=davem@davemloft.net \
--cc=gregkh@linuxfoundation.org \
--cc=gscrivan@redhat.com \
--cc=hch@lst.de \
--cc=jannh@google.com \
--cc=kuba@kernel.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mpdenton@google.com \
--cc=netdev@vger.kernel.org \
--cc=palmer@google.com \
--cc=rsesek@google.com \
--cc=sargun@sargun.me \
--cc=shuah@kernel.org \
--cc=tycho@tycho.ws \
--cc=viro@zeniv.linux.org.uk \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).