Received: by 10.223.185.116 with SMTP id b49csp5228322wrg; Wed, 7 Mar 2018 08:19:26 -0800 (PST) X-Google-Smtp-Source: AG47ELvF7h28rOt7Ve2ZsF2Mv8bPhxwxBcjbNiDByTUd4zB4R1VDqQpCEepymJK8HMe8JmpjOoU4 X-Received: by 2002:a17:902:9686:: with SMTP id n6-v6mr13030770plp.331.1520439565915; Wed, 07 Mar 2018 08:19:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520439565; cv=none; d=google.com; s=arc-20160816; b=FeRzuY8c1b3/ZiV6HgLNhS3pVmS6fNkXob0Wfb8Ela/Pa19gE9WXhMSgxURmvbo6JN 26V6IQ6X9+v1Rn/m0GfUofsJO1zxkmXj/xNn8K5U2uElqZZEF9qrHvYEDSNXT0rAC9oy A1LBsb8fRv9hAYy8sXT7+yAXq1gKN0uiE2Yxkwaoo2mey8CbX4fgo5reEaVBWi5DESuu OEcO4Mo8wRIJA+UtGR7iYed924XWCmY6RJiGnhia6qfHCmez5/ECpdO/pRo9epw/k17U 7nyEYE7C9DvlXfF2H7X1UpR2Dq0UcM1NWSEWbT3P4RnwzSf3I/rBquTCKsXGB04Ud6m0 LL9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:content-transfer-encoding :content-disposition:mime-version:message-id:subject:to:date:from :arc-authentication-results; bh=BUyJbks+aT3DxmwWCG0mv5ElfX221VOVLSgsVjCxW8E=; b=rRDu03svg/ioapGH2HK5WF8VMj3C22icCmXVflUpBWxIbbsGArM128cFI0K4u5Nxq1 WEdpaq7Xdnl/DBnDYE7qZGECtq+FnUuNIk+biq5QiXZ9+xHPfT2Rt6pSz0CCP8a/g9lZ DvCSnZAVXjFMeyIuidrLqtLz7upfmBvpYtU8zrfCjuBEaNlzIiL8yTTGXdCpK7zvZaJH kuuHdc5lT0wNTjDg6nRtaq1DMLtTgnhll1IjAc60rEhQSWSYX6PBdZj9FcJBsjD4e25X mlow18ThKlbi0DmvIwAxY4LUuAypSdiwPCYE0L55MvMNXWQ/Rh7d8P8jZNFqdHI7x1TA Hn5Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k74si14130854pfb.216.2018.03.07.08.19.10; Wed, 07 Mar 2018 08:19:25 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933944AbeCGQRu (ORCPT + 99 others); Wed, 7 Mar 2018 11:17:50 -0500 Received: from youngberry.canonical.com ([91.189.89.112]:59643 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933502AbeCGQRt (ORCPT ); Wed, 7 Mar 2018 11:17:49 -0500 Received: from mail-wm0-f70.google.com ([74.125.82.70]) by youngberry.canonical.com with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1etblE-0000mX-3e for linux-kernel@vger.kernel.org; Wed, 07 Mar 2018 16:17:48 +0000 Received: by mail-wm0-f70.google.com with SMTP id u68so1304666wmd.5 for ; Wed, 07 Mar 2018 08:17:48 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:date:to:subject:message-id:mime-version :content-disposition:content-transfer-encoding:user-agent; bh=BUyJbks+aT3DxmwWCG0mv5ElfX221VOVLSgsVjCxW8E=; b=IxkSacw+8EDsw7KfRPG5pvI2DfIe7TZT1JO8w6IdXcIaS+aswb3EQkZc8XjJ4cDMTf 8xi6LJg4I42qRexEZz9gkficJYGYzc0x/Bhc1kW0jJ8u5GnL3iZdtESsIW6xPyWKEwdX 7lNkHvWho/hC/EgRLYMyLhYk6hgnWcz4yEw08E1+dY2kqyxkugt3F791AZFfm5rsd9Cz Y2oM1ORWR+CyvGM5jaIiSh3s15ZArPnqvZog9f50NhCJD/2AxeUaR1G9u95eLFuwNBPd Mbm1CuXZNBcJ84yCS7s2weIS2/2nvi2EJXmB3wHJsyLLBPHwTvsHgaXb1lrXSnai3RIA hzlA== X-Gm-Message-State: APf1xPBj6AqjHtVuWaBoU1rKFLgk5DFOfJtb5APUO7LJBse/OFw/Uu9T fG7pAcaOKB3Yd3w8p9dS1kVeWQnGumIJgqsLM2ZGxhs6gYeVMynLvHO8S5+pQ7x8wjyCmyrY87t wH8M+hZLZp8EGeAGk9GCWtePING7/xLClJW7R0+/I/g== X-Received: by 10.223.142.5 with SMTP id n5mr21093077wrb.28.1520439467522; Wed, 07 Mar 2018 08:17:47 -0800 (PST) X-Received: by 10.223.142.5 with SMTP id n5mr21093062wrb.28.1520439467287; Wed, 07 Mar 2018 08:17:47 -0800 (PST) Received: from gmail.com ([37.220.133.201]) by smtp.gmail.com with ESMTPSA id g78sm16201601wmc.31.2018.03.07.08.17.46 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 07 Mar 2018 08:17:46 -0800 (PST) From: Christian Brauner X-Google-Original-From: Christian Brauner Date: Wed, 7 Mar 2018 17:17:45 +0100 To: linux-kernel@vger.kernel.org, ebiederm@xmission.com, torvalds@linux-foundation.org Subject: Invalid /proc//fd/{0,1,2} symlinks with TIOCGPTPEER Message-ID: <20180307161744.GA17562@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.9.3 (2018-01-21) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hey, We discovered a potential bug in the devpts implementation via TIOCGPTPEER ioctl()s today. We've tackled a similar problem already in: commit 311fc65c9fb9c966bca8e6f3ff8132ce57344ab9 Author: Eric W. Biederman Date: Thu Aug 24 15:13:29 2017 -0500 pty: Repair TIOCGPTPEER Most libcs will *still* look at /dev/ptmx when opening the master fd of pty device. Usually, /dev/ptmx will nowadays be either a symlink to /dev/pts/ptmx or it will be a second device node with permissions 666 whereas /dev/pts/ptmx will usually have permissions 000. Afaik, we've also always supported making /dev/ptmx a bind-mount to /dev/pts/ptmx or at least I haven't observed any issues with this so far and it's something fairly common in containers. So in short, it should be legal to do: mount --bind /dev/pts/ptmx /dev/ptmx chmod 666 /dev/ptmx However, for any libc implementation or program that uses TIOCGPTPEER the /proc//fd/{0,1,2} symlinks are broken (currently affects at least glibc 2.27) with bind-mounts of /dev/pts/ptmx to /dev/ptmx. A quick reproducer is: unshare --mount mount --bind /dev/pts/ptmx /dev/ptmx chmod 666 /dev/ptmx script ls -al /proc/self/fd/0 Let's assume the slave device index I received was 5 then I would expect to see: ls -al /proc/self/fd/0 lrwx------ 1 chb chb 64 Mar 7 16:41 /proc/self/fd/0 -> /dev/pts/5 But what I actually see is: ls -al /proc/self/fd/0 lrwx------ 1 chb chb 64 Mar 7 16:41 /proc/self/fd/0 -> / I think the explanation for this is fairly straightforward. When userspace does: master = open("/dev/ptmx", O_RDWR | O_NOCTTY); slave = ioctl(master, TIOCGPTPEER, O_RDWR | O_NOCTTY); and /dev/ptmx is a bind-mount of /dev/pts/ptmx looking up the root mount of the dentry for the slave it appears to the kernel as if the dentry is escaping it's bind-mount: ├─/dev udev devtmpfs rw,nosuid,relatime,size=4001260k,nr_inodes=1000315,mode=755 │ ├─/dev/pts devpts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 │ └─/dev/ptmx devpts[/ptmx] devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 since the root mount of the dentry is /dev/pts but the root mount of /dev/ptmx is /dev if I'm correct so similar to what Linus pointed out in a previous discussion (see [1]) before. So we still record the "wrong" vfsmount when /dev/ptmx is a bind-mount and then hit the problem when we call devpts_mntget() in drivers/tty/pty.c. So I thought about this and - in case my analysis is correct - the solution didn't seem obvious to me as a bind-mount has no concept of what it's "parent" is (Which in this case should be the devpts mount at /dev/pts.). Christian [1]: https://lkml.org/lkml/2017/8/23/826