Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp851170imm; Tue, 5 Jun 2018 05:35:24 -0700 (PDT) X-Google-Smtp-Source: ADUXVKLLZFDqIJQ6/Z4uE1TJsWF0fW+CSdclKua8xvGNOS5i8UPjh6yKZBWlSrn8RLS33H5+EUi/ X-Received: by 2002:a63:ae43:: with SMTP id e3-v6mr20228755pgp.181.1528202124520; Tue, 05 Jun 2018 05:35:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528202124; cv=none; d=google.com; s=arc-20160816; b=rTUXadFtuIho+WBhxe1DzgyXQUH9Yl/MEgLf1drgVITgLKJXyREP7zAdC21qGq1y7O gPH+WhRHMUw/6APoTJ3FDvsnKkgGnAucQ2B1UjSpfUzWUBUR9Np92Ya4OQ7l1NIdXDR7 qYsm9INs+dfrGnDoh8+rNFjjpz6wlesW4/JJXR3q2FEFFSnexJ/Npj2XVuIu/ITOoPsI H7RFiZ/Siu1/BcPFKJ5a3A/skBvVVa1zLPzCZ8bhgTvSTNjzxm6bKHBFruLY71VscyYJ 8LJmgQgQ0IPBPMXIJR+tZ8EGHO3cualp3z6kWzO9fps1JL5K/faaz8d+vFKz7bf0BHUD byJw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date :arc-authentication-results; bh=Qc6yOckui62MnD7hFDFdcjrXBWPY39wU/ETy7r8wckw=; b=uX9iXaSWjhjtNch/oRE9EfC1Xz6DC79/9q2GuWC6XEiH3Gemtf/U6dTCJw3T2d4zfo RGYhAn0CINC87Qhh6dKs+BUqWud0YScYWp38Xwce055HUS9kCq9l5WBK/PImL/M/IHnX A4USEXr0uQoCO082mQLBQgPmZyIt0HeDcQcOJgVd2EYmkx1bbRenAWlHYPnfxq3btTvx 6qrL6sv2CTbVJvDposUv+Odss3IULdgP6MdikdqyvrMSfht5SRGm1IPtseA8DuAngWf/ 9VecFtQ9zRk6UNfiGhZ3sIaxuITHp2KXqKw3fnSqhdiqk0b3MXC8vhzVmh8Lm/VFd4Q9 QQaw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t20-v6si10839244plr.240.2018.06.05.05.35.10; Tue, 05 Jun 2018 05:35:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752130AbeFEMeM (ORCPT + 99 others); Tue, 5 Jun 2018 08:34:12 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:33758 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751718AbeFEMeK (ORCPT ); Tue, 5 Jun 2018 08:34:10 -0400 Received: from viro by ZenIV.linux.org.uk with local (Exim 4.87 #1 (Red Hat Linux)) id 1fQBA9-0006vI-By; Tue, 05 Jun 2018 12:34:09 +0000 Date: Tue, 5 Jun 2018 13:34:09 +0100 From: Al Viro To: Ilya Matveychikov Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org Subject: Re: [PATCH] ksys_mount: check for permissions before resource allocation Message-ID: <20180605123409.GP30522@ZenIV.linux.org.uk> References: <20180605112641.GN30522@ZenIV.linux.org.uk> <1E519BA2-4198-4255-BAE4-3125C59741A3@gmail.com> <20180605115340.GO30522@ZenIV.linux.org.uk> <0F38EDA5-DEC3-48A1-9375-47949C26DAE8@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <0F38EDA5-DEC3-48A1-9375-47949C26DAE8@gmail.com> User-Agent: Mutt/1.9.1 (2017-09-22) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jun 05, 2018 at 04:07:15PM +0400, Ilya Matveychikov wrote: > > If you depend upon preventing kmalloc'ed temporary allocations filled > > with user-supplied data, you are screwed, plain and simple. It really can't > > be prevented, in a lot of ways that are much less exotic than mount(2). > > Most of syscall arguments are copied in, before we get any permission > > checks. It does happen and it will happen - examining them while they are > > still in userland is a nightmare in a lot of respects, starting with > > security. > > I agree that it’s impossible to completely avoid this kind of allocations > and examining data in user-land will be the bigger problem than copying > arguments to the kernel. But aside of that what’s wrong with the idea of > having the permission check before doing any kind of work? Presenting that as mitigating a vulnerability. It's neither better nor worse in that respect than the original.