Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp1680108imm; Sat, 13 Oct 2018 01:23:10 -0700 (PDT) X-Google-Smtp-Source: ACcGV633vYIE5hiIRkAOPheqsP1G58IvU5xoX7BO+YwWZWR9FRnhBw56GQ8kwJ4r7vxfyaBswu3F X-Received: by 2002:a62:d582:: with SMTP id d124-v6mr9379745pfg.31.1539418990172; Sat, 13 Oct 2018 01:23:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539418990; cv=none; d=google.com; s=arc-20160816; b=fWcZacq8WUUOfWfPFbxvHoQwxebDMtWXO1pSL5OLejThM9VB749jZQM1cN/2o3Ir4R 37MTqLDg2TzFO06lHaHPiPKsmFNxlSd2hrFFf65p5e/vW8RVhIOE64S8A57j6AAgAPMT 4eiJLSIPlLhIRUVTcL7pMYlZUMkYv2uWu1OSLruL6EpBw41lZUazgNWZt2pCqqymGpbw IIjcy1h+gcvTS6NLKSfBPPc7Bhu41eNNEWBDVImNBW4fZcE/s4HLo8y/waqNlvsuJabd yMvcAKxNDP35MJSTJN45AqsiHRcWyxcTIVIxeW2G5q8gLEQkHUpsbD6qLKDew0Aqzxks AqfA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=CplOhJ61Q8PDGuuYzoI+YxJblyQRORGBvEfqknQxnhk=; b=Lx7sRzkS308eREtBnM3J8ZFD1vGoRaMzfXkrksji7rCnHAfR//S6G0CRtTC0QYccSy bEMZQpZ7cI2VtMnZeAY23dRN8UTfcLFoMyml6ets9/je0NC3iqZnB9+67dlIHjcX5o6G h9XfwcEfa5pGp0dzX63F51QOj9VM5Em8U5iZ5UUaRMp4It9giNCAQqQ9nY7u9t247ydO sEIYGi9Wu9MdAkx1rFfZe6O3M3MCK/SkEWpZrnKgX/Ph6CNtK1xu/FYraxy16C3e/HAs tOLba3U1VHz4myoYFfNIGwUoq5vNndhN9ph90xrbgDx3RGBMkSOAZXbiUud/HcOSryfc xQQw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e62-v6si4109413pfe.31.2018.10.13.01.22.55; Sat, 13 Oct 2018 01:23:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726831AbeJMP6n (ORCPT + 99 others); Sat, 13 Oct 2018 11:58:43 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:48402 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726707AbeJMP6n (ORCPT ); Sat, 13 Oct 2018 11:58:43 -0400 Received: from viro by ZenIV.linux.org.uk with local (Exim 4.90_1 #2 (Red Hat Linux)) id 1gBFBa-0005qw-GX; Sat, 13 Oct 2018 08:22:10 +0000 Date: Sat, 13 Oct 2018 09:22:10 +0100 From: Al Viro To: Aleksa Sarai Cc: Jann Horn , cyphar@cyphar.com, "Eric W. Biederman" , jlayton@kernel.org, Bruce Fields , Arnd Bergmann , Andy Lutomirski , David Howells , christian@brauner.io, Tycho Andersen , David Drysdale , dev@opencontainers.org, containers@lists.linux-foundation.org, linux-fsdevel@vger.kernel.org, kernel list , linux-arch , Linux API Subject: Re: [PATCH v3 3/3] namei: aggressively check for nd->root escape on ".." resolution Message-ID: <20181013082210.GU32577@ZenIV.linux.org.uk> References: <20181009070230.12884-1-cyphar@cyphar.com> <20181009070230.12884-4-cyphar@cyphar.com> <20181009153728.2altaqxclntvyc7b@mikami> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20181009153728.2altaqxclntvyc7b@mikami> User-Agent: Mutt/1.9.1 (2017-09-22) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Oct 10, 2018 at 02:37:28AM +1100, Aleksa Sarai wrote: > > > +static inline int nd_alloc_dpathbuf(struct nameidata *nd) > > > +{ > > > + if (unlikely(!nd->dpathbuf)) { > > > + if (nd->flags & LOOKUP_RCU) { > > > + nd->dpathbuf = kmalloc(PATH_MAX, GFP_ATOMIC); > > > + if (unlikely(!nd->dpathbuf)) > > > + return -ECHILD; > > > + } else { > > > + nd->dpathbuf = kmalloc(PATH_MAX, GFP_KERNEL); > > > + if (unlikely(!nd->dpathbuf)) > > > + return -ENOMEM; > > > + } > > > + } > > > + return 0; > > > +} > > > > Note that a fixed-size path buffer means that if the path is very > > long, e.g. because you followed long symlinks on the way down, this > > can cause lookup failures. > > This is already an issue with __d_path (even if the buffer was larger) > because it will not output a path longer than PATH_MAX. I imagine this > is a pretty strong argument for why we should refactor __d_path so that > we can *just* use the escape checking to avoid -ENAMETOOLONG. Let me get it straight - the whole point of that buffer is to check if __d_path() returns NULL? So you allocate it so that you would have place to copy the path components into... only to have them completely ignored? How is that different from path_is_under()?