Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp5219971ybx; Sun, 10 Nov 2019 09:06:16 -0800 (PST) X-Google-Smtp-Source: APXvYqwwYTESeb52BKWR9uJlbSk8QnTmUWOMQw7DnRAc5g57oml5/NVjOBgB4jaCEckoA4i/26Dk X-Received: by 2002:a17:906:d96e:: with SMTP id rp14mr18410836ejb.14.1573405576538; Sun, 10 Nov 2019 09:06:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1573405576; cv=none; d=google.com; s=arc-20160816; b=fBXoYP2jSuLAtSwtS/Tio8HFs4eck/ioC5bMNBJUYTo4sRjMMExWOwCvrs6HeE1tOI Ffjj2DAzkQKrEgz5BES2D82PZvTH/gT1yIq5KrFL76NXEH0neHUFuK2g7GhnKzFgt47v 1SyydVcraaR8NexhwwwZEdve+TUYJeyv1HUmM2V5NZDQRpI2bvOfSUWAPFU5cVZQu8QR yxnF4GHcPjNv5bCJ6yJHnzBupNq1/LWlnZej+Uh5SIiTZpN6ydo38WXp1paz/FKofXDz W2yYnHVHDxcqiF1BRf8hjvlV6cB3ZGkkIy5AcMgsOC8S3uTWsql1opsOy8Nmy1ugZ5wf IzAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=0PzVIgjOEC95XC9AiiN0pPF2wwQ4AP88JMAOzKY/iqs=; b=pXKWOWgyiK11bb03r6IDE/XxCyHsTe4oNjG21UZYoZsfH8CtaFt3AFGY+c47o4Gwz1 cEtUojMEUzfeG5weCAjfPMQdSkb2S2y2eSY9FLNOH0BvZp2yybvziJhgRdyz/s8ewLH4 snyxvnR7Ow346IAfog3b3Kopi5rB9uHn9aaK/uYvRzdmRtB67u4HlI/STYv6qHuz33Vh 0JV621jxUrGBTziXwD3xZKQqvVHPbszOnvBKMKouhKHsdCDmeO6AuWSrsamVWz9BP6KB kFkHEYkNhlVa7eCS/vasqiRBuQ5uWqjmS96Jg2Jrt65fkOYpdd/twmOJWUMqoG9A2bNr Kx/g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=pNmP89t6; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h17si7701104ejy.239.2019.11.10.09.05.50; Sun, 10 Nov 2019 09:06:16 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=pNmP89t6; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726896AbfKJRDA (ORCPT + 99 others); Sun, 10 Nov 2019 12:03:00 -0500 Received: from mail.kernel.org ([198.145.29.99]:51260 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726651AbfKJRDA (ORCPT ); Sun, 10 Nov 2019 12:03:00 -0500 Received: from mail-wr1-f43.google.com (mail-wr1-f43.google.com [209.85.221.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5CF3021783 for ; Sun, 10 Nov 2019 17:02:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1573405378; bh=pSeXm6yKPXM8KICy539nNqlx3ZoB9BmuMvt3DzyzaJg=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=pNmP89t6/3UltSEaHmzEQcrSsB8eq0QVowXgCBrc3HTK67lAI9Ph5+ymiuklkhBpS OIJi/bNCyvWlF2k1fqGYjLZidYsNDT0jzTKP2sxTKR2nn3TCQQDdfgL8m7BmHo+0XP 53CgO/Rnm+lCwF8CnomAZYLoJJ1K9jEHVwHEJrrI= Received: by mail-wr1-f43.google.com with SMTP id r10so12137281wrx.3 for ; Sun, 10 Nov 2019 09:02:58 -0800 (PST) X-Gm-Message-State: APjAAAXyWY36Q3jhftgf9Q6rleoapQADRlI7Eg+L4YHTgXeb7DfO1meW i9dNYu2s1v1W//MgAjJPHYTfvAkj11Qe0Cnq8bwx1A== X-Received: by 2002:a5d:490b:: with SMTP id x11mr14759004wrq.111.1573405376752; Sun, 10 Nov 2019 09:02:56 -0800 (PST) MIME-Version: 1.0 References: <1572967777-8812-1-git-send-email-rppt@linux.ibm.com> <1572967777-8812-2-git-send-email-rppt@linux.ibm.com> <20191105162424.GH30717@redhat.com> <20191107083902.GB3247@linux.ibm.com> <20191107153801.GF17896@redhat.com> <20191107182259.GK17896@redhat.com> In-Reply-To: <20191107182259.GK17896@redhat.com> From: Andy Lutomirski Date: Sun, 10 Nov 2019 09:02:45 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 1/1] userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK To: Andrea Arcangeli Cc: Daniel Colascione , Mike Rapoport , Andy Lutomirski , linux-kernel , Andrew Morton , Jann Horn , Linus Torvalds , Lokesh Gidra , Nick Kralevich , Nosh Minwalla , Pavel Emelyanov , Tim Murray , Linux API , linux-mm Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Nov 7, 2019 at 10:23 AM Andrea Arcangeli wrote: > > On Thu, Nov 07, 2019 at 08:15:53AM -0800, Daniel Colascione wrote: > > You're already paying for bounds checking. Receiving a message via a > > datagram socket is basically the same thing as what UFFD's read is > > doing anyway. > > Except it's synchronous and there are no dynamic allocations required > in uffd, while af_netlink and af_unix both all deal with queue of > events in skbs dynamically allocated. > > Ultimately if we strip away the skbs for performance reasons, there > wouldn't be much code to share, so if the only benefit would be to > call recvmsg which would still be as insecure as read for the "worse" > case than suid, so I don't see the point. Not sure what you mean. > > And should then eventfd also become a netlink then? I mean uffd was > supposed to work like eventfd except it requires specialized events. No. None of this even means that these objects should be sockets per se. The point is that anyone who calls recvmsg() and passes a control buf *must* handle SCM_RIGHTS because even very old Unixes can materialize file descriptors. The only exception is if the program knows a priori that the fd refers to a socket that can't use SCM_RIGHTS. In other words, failing to handle file descriptors returned by recvmsg() is an application bug. Failing to handle file descriptors returned by read() is not an application bug -- it's a kernel bug. > > If you call it with a non-empty ancillary data buffer, you know to > > react to what you get. You're *opting into* the possibility of getting > > file descriptors. Sure, it's theoretically possible that a program > > calls recvmsg on random FDs it gets from unknown sources, sees > > SCM_RIGHTS unexpectedly, and just the SCM_RIGHTS message and its FD > > payload, but that's an outright bug, while calling read() on stdin is > > no bug. > > I'm not talking about stdin and suid. recvmsg might mitigate the > concern for suid (not certain, depends on the suid, if it's generally > doing what you expect most suid to be doing or not), I was talking > about the SCM_RIGHTS receiving daemon instead, the "worse" more > concerning case than the suid. > > I quote below Andy's relevant email: > > ====== > It's worse if SCM_RIGHTS is involved. > ====== > > Not all software will do this after calling recvmsg: > > if (cmsg->cmsg_type == SCM_RIGHTS) { > /* oops we got attacked and an fd was involountarily installed > because we received another AF_UNIX from a malicious attacker > in control of the other end of the SCM_RIGHTS-receiving > AF_UNIX connection instead of our expected socket family > which doesn't even support SCM_RIGHTS so we would never have > noticed an fd was installed after recvmsg */ > } > You've misunderstood what you're quoting me as saying. I'm saying that the issue is worse if you pass the userfaultfd via SCM_RIGHTS to an unsuspecting program. It is perfectly valid to receive a file descriptor via SCM_RIGHTS and then call read(), at least so long as you are okay with potentially blocking. If you receive a fd to a socket using SCM_RIGHTS and then you fail to check cmsg_type as above, then you have a bug regardless of userfaultfd. --Andy