Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp3156366ybl; Sun, 26 Jan 2020 21:07:36 -0800 (PST) X-Google-Smtp-Source: APXvYqwSrcibOJDROmuDpmr8SNYeNUhH//ksrOCe/YxWg22iY1zBYyGggfz0mHuALkrz4bMq5tsK X-Received: by 2002:a9d:6510:: with SMTP id i16mr10719852otl.142.1580101656492; Sun, 26 Jan 2020 21:07:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1580101656; cv=none; d=google.com; s=arc-20160816; b=R2TDUYs81hxn3JvZtG5VXeaCyOcGt5Z8s72UoXHLPaSydBeOGsRMI6FRJcnPC3Uwii dcBoThPm4gCPgM/vSHVlcCY8MkYw+wg8oXQOEMC6qSSTQ1YFBwFV8zbBhB6tKqpnJMA0 NNolhJtetBHW6NWCMoTfHr5gu/Lmeua+g2JOEeUQ9m2cQ69SjtXP23M+o9yjuBu7N6Y8 l8UM3xj3T2Ik+O1zTb5DeUaSwDi97b9cBIVzSY+VtC9UrHm5KNKv3VjvSue6StWv0Iee c5ENmZ2sP6cjZ3cAwb3IL9lnSFy0zu+qZReaojhWHELln+SHe2EfYGtxjw69l9LUzRJk aofQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=8T3JDpxBE2PuzGuLciOyK1XdDOMf7MGFDmAy+zMLvQY=; b=mVpb51+0yK6d7lP3fOArJjf3hPENxv4eX5zlEdVFfCBDgWGz5y7wa+0VHKUHB6XVd3 LJu4FvlPUwimau7mcgXHXmFiuv/q7xrBrhKRyVmudwIdsrFwYUyfQ0wXijmqBPkQbg8z 6JsKZNk552hbY7vbSMEwOfMMfJSLwAgQyVb7rrerSN2vojWec4eBRaTo1+aMIfD4psqa QRkNbrosqSB8RFmSA3qL2HHpCVkX+yQVW4NglmmtI2qp3kwhZ/WzLMQuCazwHeuUbYRL cabJTRGo/JVD3iTf79jg0gWWeoGUtR0UCbWw/KG7q3B2D0Q24tGXZ4y7viwIqwpWOVLT Rbeg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b=pF+vNJbJ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t4si6454886otc.160.2020.01.26.21.07.24; Sun, 26 Jan 2020 21:07:36 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b=pF+vNJbJ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726911AbgA0FGb (ORCPT + 99 others); Mon, 27 Jan 2020 00:06:31 -0500 Received: from mail-il1-f194.google.com ([209.85.166.194]:42570 "EHLO mail-il1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725775AbgA0FGa (ORCPT ); Mon, 27 Jan 2020 00:06:30 -0500 Received: by mail-il1-f194.google.com with SMTP id x2so2738376ila.9 for ; Sun, 26 Jan 2020 21:06:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sargun.me; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=8T3JDpxBE2PuzGuLciOyK1XdDOMf7MGFDmAy+zMLvQY=; b=pF+vNJbJ0EtML4m5uQzN+qes0p+UYwzmj9aI3bkvvBs0Rl8aydvz1JMnKMNFu/Mbsj 9RZat21omjBpJ6qMIf1jl3jH9nHWXOuTr3xJkuRA8o/uhTrORJwfmcGh8bSVlANt0rWY tzkSr0LG2JOa4DcN5Hc2cdCoPgpPqBeO/CVsc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=8T3JDpxBE2PuzGuLciOyK1XdDOMf7MGFDmAy+zMLvQY=; b=HHoeOEy64InOWjE6sekJZcYi6QPxKIE6mTUWxwTcvxsdVTOpl7fmqwM6+yb/dmv2PF zDEs05B67joTVIKJ/H7KW8lY+UkTKuB1Y2PmP8w99bEEbsf3fdTalsiQ8NtiuP5evhbb GA7XiKbotIOBTssT7zV2DwUDM5Caw2Cdbv02btVtIojrNp63QHfsGfQCWvoDtfQBVeYo 2JJhmZ0matljrCCG6QiQOBwKsDsb3OrUtRuZZfKOJtyewqENMO0xyPSft+PyxUnCOTZg fChc9WjWyPQrUHPeDLJ1s8Q3+Iffw9VU574krNvVnI+GqmhOGCMc3IEhEzVohkzfbVsE dnyw== X-Gm-Message-State: APjAAAXdEtwgkOxFETkTPQf7Z5MZ1huE+DL/yUcxRmWjAQnXIvlM4PMB 4xR4OyozJjdmlzv8xTIL92IKKw== X-Received: by 2002:a92:d3cc:: with SMTP id c12mr13807584ilh.266.1580101590015; Sun, 26 Jan 2020 21:06:30 -0800 (PST) Received: from ircssh-2.c.rugged-nimbus-611.internal (80.60.198.104.bc.googleusercontent.com. [104.198.60.80]) by smtp.gmail.com with ESMTPSA id b12sm3185583ion.83.2020.01.26.21.06.29 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Sun, 26 Jan 2020 21:06:29 -0800 (PST) Date: Mon, 27 Jan 2020 05:06:28 +0000 From: Sargun Dhillon To: Aleksa Sarai Cc: Aleksa Sarai , linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, containers@lists.linux-foundation.org, linux-kernel@vger.kernel.org, christian.brauner@ubuntu.com Subject: Re: [PATCH 3/4] seccomp: Add SECCOMP_USER_NOTIF_FLAG_PIDFD to get pidfd on listener trap Message-ID: <20200127050627.GA21575@ircssh-2.c.rugged-nimbus-611.internal> References: <20200124091743.3357-1-sargun@sargun.me> <20200124091743.3357-4-sargun@sargun.me> <20200126040325.5eimmm7hli5qcqrr@yavin.dot.cyphar.com> <20200126041439.liwfmb4h74zmhi76@yavin.dot.cyphar.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200126041439.liwfmb4h74zmhi76@yavin.dot.cyphar.com> User-Agent: Mutt/1.9.4 (2018-02-28) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Jan 26, 2020 at 03:14:39PM +1100, Aleksa Sarai wrote: > On 2020-01-26, Aleksa Sarai wrote: > > On 2020-01-24, Sargun Dhillon wrote: > > > static long seccomp_notify_recv(struct seccomp_filter *filter, > > > void __user *buf) > > > { > > > struct seccomp_knotif *knotif = NULL, *cur; > > > struct seccomp_notif unotif; > > > + struct task_struct *group_leader; > > > + bool send_pidfd; > > > ssize_t ret; > > > > > > + if (copy_from_user(&unotif, buf, sizeof(unotif))) > > > + return -EFAULT; > > > /* Verify that we're not given garbage to keep struct extensible. */ > > > - ret = check_zeroed_user(buf, sizeof(unotif)); > > > - if (ret < 0) > > > - return ret; > > > - if (!ret) > > > + if (unotif.id || > > > + unotif.pid || > > > + memchr_inv(&unotif.data, 0, sizeof(unotif.data)) || > > > + unotif.pidfd) > > > + return -EINVAL; > > > > IMHO this check is more confusing than the original check_zeroed_user(). > > Something like the following is simpler and less prone to forgetting to > > add a new field in the future: > > I'm all for this, originally my patch read: __u32 flags = 0; swap(unotif.flags, flags); if (memchr(&unotif, 0, sizeof(unotif)) return -EINVAL; --- And then check flags appropriately. I'm not sure if this is "better", as I didn't see any other implementations that look like this in the kernel. What do you think? It could even look "simpler", as in: __u32 flags; if (copy_from_user(....)) return -EFAULT; flags = unotif.flags; unotif.flags = 0; if (memchr_inv(&unotif, 0, sizeof(unotif))) return -EINVAL; Are either of those preferential, reasonable, or at a minimum inoffensive? > > if (memchr_inv(&unotif, 0, sizeof(unotif))) > > return -EINVAL; > Wouldn't this fail if flags was set to any value? We either need to zero out flags prior to checking, or split it into range checks that exclude flags. > Also the check in the patch doesn't ensure that any unnamed padding is > zeroed -- memchr_inv(&unotif, 0, sizeof(unotif)) does. > > -- > Aleksa Sarai > Senior Software Engineer (Containers) > SUSE Linux GmbH >