Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp314315ybg; Wed, 10 Jun 2020 01:17:25 -0700 (PDT) X-Google-Smtp-Source: ABdhPJydWMflW+/k834G0pvUndD1c9YEtpILGzvAd4lSf5KwqldUqj6OBpj+kqdmlh4f7yGtdbia X-Received: by 2002:aa7:c3d7:: with SMTP id l23mr1452247edr.264.1591777044870; Wed, 10 Jun 2020 01:17:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591777044; cv=none; d=google.com; s=arc-20160816; b=k6dZn8A3lvIqYRYletBwzWqSMiv9vDSwhYud+IJytk+4S6fE/y0fa1qmKJo1D8Sz03 9v98CNNqShS7IptP1P0OOC0SU1IdB9QDZ3yIM/8ZuzBstY5x0lt/3a0cEhfiGZCraAIO 4il93IXmCkcHoSI6R1S2YGdrYR/7cPyonUjSCe/iTfvnwhlo9GKrBaKKit9YzbMIF3om /Mkkn5YGlO6BMj1Q136SBH3fASN28USuI/gti8T5RBYX292K/M1JZpxs8sNCKIQ4PlGH egk3jcwmD7mwvjyU0uqkFSv7mKNjFrJ6fX3ruokvqBKpx5DQ2Zun+4ny3sTtMszTDnpJ mh/w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=RQkLDm2OyY/FS3M4wUNUpYL3uyFZaGvTTxUYnj5+5u0=; b=rGDIaVB/ajgBy3H2Q8LZVcD589duxGhLhCJPlOHVVLTz7z5SVBucWNNX3E+X943g8E RxXTDuiuxgRXijPKzqc9TGxeMXzyO2s9NnP4s8Cbqv+LTzgKh42M4PBpqsY6DyE1brT2 pqUFBJexFcqxpDZ6d8c5nSjwYp44Fn4NuISuwguhYNYlfTwubPJelbemEMYn0PMmuzBC U4jkW4a1b21xr/hMYB7qHuRfPDCaZ8ZPJFrEXeolXpKEVuVrlh+0zat8xGM2X0Q9Zq43 Nx2PnAbdfU5DI5Pvhmi8371Lu4eLEoDJppoCf+CuQv3YMEnaQLHJGTAdZCO5w8xSslFg pKIg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b=nI03ANMd; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id jp23si11633300ejb.749.2020.06.10.01.17.01; Wed, 10 Jun 2020 01:17:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b=nI03ANMd; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726603AbgFJIMo (ORCPT + 99 others); Wed, 10 Jun 2020 04:12:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33450 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726506AbgFJIMn (ORCPT ); Wed, 10 Jun 2020 04:12:43 -0400 Received: from mail-il1-x142.google.com (mail-il1-x142.google.com [IPv6:2607:f8b0:4864:20::142]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 670F7C08C5C1 for ; Wed, 10 Jun 2020 01:12:43 -0700 (PDT) Received: by mail-il1-x142.google.com with SMTP id x18so1072624ilp.1 for ; Wed, 10 Jun 2020 01:12:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sargun.me; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=RQkLDm2OyY/FS3M4wUNUpYL3uyFZaGvTTxUYnj5+5u0=; b=nI03ANMd7aBQf/IJrmaOWgFbNKk87eTPdr17BZT0Q368D+WxFJkHvpDctCS/hVgbyT kVsyxxlLofq2LzBHJQHeL5sgW4BdwA/8TjesGJxuPUVxCVXjgL0xnTX8DntCK/Y5ZijX psuGxMlO5RjaN5LuNj5pokTZLwnbyC0KnIpO8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=RQkLDm2OyY/FS3M4wUNUpYL3uyFZaGvTTxUYnj5+5u0=; b=MHCLfPmzkag2z42o+g71rT7pHfaYb95Bxp4HerXzC/jGxh3EEex3mlFic4aRSzaYK1 Kf01RiZpwfBp3+6ZNcGBSdg5h5PpfLwcxrmBWUe0NxPmKX1VQywYP8Wh96aeINwM+QXX I9b4wgDWs3LM+QRTJwTMgdWvq0mdNsOXgetwOpc3PDoaqtM5i/bSk8J3Xgazw4rwpnmq Fdy96+NiV99IJHyFW+zFP8TM/3wGtkEQcYE3SjAAZnySt0sUC7PiR7L+eLnp25Pt5EhY +sZ0lqcByEBUKbjyLfoXq/ozY/7u6QYflvHlz9PDmuIBk77kK8MrivyAk7/nYFxpM/P1 2PRg== X-Gm-Message-State: AOAM530g14BnVfGVfKpPmKX7WoRMYcgrZMK6sEDdiE6+4RDGHskLKhM0 Vm4zYd6tOLDIIlE2u8xgLJAcMQ== X-Received: by 2002:a92:914a:: with SMTP id t71mr1931962ild.200.1591776761027; Wed, 10 Jun 2020 01:12:41 -0700 (PDT) Received: from ircssh-2.c.rugged-nimbus-611.internal (80.60.198.104.bc.googleusercontent.com. [104.198.60.80]) by smtp.gmail.com with ESMTPSA id q15sm8491624ioh.45.2020.06.10.01.12.40 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Wed, 10 Jun 2020 01:12:40 -0700 (PDT) Date: Wed, 10 Jun 2020 08:12:38 +0000 From: Sargun Dhillon To: Kees Cook Cc: Christian Brauner , containers@lists.linux-foundation.org, Giuseppe Scrivano , Robert Sesek , Chris Palmer , Jann Horn , Greg Kroah-Hartman , Daniel Wagner , linux-kernel@vger.kernel.org, Matt Denton , John Fastabend , linux-fsdevel@vger.kernel.org, Tejun Heo , Al Viro , cgroups@vger.kernel.org, stable@vger.kernel.org, "David S . Miller" Subject: Re: [PATCH v3 1/4] fs, net: Standardize on file_receive helper to move fds across processes Message-ID: <20200610081237.GA23425@ircssh-2.c.rugged-nimbus-611.internal> References: <20200603011044.7972-2-sargun@sargun.me> <20200604012452.vh33nufblowuxfed@wittgenstein> <202006031845.F587F85A@keescook> <20200604125226.eztfrpvvuji7cbb2@wittgenstein> <20200605075435.GA3345@ircssh-2.c.rugged-nimbus-611.internal> <202006091235.930519F5B@keescook> <20200609200346.3fthqgfyw3bxat6l@wittgenstein> <202006091346.66B79E07@keescook> <037A305F-B3F8-4CFA-B9F8-CD4C9EF9090B@ubuntu.com> <202006092227.D2D0E1F8F@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <202006092227.D2D0E1F8F@keescook> User-Agent: Mutt/1.9.4 (2018-02-28) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jun 09, 2020 at 10:27:54PM -0700, Kees Cook wrote: > On Tue, Jun 09, 2020 at 11:27:30PM +0200, Christian Brauner wrote: > > On June 9, 2020 10:55:42 PM GMT+02:00, Kees Cook wrote: > > >LOL. And while we were debating this, hch just went and cleaned stuff up: > > > > > >2618d530dd8b ("net/scm: cleanup scm_detach_fds") > > > > > >So, um, yeah, now my proposal is actually even closer to what we already > > >have there. We just add the replace_fd() logic to __scm_install_fd() and > > >we're done with it. > > > > Cool, you have a link? :) > > How about this: > Thank you. > https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=devel/seccomp/addfd/v3.1&id=bb94586b9e7cc88e915536c2e9fb991a97b62416 > > -- > Kees Cook + if (ufd) { + error = put_user(new_fd, ufd); + if (error) { + put_unused_fd(new_fd); + return error; + } + } I'm fairly sure this introduces a bug[1] if the user does: struct msghdr msg = {}; struct cmsghdr *cmsg; struct iovec io = { .iov_base = &c, .iov_len = 1, }; msg.msg_iov = &io; msg.msg_iovlen = 1; msg.msg_control = NULL; msg.msg_controllen = sizeof(buf); recvmsg(sock, &msg, 0); They will have the FD installed, no error message, but FD number wont be written to memory AFAICT. If two FDs are passed, you will get an efault. They will both be installed, but memory wont be written to. Maybe instead of 0, make it a poison pointer, or -1 instead? ----- As an aside, all of this junk should be dropped: + ret = get_user(size, &uaddfd->size); + if (ret) + return ret; + + ret = copy_struct_from_user(&addfd, sizeof(addfd), uaddfd, size); + if (ret) + return ret; and the size member of the seccomp_notif_addfd struct. I brought this up off-list with Tycho that ioctls have the size of the struct embedded in them. We should just use that. The ioctl definition is based on this[2]: #define _IOC(dir,type,nr,size) \ (((dir) << _IOC_DIRSHIFT) | \ ((type) << _IOC_TYPESHIFT) | \ ((nr) << _IOC_NRSHIFT) | \ ((size) << _IOC_SIZESHIFT)) We should just use copy_from_user for now. In the future, we can either introduce new ioctl names for new structs, or extract the size dynamically from the ioctl (and mask it out on the switch statement in seccomp_notify_ioctl. ---- +#define SECCOMP_IOCTL_NOTIF_ADDFD SECCOMP_IOR(3, \ + struct seccomp_notif_addfd) Lastly, what I believe to be a small mistake, it should be SECCOMP_IOW, based on the documentation in ioctl.h -- "_IOW means userland is writing and kernel is reading." [1]: https://lore.kernel.org/lkml/20200604052040.GA16501@ircssh-2.c.rugged-nimbus-611.internal/ [2]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/asm-generic/ioctl.h?id=v5.7#n69