Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp552785ybg; Wed, 10 Jun 2020 07:39:08 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw9dOYYl5xG4V/1+CrzDvtlF0xbkceTKlX/b+L+ZVAYtqlXJ78UQ6Q4UHWcQ353jyStzK7C X-Received: by 2002:a17:907:72cf:: with SMTP id du15mr3559006ejc.151.1591799948603; Wed, 10 Jun 2020 07:39:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591799948; cv=none; d=google.com; s=arc-20160816; b=Nvzgoi1I0ybDTavDzSGUSZZNcSaQ5Us4XD9PGXavUDTkCHQEWtvLEH1hlIpgcHUK/i q14TDiMGb5DI+pIz2yHeIDVpzxOPyoXSJgsNCncR+vkFzy1BHwsJ5+H2kp6N7aoNxhVH Zr6PbmC/RXQclSCBRCOCwZXYHMBzaMdG7HqI2ZMwJZumOgwY1MBUOOSwoQ3GWyxVzt3x mV7YrncaKlkShPhecP/MN+CS/zvcJpnGLtBqQQxIjvLPayrhhMG4TIGIV2Rstzv1UU1L 3vvQrfU/LBf4qq0UT/HL0QJaxTEeB1dPvC2cFGO3VVdk6r7dTt99EGQl7NDgnpZKFLhp /xFg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :content-language:accept-language:in-reply-to:references:message-id :date:thread-index:thread-topic:subject:cc:to:from; bh=iPZmXuG9YghT8SL+PROQmGXcOn6Gfz8KiFGycdOy3pw=; b=RoIJHycdO2aZEPX2zNW/WkMX+6g4vGqbBNlIKHNDUoOsSPt0PNCJan2/8Uqn3fyFT/ dofkNNSOlHBqtqA+9bIMW6DFD1ROnbkrmMDcRzR86wzcZep+d8BuuZidOCCgEILoXHA5 8Dxui/359E0FTyzVB0KUm2e8429GTwaL99NZDs4j1My7PwwwmY9GnQv1oHu4Fq75ehdt KXGBF7XOuIsUsy6zimw3zga5CTaCZaqB7wRv6yiR64LJzBUOXm406iExCPDcc4VqgjmV 1zZckLlYEtr616BTYjgvEo+E8gx07hKCy1BzWZN8euYJeU20wOzu1Au01wP0ZNvA084I LyMQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j11si12903617edp.371.2020.06.10.07.38.41; Wed, 10 Jun 2020 07:39:08 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726936AbgFJIsw convert rfc822-to-8bit (ORCPT + 99 others); Wed, 10 Jun 2020 04:48:52 -0400 Received: from eu-smtp-delivery-151.mimecast.com ([185.58.86.151]:23027 "EHLO eu-smtp-delivery-151.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726928AbgFJIsu (ORCPT ); Wed, 10 Jun 2020 04:48:50 -0400 Received: from AcuMS.aculab.com (156.67.243.126 [156.67.243.126]) (Using TLS) by relay.mimecast.com with ESMTP id uk-mta-161-0yN4TplFM4ieG9IIs6KTcQ-2; Wed, 10 Jun 2020 09:48:46 +0100 X-MC-Unique: 0yN4TplFM4ieG9IIs6KTcQ-2 Received: from AcuMS.Aculab.com (fd9f:af1c:a25b:0:43c:695e:880f:8750) by AcuMS.aculab.com (fd9f:af1c:a25b:0:43c:695e:880f:8750) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Wed, 10 Jun 2020 09:48:45 +0100 Received: from AcuMS.Aculab.com ([fe80::43c:695e:880f:8750]) by AcuMS.aculab.com ([fe80::43c:695e:880f:8750%12]) with mapi id 15.00.1347.000; Wed, 10 Jun 2020 09:48:45 +0100 From: David Laight To: 'Sargun Dhillon' , Kees Cook CC: Christian Brauner , "containers@lists.linux-foundation.org" , Giuseppe Scrivano , Robert Sesek , Chris Palmer , Jann Horn , Greg Kroah-Hartman , Daniel Wagner , "linux-kernel@vger.kernel.org" , Matt Denton , John Fastabend , "linux-fsdevel@vger.kernel.org" , Tejun Heo , Al Viro , "cgroups@vger.kernel.org" , "stable@vger.kernel.org" , "David S . Miller" Subject: RE: [PATCH v3 1/4] fs, net: Standardize on file_receive helper to move fds across processes Thread-Topic: [PATCH v3 1/4] fs, net: Standardize on file_receive helper to move fds across processes Thread-Index: AQHWPv7tCi14oegu0U6J73sUpcDiU6jRh/3w Date: Wed, 10 Jun 2020 08:48:45 +0000 Message-ID: <40d76a9a4525414a8c9809cd29a7ba8e@AcuMS.aculab.com> References: <20200603011044.7972-2-sargun@sargun.me> <20200604012452.vh33nufblowuxfed@wittgenstein> <202006031845.F587F85A@keescook> <20200604125226.eztfrpvvuji7cbb2@wittgenstein> <20200605075435.GA3345@ircssh-2.c.rugged-nimbus-611.internal> <202006091235.930519F5B@keescook> <20200609200346.3fthqgfyw3bxat6l@wittgenstein> <202006091346.66B79E07@keescook> <037A305F-B3F8-4CFA-B9F8-CD4C9EF9090B@ubuntu.com> <202006092227.D2D0E1F8F@keescook> <20200610081237.GA23425@ircssh-2.c.rugged-nimbus-611.internal> In-Reply-To: <20200610081237.GA23425@ircssh-2.c.rugged-nimbus-611.internal> Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.202.205.107] MIME-Version: 1.0 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: aculab.com Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Sargun Dhillon > Sent: 10 June 2020 09:13 > > On Tue, Jun 09, 2020 at 10:27:54PM -0700, Kees Cook wrote: > > On Tue, Jun 09, 2020 at 11:27:30PM +0200, Christian Brauner wrote: > > > On June 9, 2020 10:55:42 PM GMT+02:00, Kees Cook wrote: > > > >LOL. And while we were debating this, hch just went and cleaned stuff up: > > > > > > > >2618d530dd8b ("net/scm: cleanup scm_detach_fds") > > > > > > > >So, um, yeah, now my proposal is actually even closer to what we already > > > >have there. We just add the replace_fd() logic to __scm_install_fd() and > > > >we're done with it. > > > > > > Cool, you have a link? :) > > > > How about this: > > > Thank you. > > > https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=devel/seccomp/addfd/v3.1&id=b > b94586b9e7cc88e915536c2e9fb991a97b62416 > > > > -- > > Kees Cook > > + if (ufd) { > + error = put_user(new_fd, ufd); > + if (error) { > + put_unused_fd(new_fd); > + return error; > + } > + } > I'm fairly sure this introduces a bug[1] if the user does: > > struct msghdr msg = {}; > struct cmsghdr *cmsg; > struct iovec io = { > .iov_base = &c, > .iov_len = 1, > }; > > msg.msg_iov = &io; > msg.msg_iovlen = 1; > msg.msg_control = NULL; > msg.msg_controllen = sizeof(buf); > > recvmsg(sock, &msg, 0); > > They will have the FD installed, no error message, but FD number wont be written > to memory AFAICT. If two FDs are passed, you will get an efault. They will both > be installed, but memory wont be written to. Maybe instead of 0, make it a > poison pointer, or -1 instead? IMHO if the buffer isn't big enough the nothing should happen. (or maybe a few of the fds be returned and the others left for later.) OTOH if the user passed an invalid address then installing the fd and returning EFAULT (and hence SIGSEGV) seems reasonable. Properly written apps just don't do that. In essence the 'copy_to_user' is done by the wrapper code. The code filling in the CMSG buffer can be considered to be writing a kernel buffer. IIRC other kernels (eg NetBSD) do the copies for ioctl() requests in the ioctl syscall wrapper. The IOW/IOR/IOWR flags have to be right. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)