Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp274153ybt; Fri, 19 Jun 2020 01:26:34 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzATYJiH8gyLPB1C8CqlNguhdSVyvO+GaRJS7/EWFJXdraCbdVXadgeQnBQU41H+7ebIj5G X-Received: by 2002:a05:6402:c06:: with SMTP id co6mr2082363edb.298.1592555193913; Fri, 19 Jun 2020 01:26:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1592555193; cv=none; d=google.com; s=arc-20160816; b=DujtC7BEDUHJybO8lRaRVzFxbbJqDDlNQT6unauXTXhranvrFjyU95f0m2UlFlXsmd B1F+HEn+caYIOPVa07x2WfO3f/HOTlGnv5F58M/pyQMz/TRdzaPpyvx47PGtDnfr9i79 xYEg8B7dUV1yVN23qWnisLfbI+J8nflKpsUA1WpqP+8sMhmOKpFvSplc+MPZkcCbZ/XZ UBYVwQ7TwV9oiKlAuMggqG374z1g2Lvj+ih7B5yejXstgcRMfYGZ5+NcPrtDxMnVqQPg AVGg80HfIJDiEigEQ7mlhqsTXXkRcYAgTRO8jKKC5ekfqn4ZG6ioVMH4M+AMhSq/EjjX 6WwA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :content-language:accept-language:in-reply-to:references:message-id :date:thread-index:thread-topic:subject:cc:to:from; bh=E+z5wlkcxHNUwPuJJhv+rTCg/YaP8YPX8W8r5pb5bnM=; b=fHcb5Qw6ZRx0ROTrjWbeEK+uaT7YkMmWPfWGcLnprV77c/K1Z9ne5/wWCCexgs9O+U vO8e44VrwmkKIRxKlT0sZPtprU3eICCy8anPyyfS2HWi2lRuyLBWPf5IvVagXUO0aIU5 xf+J4NuScHPckykKE9jdgRjzWsP2ylhBF6bR6jRDqV4s02V+xtNd3vdGhdtnR5mjRKbC gJ7JhOX/QPUqyavkRQMYoN690rY3W+bDLOO1Pu0PAejbQv1/suMTB8+s5a2ERoydjRt1 gICGnC0voCRuwbkzlEPn9xP2uWxMbkwlqC3w+MGXoUdLVdF+fY+w0isWx8mvw2uclbCv hJIg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bc22si3535533edb.368.2020.06.19.01.26.11; Fri, 19 Jun 2020 01:26:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730924AbgFSIXq convert rfc822-to-8bit (ORCPT + 99 others); Fri, 19 Jun 2020 04:23:46 -0400 Received: from eu-smtp-delivery-151.mimecast.com ([207.82.80.151]:43333 "EHLO eu-smtp-delivery-151.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731290AbgFSIVH (ORCPT ); Fri, 19 Jun 2020 04:21:07 -0400 Received: from AcuMS.aculab.com (156.67.243.126 [156.67.243.126]) (Using TLS) by relay.mimecast.com with ESMTP id uk-mta-78-mkYMfPweOkGnJdWf_Vspzw-1; Fri, 19 Jun 2020 09:20:56 +0100 X-MC-Unique: mkYMfPweOkGnJdWf_Vspzw-1 Received: from AcuMS.Aculab.com (fd9f:af1c:a25b:0:43c:695e:880f:8750) by AcuMS.aculab.com (fd9f:af1c:a25b:0:43c:695e:880f:8750) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 19 Jun 2020 09:20:55 +0100 Received: from AcuMS.Aculab.com ([fe80::43c:695e:880f:8750]) by AcuMS.aculab.com ([fe80::43c:695e:880f:8750%12]) with mapi id 15.00.1347.000; Fri, 19 Jun 2020 09:20:55 +0100 From: David Laight To: 'Kees Cook' , Sargun Dhillon CC: "linux-kernel@vger.kernel.org" , "Christian Brauner" , Tycho Andersen , "Christoph Hellwig" , "David S. Miller" , Jakub Kicinski , Alexander Viro , Aleksa Sarai , Matt Denton , Jann Horn , Chris Palmer , Robert Sesek , Giuseppe Scrivano , "Greg Kroah-Hartman" , Andy Lutomirski , Will Drewry , Shuah Khan , "netdev@vger.kernel.org" , "containers@lists.linux-foundation.org" , "linux-api@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" , "linux-kselftest@vger.kernel.org" Subject: RE: [PATCH v5 3/7] fs: Add fd_install_received() wrapper for __fd_install_received() Thread-Topic: [PATCH v5 3/7] fs: Add fd_install_received() wrapper for __fd_install_received() Thread-Index: AQHWRazi5O9oFyX6VkOfXGvu43vXPajfldBw Date: Fri, 19 Jun 2020 08:20:55 +0000 Message-ID: References: <20200617220327.3731559-1-keescook@chromium.org> <20200617220327.3731559-4-keescook@chromium.org> <20200618054918.GB18669@ircssh-2.c.rugged-nimbus-611.internal> <202006181305.01F1B08@keescook> In-Reply-To: <202006181305.01F1B08@keescook> Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.202.205.107] MIME-Version: 1.0 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: aculab.com Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Kees Cook > Sent: 18 June 2020 21:13 > On Thu, Jun 18, 2020 at 05:49:19AM +0000, Sargun Dhillon wrote: > > On Wed, Jun 17, 2020 at 03:03:23PM -0700, Kees Cook wrote: > > > [...] > > > static inline int fd_install_received_user(struct file *file, int __user *ufd, > > > unsigned int o_flags) > > > { > > > + if (ufd == NULL) > > > + return -EFAULT; > > Isn't this *technically* a behvaiour change? Nonetheless, I think this is a much better > > approach than forcing everyone to do null checking, and avoids at least one error case > > where the kernel installs FDs for SCM_RIGHTS, and they're not actualy usable. > > So, the only behavior change I see is that the order of sanity checks is > changed. > > The loop in scm_detach_fds() is: > > > for (i = 0; i < fdmax; i++) { > err = __scm_install_fd(scm->fp->fp[i], cmsg_data + i, o_flags); > if (err < 0) > break; > } > > Before, __scm_install_fd() does: > > error = security_file_receive(file); > if (error) > return error; > > new_fd = get_unused_fd_flags(o_flags); > if (new_fd < 0) > return new_fd; > > error = put_user(new_fd, ufd); > if (error) { > put_unused_fd(new_fd); > return error; > } > ... > > After, fd_install_received_user() and __fd_install_received() does: > > if (ufd == NULL) > return -EFAULT; > ... > error = security_file_receive(file); > if (error) > return error; > ... > new_fd = get_unused_fd_flags(o_flags); > if (new_fd < 0) > return new_fd; > ... > error = put_user(new_fd, ufd); > if (error) { > put_unused_fd(new_fd); > return error; > } > > i.e. if a caller attempts a receive that is rejected by LSM *and* > includes a NULL userpointer destination, they will get an EFAULT now > instead of an EPERM. The 'user' pointer the fd is written to is in the middle of the 'cmsg' buffer. So to hit 'ufd == NULL' the program would have to pass a small negative integer! The error paths are strange if there are multiple fd in the message. A quick look at the old code seems to imply that if the user doesn't supply a big enough buffer then the extra 'file *' just get closed. OTOH if there is an error processing one of the files the request fails with the earlier file allocated fd numbers. In addition most of the userspace buffer is written after the loop - any errors there return -EFAULT (SIGSEGV) without even trying to tidy up the allocated fd. ISTM that the put_user(new_fd, ufd) could be done in __scm_install_fd() after __fd_install_received() returns. scm_detach_fds() could do the put_user(SOL_SOCKET,...) before actually processing the first file - so that the state can be left unchanged when a naff buffer is passed. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)