Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp3631354pxu; Tue, 8 Dec 2020 18:00:18 -0800 (PST) X-Google-Smtp-Source: ABdhPJyVLrKwrdmX6Xp0IPvSr2qpNaq+iV3tqHkhU8UmRUzNGJfgXzlfuNNlSskxKGIEsAR+nUnm X-Received: by 2002:aa7:d41a:: with SMTP id z26mr706612edq.267.1607479218450; Tue, 08 Dec 2020 18:00:18 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607479218; cv=none; d=google.com; s=arc-20160816; b=bJgp4J79JlFA5Jvy8p+vT24pBdm8/9OyfUONZNtoMUdwTy4w0KSmHXz1bKjVAQdx5r 2RYKLye6yn4EEq+enJadfnpXVSVqckZgkrwM0AJeGqoIk2Jo9ruzG7mcQWMnjkJMN1fk aZn3DhYho7fuMzDw9ckndfnyoOBi0yOYsyoGg5+Yrei5iwv5KgW+zuwpL+2tKJ7H7raU BxKBOBa2xFCZ+H9TuFF0UqZeNrn41e8+7kk7vER9xLepJlpUsZjOeGCu0kNl5+CqigGs z/7ly6ePY9E0uzUyHNDTAmXogj0jlLi5WX0kIDj+EheTVe7JmCZLZmdn4WVfvQs7K57d 3AWw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:references:message-id:in-reply-to :subject:cc:to:from:date; bh=fQSEHBziBm02L8uQIHW7NPuz4OsW5HO7Bb7i2fLb5ug=; b=mNRZLG8U/X4j1EPfQ/IgLJYoox07xGtINgAavLBXU4/ctMfTL1NsMvl3uTKVgAebGI 5yvbOeZGcqZKimX1Rpvd6F/9bDzFc94KBdN1AKTOiDZwq//t1H6ehKtw+I9fzOR3xyKS 7oP7vVl0vesMuV0GXxi9BU9d5+x5Hm6JWA+sMbjcDwkKvI980ztgflIZ8XeBzojX4544 abaHcvAncvjUO2B54gXpxZTV0VkVgujw+u+GH9wHuQLraiP3WClx9xSICohDL3ApuzSV 14c/hz7L4nfFqagWPvyy/xNwB9mfY8ay5vQrySzEG8HnP6osG3pPW8wKGucs2wuvB6ro zWJg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id i8si159081ejj.424.2020.12.08.17.59.54; Tue, 08 Dec 2020 18:00:18 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726159AbgLIB6L (ORCPT + 99 others); Tue, 8 Dec 2020 20:58:11 -0500 Received: from namei.org ([65.99.196.166]:59072 "EHLO mail.namei.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725808AbgLIB6L (ORCPT ); Tue, 8 Dec 2020 20:58:11 -0500 Received: from localhost (localhost [127.0.0.1]) by mail.namei.org (Postfix) with ESMTPS id 0430BDC0; Wed, 9 Dec 2020 01:57:30 +0000 (UTC) Date: Tue, 8 Dec 2020 17:57:29 -0800 (PST) From: James Morris To: Miklos Szeredi cc: "Eric W . Biederman" , linux-fsdevel@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Dmitry Vyukov Subject: Re: [PATCH v2 04/10] ovl: make ioctl() safe In-Reply-To: <20201207163255.564116-5-mszeredi@redhat.com> Message-ID: References: <20201207163255.564116-1-mszeredi@redhat.com> <20201207163255.564116-5-mszeredi@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 7 Dec 2020, Miklos Szeredi wrote: > ovl_ioctl_set_flags() does a capability check using flags, but then the > real ioctl double-fetches flags and uses potentially different value. > > The "Check the capability before cred override" comment misleading: user > can skip this check by presenting benign flags first and then overwriting > them to non-benign flags. Is this a security bug which should be fixed in stable? -- James Morris