Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 75C44C7EE37 for ; Thu, 2 Mar 2023 19:18:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229787AbjCBTSd (ORCPT ); Thu, 2 Mar 2023 14:18:33 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43378 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229455AbjCBTSc (ORCPT ); Thu, 2 Mar 2023 14:18:32 -0500 Received: from zeniv.linux.org.uk (zeniv.linux.org.uk [IPv6:2a03:a000:7:0:5054:ff:fe1c:15ff]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 69BB5125A9; Thu, 2 Mar 2023 11:18:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=linux.org.uk; s=zeniv-20220401; h=Sender:In-Reply-To:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=bSVKqTfHXZQDAAqQmNgDotHKECpRHWY2RjtIR7KJtAU=; b=k7ofA7OuCUnf9x0J3coDKqroTG hPOiCrhvuIdptf8anf+V/QmlNQSN/hDTCEmELqWUegppCPoOObwJoIFD3q8IDWST7sRMhKLrw6KyL ynRVkL5fPZs4qgbTixllpgMFCNTu9zpBom+QfHbnSQqeWzrVTt4OIDyBQ2YwVJQDkYk01oTzOEsnY smVQ0jR5nI0UUpb0/PtBcvZDuf0rY+DWvN4ufjxY35uDfNDwtovcsjSRR/N/qoj2fvgDH3z4Oiotg VsGbyJIZ3RKtt2gmOIlaZTUlOWQhy9W30hAVwpvuAY+dsXmXrfDKlWYjzqJutKFGrrCg3MEHGakw9 BtUdgCag==; Received: from viro by zeniv.linux.org.uk with local (Exim 4.96 #2 (Red Hat Linux)) id 1pXoRc-00DNZe-2v; Thu, 02 Mar 2023 19:18:25 +0000 Date: Thu, 2 Mar 2023 19:18:24 +0000 From: Al Viro To: Mateusz Guzik Cc: Linus Torvalds , Christian Brauner , serge@hallyn.com, paul@paul-moore.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: Re: [PATCH v3 2/2] vfs: avoid duplicating creds in faccessat if possible Message-ID: References: <20230125155557.37816-1-mjguzik@gmail.com> <20230125155557.37816-2-mjguzik@gmail.com> <20230302083025.khqdizrnjkzs2lt6@wittgenstein> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: Al Viro Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 02, 2023 at 07:02:10PM +0000, Al Viro wrote: > On Thu, Mar 02, 2023 at 06:43:39PM +0000, Al Viro wrote: > > On Thu, Mar 02, 2023 at 07:22:17PM +0100, Mateusz Guzik wrote: > > > > > Ops, I meant "names_cache", here: > > > names_cachep = kmem_cache_create_usercopy("names_cache", PATH_MAX, 0, > > > SLAB_HWCACHE_ALIGN|SLAB_PANIC, 0, PATH_MAX, NULL); > > > > > > it is fs/dcache.c and I brainfarted into the above. > > > > So you mean __getname() stuff? > > The thing is, getname_flags()/getname_kernel() is not the only user of that > thing; grep and you'll see (and keep in mind that cifs alloc_dentry_path() > is a __getname() wrapper, with its own callers). We might have bugs papered > over^W^Whardened away^W^Wpapered over in some of those users. > > I agree that getname_flags()/getname_kernel()/sys_getcwd() have no need of > pre-zeroing; fw_get_filesystem_firmware(), ceph_mdsc_build_path(), > [hostfs]dentry_name() and ima_d_path() seem to be safe. So's > vboxsf_path_from_dentry() (I think). But with this bunch I'd need > a review before I'd be willing to say "this security theatre buys us > nothing here": [snip the list] PS: ripping this bandaid off might very well be the right thing to do, it's just that "I'm confident there is 0 hardening benefit for it" needs a code review is some moderately grotty places. It's not too awful (e.g. in case of cifs most of the callers are immediately followed by build_path_from_dentry(), which stores the pathname in the end of page and returns the pointer to beginning of initialized part; verifying that after that allocation + build_path we only access the parts past the returned pointer until it's time to free the buffer is not hard), but it's worth doing.