Received: by 2002:a89:48b:0:b0:1f5:f2ab:c469 with SMTP id a11csp1134774lqd; Thu, 25 Apr 2024 07:03:13 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUhA8MEXcYDnNInx25KBOvcFC58WKVGgyPlXE+FQZ260mROd4HplLAJq5WIFguMNxhJhe//TEPZTq9jvsUOBvelqbzm80INvuz3Vm0l/g== X-Google-Smtp-Source: AGHT+IHcSP2QD5rjTYfzy4reXJopO826EEitndutBY4XsC1DT9s8Ju2wLeEoufcosk5iW3URSbDr X-Received: by 2002:a50:d5c7:0:b0:572:32e4:dac8 with SMTP id g7-20020a50d5c7000000b0057232e4dac8mr4626845edj.14.1714053793035; Thu, 25 Apr 2024 07:03:13 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714053793; cv=pass; d=google.com; s=arc-20160816; b=iNJXCKkcW1QOrVcYtxfKISO0OU+sqH0HyoTg7uqKUZwUvG/B3Q3augcb9h6YXtymlY us7983MRGrVS4ltVUSvmTGra/Hga1vS8QOcvz81loQmlveTHaA2oGrWByjuDBtdgCI0X kDMgLwqt+CVwnzs1N1h67e0zOjqWVDKFjLdwVmopsKcoGrjp64QdojsuDQpSlTVNH6eZ +YDem/sgyV/4ECj+Z0j8jdj64OEhylIL32of3Biz2gNMMfidu1av9cDa74k5RNbBqhNp Av04h12olnihAaeZ3apOYGyDjVGoar1zlB9xCWiagfjyyqc2HKWflIN/cAHgNNTR8PDh /efw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=f2rKClx92D3Joj9x+337b++M0D6sM9+vkCMR9QWt5fY=; fh=c3kBOZkv8MW7iSFrQ9xJJBh5n+0DPynTNJex93104cM=; b=oCOKnUnFBj0jjDE8QKGNRRZaeEyNlw9/n/B0BXvPu7J96q3p/0PL9HnEyjh+TPXpXL 6q9ro/p3ni/gcRiGNc1ZyZ5mpkC71EWKKtwq1h4wyy1BnAyyIh7kQtVWkuFQRZJOmppS SZk3oH9vTteqkqr/yE57uYrVoweqdWJcEBkGsp98pr9RRf/OGn6yEVHyLPhHGCzX0CKf LCBOqjpTyWAax/nj2jlheqz6TJmCMbXvZN8Yofycda3P8l8l1OoIxTfuaRUkwYnhVPFq Xd75b7lhyZClXaO766KjsHw2r5TDuQ7isE0hVK4VUmiBiPRjH39fhNpMJ/3sJPknvFF2 Cc4A==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=d2yIIcr9; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-158649-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-158649-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id d7-20020a056402078700b005705b75ad24si9621590edy.182.2024.04.25.07.03.12 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 25 Apr 2024 07:03:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-158649-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=d2yIIcr9; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-158649-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-158649-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id C66981F2157C for ; Thu, 25 Apr 2024 14:03:11 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id E5C91149E0A; Thu, 25 Apr 2024 14:03:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="d2yIIcr9" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 139431494BB; Thu, 25 Apr 2024 14:02:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714053780; cv=none; b=Z4qBsXYDKwaGssh0WEMr7XfhIbs3srTL370AZyn9p0EybPUCQRZHHLgCXNXrd6dmacxf2/tbG8qtdZYT/L4/lhMy3wj/SeOSqX4brEtsKnETAhlSSc4z0IHCd/c7sMcsaKPA4V9ePcBjCrnlvuUY7CnbkUwuZlPnJvHlvcFRm04= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714053780; c=relaxed/simple; bh=ExEnrOrorNPeVUED4foxKZCvmX6BWkIu1dkDvKFwvVM=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=kUrNTq6w8G5S9pRbiB2Ib/T/HJvs0LTcb21tudnPrdJ+snG5Agfc+uy0nT2x3UM5vWVSbV1Y2ZoCTGVwCHB/E5a77UX9VqDCG+cGX571Y0Tf2+eRrokExj5t3fgc1hJ+WhxhgVPQ86l5YlYg7NBoZ/9VUTG5/heKq59BWghrmZ8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=d2yIIcr9; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 979EBC113CC; Thu, 25 Apr 2024 14:02:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1714053779; bh=ExEnrOrorNPeVUED4foxKZCvmX6BWkIu1dkDvKFwvVM=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=d2yIIcr9OPrSQ08qxRyXjKfdnsihdla9xCdtcuPKu0tmVd2k+JVdNtGK6zm66aNjy ja95Tz6lAvmhrZkg5v6JTDkzjmJtl7hR9uyQDPX0w0A0WY/BVoztVOAdKNoB00KjxD fgcdF2AA2LGc9n+9znTgDlBPE66vljUcuWCSjEg+6Nkx+eIhEYALjxnYv6wvdxFqtB P675qaaUgkdPEsE+nYVTq32W9/pESDk9A2fMUJ4tmmc167WGgdxjy++C/oq7zMGjma XUJ9YaCs9JdG49zIuJO+13ZDXWlTiJlOtLkmc5wY04S3VoWscJNTP31IgHKJGqh9Ul 5MhUG/GDQ2CYA== Date: Thu, 25 Apr 2024 16:02:46 +0200 From: Christian Brauner To: Stas Sergeev Cc: linux-kernel@vger.kernel.org, Stefan Metzmacher , Eric Biederman , Alexander Viro , Andy Lutomirski , Jan Kara , Jeff Layton , Chuck Lever , Alexander Aring , David Laight , linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, Paolo Bonzini , Christian =?utf-8?B?R8O2dHRzY2hl?= Subject: Re: [PATCH 2/2] openat2: add OA2_INHERIT_CRED flag Message-ID: <20240425-akrobatisch-palmen-4c1e7a0f69d2@brauner> References: <20240424105248.189032-1-stsp2@yandex.ru> <20240424105248.189032-3-stsp2@yandex.ru> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20240424105248.189032-3-stsp2@yandex.ru> > struct open_flags { > - int open_flag; > + u64 open_flag; Btw, this change taken together with > +#define VALID_OPENAT2_FLAGS (VALID_OPEN_FLAGS | OA2_INHERIT_CRED) is also ripe to causes subtle bugs and security issues. This new VALID_OPENAT2_FLAGS define bypasses BUILD_BUG_ON_MSG(upper_32_bits(VALID_OPEN_FLAGS), "struct open_flags doesn't yet handle flags > 32 bits"); in build_open_flags(). And right now lookup_open(), open_last_lookups(), and do_open() just do: int open_flag = op->open_flag; Because op->open_flag was 32bit that was fine. But now ->open_flag is 64bit which means we truncate the upper 32bit including OA2_INHERIT_CRED or any other new flag in the upper 32bits in those functions. So as soon as there's an additional check in e.g., do_open() for OA2_INHERIT_CRED or in any of the other helpers that's security relevant we're fscked because that flag is never seen and no bot will help us here. And it's super easy to miss during review...