Received: by 2002:ab2:60d1:0:b0:1f7:5705:b850 with SMTP id i17csp1454024lqm; Thu, 2 May 2024 15:54:49 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWC2o5T2EhVzx8S3eVCUx6c624F7lc9rhl3hd73zGxup8Ss6jkyrPQ0o2bEtToifhgM86VDbfXDHVZZ7qwdU1/GbkAHzg8l+M56JtKaxA== X-Google-Smtp-Source: AGHT+IFovAZk5MCvbKOeAh65wbswbD5ggKeQ1InjUhiHZMkv5nIYlerTXKa//O+36sEbEeWJCDad X-Received: by 2002:a05:6214:268e:b0:6a0:9360:1e7a with SMTP id gm14-20020a056214268e00b006a093601e7amr1124567qvb.42.1714690489301; Thu, 02 May 2024 15:54:49 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714690489; cv=pass; d=google.com; s=arc-20160816; b=wKBpmfifGbNgpNFs53dUry+XZSNwC8eJ6EmNJVKDoJGiwfo7CACmjQGjiF97K+0hf8 sRC8Uvi0m5PY/wEOp6mhSCTun45C6W9DZ5lfrzgbIzfwozC7F+93nkTV0jAwitft8E1t CIRCXUeRJlvdvPnvgZ2KMFSmPC0U/DBRuVvQ79oBy5pFHcFInuD1FwWIC9VoMA5QFRka Jl5UvV3/yrXHkTxpI4ATIsAg9aeBUDC3p4YYDiKQDOS7kaOcUH8PeMYA/bLLFkgVJp9u 0jxcxHBb3a7LRJLjlzajii4555sqb40wbtgLaGW3X4easmgwzN9ChtZs78dPZNEuO5Zr 0hMA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=PyICWSI1cM8GOz3sU1eVA0B3CS15+lbjDpFSuRGR+Cg=; fh=SQT8UjUvKkpaUHVAJa5Z5fTgmKJ2f1t+cNC/pCrtpns=; b=PZZixBl8OMT8Z0zbiN8Bi6KQYFuwXQZ1MaThO4D1ZfQ4gBbYuZ6KB81J8h7MeEM4SZ TabRR+FEdqTUCykUh4MZ176YKkkBQ7P9Lgf7g8pHyfM48DoMf3plLJrqPHd9/mpwzfol mvVfZEU8DIFOtwrOgTb45XhKVurSEADHN+qSBUzBF8lwpVBLh50O0BGyoAAKJY4L8RPq 5TvgNlYNhQaNS5TH5MP/DKn1uVq621BPLG4g1ig6uG7al+tiHM+GscdatuWruKqMLUUu 7xP9d7MYfZMUFBQ6ALvDhmB1p/iePjimQsMyHy+JWj/zM+TPVVQoVpkDhmVW/TW8Aj4p Qh/Q==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=MgWLnKKN; arc=pass (i=1 spf=pass spfdomain=google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-167023-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-167023-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id fq2-20020a056214258200b006a0a7c646ffsi2001806qvb.232.2024.05.02.15.54.49 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 May 2024 15:54:49 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-167023-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=MgWLnKKN; arc=pass (i=1 spf=pass spfdomain=google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-167023-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-167023-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 0125D1C218F6 for ; Thu, 2 May 2024 22:54:49 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 134B21CA85; Thu, 2 May 2024 22:54:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="MgWLnKKN" Received: from mail-ed1-f43.google.com (mail-ed1-f43.google.com [209.85.208.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AB48F1B947 for ; Thu, 2 May 2024 22:54:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.43 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714690477; cv=none; b=QElevNr00XGi2I3YKsIs3kyy2PasHBjCTuf/5pPxr5wVGbx9kwxx5frAasGGFZBPTIe7oB3X7Mi6tYVZv2uCBSbj0qC9ZKoOuThh7sZJRBh+LVCsbfhQx1pf0oXJ58zHGYO0DIsYWoA6+tLROd6mgTJEwZ98MXt2IXOhXphhlAQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714690477; c=relaxed/simple; bh=T+UuNbIZBMEGFibn2/SgHQMg5uXvr4RBP5NW+k6VmiA=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=QjhlJA9RH8BaPEJGDx6qte2Wc5Rft9uYzFP6VDix8o4/sOCeVf41vvi57s4kuD9+RdTXRgeq3ZX1FJfUojyqam7jv3Qdq8TfJTk+MyRWSg4t2uDloajoi28R9OiM5uTjQjvrM9BtNHikW5tBGIfcD91TWEajtF8Slxan65DOJU0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=MgWLnKKN; arc=none smtp.client-ip=209.85.208.43 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com Received: by mail-ed1-f43.google.com with SMTP id 4fb4d7f45d1cf-572afdee2a8so3124a12.0 for ; Thu, 02 May 2024 15:54:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1714690474; x=1715295274; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=PyICWSI1cM8GOz3sU1eVA0B3CS15+lbjDpFSuRGR+Cg=; b=MgWLnKKN4kEO/GrTv2EiI1yIpsNH80g4MhqP7kycYCSneXr/fte5u8pQDQ1/5eti+f Uv6S6Xi03B0Sw0Q47ajDub79C/MSXNtyRRzwtPQehk3/Tz1Bg9+4V0hUDOJk5v6VpRsQ Awzu7uK42VbeQs4HMw4jV6XuO6aDT4kHNo+3LxNzczTBkEV0HXH/nZc7KOKYpyn+UT9c SWmC66hZWQw//p/XtFuCPwCoDt480LkMecoJO0brCj2+LFR/azW4eUnNaCLXr/n0lvJ/ x8H7Bdrq8gC3JD5428mf4n8OLvUwnLqOozS5Z1qsZVdQm1Gzmp8GD8MKRSUrhP3bJ/kT yIfw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1714690474; x=1715295274; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=PyICWSI1cM8GOz3sU1eVA0B3CS15+lbjDpFSuRGR+Cg=; b=clTjVc5jH+gb6HEnIqPKjKaYSyBEPjL4pWsKAuJcbXWnr8HomIv0ygOB3mnmaFF8sa l1fB0CBNspwPpoTAaHG/mTRIFox+DvwIX3NxWSzHcPYNSA1ao1QrjKIBP7vwp0+IypWv 8mhi1xuMCM9sHfuQrtxkZ1WIx+jDEUX8YTM3LvsRlj9Rcu2ZfrudB/rin6OqzhHYXmVP /gvbi8nOlaI8d84GKwZ2+MeW+eRVOTLMISOikuQD7KbgqwTVpC3Kz3XQohMHl7I8RRZU hvp0vIGkZRfgQg2ZpHwSTeX/6sP1kNug2FTUnINRa2Azvd6pRuL0sLW1Vv9VwDieb9jP xR/g== X-Forwarded-Encrypted: i=1; AJvYcCWRCIJNmpIBPZcQN31KTBk61lilYDlKUWJ0q/AK0V43zSm72zLpiN4qOX0TSAVzE37iJ9vrnGLLOxnxdVKaWHblFhhYUNSLhM3t5cZU X-Gm-Message-State: AOJu0Yw64iI1iSEZGTPmHum8sGDG+U2d1z3M8C5akW/odTFIQerkw+Ch NyXPFuRT8LzXHR0uwnkxmTRgxa9zSyQS1tp1Au/NgZbei6H5sxXMOM6GnSK1xmoiXMSLwnSSRL3 KCnEp8sMib49VAfgM3empptPPUoS2ibvbtg+N X-Received: by 2002:aa7:d448:0:b0:572:a1b1:1f99 with SMTP id 4fb4d7f45d1cf-572d0c0e124mr33966a12.1.1714690473701; Thu, 02 May 2024 15:54:33 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240502222252.work.690-kees@kernel.org> <20240502223341.1835070-1-keescook@chromium.org> In-Reply-To: <20240502223341.1835070-1-keescook@chromium.org> From: Jann Horn Date: Fri, 3 May 2024 00:53:56 +0200 Message-ID: Subject: Re: [PATCH 1/5] fs: Do not allow get_file() to resurrect 0 f_count To: Kees Cook Cc: Christian Brauner , Alexander Viro , Jan Kara , linux-fsdevel@vger.kernel.org, Zack Rusin , Broadcom internal kernel review list , Maarten Lankhorst , Maxime Ripard , Thomas Zimmermann , David Airlie , Daniel Vetter , Jani Nikula , Joonas Lahtinen , Rodrigo Vivi , Tvrtko Ursulin , Andi Shyti , Lucas De Marchi , Matt Atwood , Matthew Auld , Nirmoy Das , Jonathan Cavitt , Will Deacon , Peter Zijlstra , Boqun Feng , Mark Rutland , Kent Overstreet , Masahiro Yamada , Nathan Chancellor , Nicolas Schier , Andrew Morton , linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, intel-gfx@lists.freedesktop.org, linux-kbuild@vger.kernel.org, linux-hardening@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Fri, May 3, 2024 at 12:34=E2=80=AFAM Kees Cook w= rote: > If f_count reaches 0, calling get_file() should be a failure. Adjust to > use atomic_long_inc_not_zero() and return NULL on failure. In the future > get_file() can be annotated with __must_check, though that is not > currently possible. [...] > static inline struct file *get_file(struct file *f) > { > - atomic_long_inc(&f->f_count); > + if (unlikely(!atomic_long_inc_not_zero(&f->f_count))) > + return NULL; > return f; > } Oh, I really don't like this... In most code, if you call get_file() on a file and see refcount zero, that basically means you're in a UAF write situation, or that you could be in such a situation if you had raced differently. It's basically just like refcount_inc() in that regard. And get_file() has semantics just like refcount_inc(): The caller guarantees that it is already holding a reference to the file; and if the caller is wrong about that, their subsequent attempt to clean up the reference that they think they were already holding will likely lead to UAF too. If get_file() sees a zero refcount, there is no safe way to continue. And all existing callers of get_file() expect the return value to be the same as the non-NULL pointer they passed in, so they'll either ignore the result of this check and barrel on, or oops with a NULL deref. For callers that want to actually try incrementing file refcounts that could be zero, which is only possible under specific circumstances, we have helpers like get_file_rcu() and get_file_active(). Can't you throw a CHECK_DATA_CORRUPTION() or something like that in there instead?