Date: Mon, 6 May 2024 11:24:52 +0800
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: [PATCH 09/12] cachefiles: defer exposing anon_fd until after copy_to_user() succeeds
To: libaokun@huaweicloud.com, netfs@lists.linux.dev
Cc: dhowells@redhat.com, jlayton@kernel.org, zhujia.zj@bytedance.com, linux-erofs@lists.ozlabs.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Baokun Li, Hou Tao
References: <20240424033916.2748488-1-libaokun@huaweicloud.com> <20240424033916.2748488-10-libaokun@huaweicloud.com>
From: Jingbo Xu
In-Reply-To: <20240424033916.2748488-10-libaokun@huaweicloud.com>

On 4/24/24 11:39 AM, libaokun@huaweicloud.com wrote:
> From: Baokun Li
>
> After installing the anonymous fd, we can now see it in userland and close
> it. However, at this point we may not have gotten the reference count of
> the cache, but we will put it during close fd, so this may cause a cache
> UAF.

Good catch!

>
> To avoid this, we will make the anonymous fd accessible to the userland by
> executing fd_install() after copy_to_user() has succeeded, and by this
> point we must have already grabbed the reference count of the cache.

Why must we execute fd_install() after copy_to_user() has succeeded? Why not grab a reference to the cache before fd_install()?

>
> Suggested-by: Hou Tao
> Signed-off-by: Baokun Li > --- > fs/cachefiles/ondemand.c | 53 +++++++++++++++++++++++++--------------- > 1 file changed, 33 insertions(+), 20 deletions(-) > > diff --git a/fs/cachefiles/ondemand.c b/fs/cachefiles/ondemand.c > index 0cf63bfedc9e..7c2d43104120 100644 > --- a/fs/cachefiles/ondemand.c > +++ b/fs/cachefiles/ondemand.c > @@ -4,6 +4,11 @@ > #include > #include "internal.h" > > +struct anon_file { > + struct file *file; > + int fd; > +}; > + > static inline void cachefiles_req_put(struct cachefiles_req *req) > { > if (refcount_dec_and_test(&req->ref)) > @@ -244,14 +249,14 @@ int cachefiles_ondemand_restore(struct cachefiles_cache *cache, char *args) > return 0; > } > > -static int cachefiles_ondemand_get_fd(struct cachefiles_req *req) > +static int cachefiles_ondemand_get_fd(struct cachefiles_req *req, > + struct anon_file *anon_file) > { > struct cachefiles_object *object; > struct cachefiles_cache *cache; > struct cachefiles_open *load; > - struct file *file; > u32 object_id; > - int ret, fd; > + int ret; > > object = cachefiles_grab_object(req->object, > cachefiles_obj_get_ondemand_fd); > @@ -263,16 +268,16 @@ static int cachefiles_ondemand_get_fd(struct cachefiles_req *req) > if (ret < 0) > goto err; > > - fd = get_unused_fd_flags(O_WRONLY); > - if (fd < 0) { > - ret = fd; > + anon_file->fd = get_unused_fd_flags(O_WRONLY); > + if (anon_file->fd < 0) { > + ret = anon_file->fd; > goto err_free_id; > } > > - file = anon_inode_getfile("[cachefiles]", &cachefiles_ondemand_fd_fops, > - object, O_WRONLY); > - if (IS_ERR(file)) { > - ret = PTR_ERR(file); > + anon_file->file = anon_inode_getfile("[cachefiles]", > + &cachefiles_ondemand_fd_fops, object, O_WRONLY); > + if (IS_ERR(anon_file->file)) { > + ret = PTR_ERR(anon_file->file); > goto err_put_fd; > } 
> > @@ -281,15 +286,14 @@ static int cachefiles_ondemand_get_fd(struct cachefiles_req *req) > spin_unlock(&object->ondemand->lock); > ret = -EEXIST; > /* Avoid performing cachefiles_ondemand_fd_release(). */ > - file->private_data = NULL; > + anon_file->file->private_data = NULL; > goto err_put_file; > } > > - file->f_mode |= FMODE_PWRITE | FMODE_LSEEK; > - fd_install(fd, file); > + anon_file->file->f_mode |= FMODE_PWRITE | FMODE_LSEEK; > > load = (void *)req->msg.data; > - load->fd = fd; > + load->fd = anon_file->fd; > object->ondemand->ondemand_id = object_id; > spin_unlock(&object->ondemand->lock); > > @@ -298,9 +302,11 @@ static int cachefiles_ondemand_get_fd(struct cachefiles_req *req) > return 0; > > err_put_file: > - fput(file); > + fput(anon_file->file); > + anon_file->file = NULL; > err_put_fd: > - put_unused_fd(fd); > + put_unused_fd(anon_file->fd); > + anon_file->fd = ret; > err_free_id: > xa_erase(&cache->ondemand_ids, object_id); > err: > @@ -357,6 +363,7 @@ ssize_t cachefiles_ondemand_daemon_read(struct cachefiles_cache *cache, > struct cachefiles_msg *msg; > size_t n; > int ret = 0; > + struct anon_file anon_file; > XA_STATE(xas, &cache->reqs, cache->req_id_next); > > xa_lock(&cache->reqs); > @@ -390,7 +397,7 @@ ssize_t cachefiles_ondemand_daemon_read(struct cachefiles_cache *cache, > xa_unlock(&cache->reqs); > > if (msg->opcode == CACHEFILES_OP_OPEN) { > - ret = cachefiles_ondemand_get_fd(req); > + ret = cachefiles_ondemand_get_fd(req, &anon_file); > if (ret) > goto out; > } 
> @@ -398,10 +405,16 @@ ssize_t cachefiles_ondemand_daemon_read(struct cachefiles_cache *cache, > msg->msg_id = xas.xa_index; > msg->object_id = req->object->ondemand->ondemand_id; > > - if (copy_to_user(_buffer, msg, n) != 0) { > + if (copy_to_user(_buffer, msg, n) != 0) > ret = -EFAULT; > - if (msg->opcode == CACHEFILES_OP_OPEN) > - close_fd(((struct cachefiles_open *)msg->data)->fd); > + > + if (msg->opcode == CACHEFILES_OP_OPEN) { > + if (ret < 0) { > + fput(anon_file.file); > + put_unused_fd(anon_file.fd); > + goto out; > + } > + fd_install(anon_file.fd, anon_file.file); > } > out: > cachefiles_put_object(req->object, cachefiles_obj_put_read_req); -- Thanks, Jingbo
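Review bot: the new struct anon_file in the first hunk (the `@@ -4,6 +4,11 @@` region) has no comment saying what invariant ties its two members together, namely that `fd` is a number reserved with get_unused_fd_flags() that has not yet been installed and `file` is the struct file the caller is expected to either fd_install() into it or drop. A one-line comment above the struct stating that the caller owns both until it installs or discards them would make the out-parameter contract obvious to the next reader.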
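Review bot: in the `@@ -281,15 +286,14 @@` hunk, with fd_install() removed from cachefiles_ondemand_get_fd(), `object->ondemand->ondemand_id = object_id;` is now published under object->ondemand->lock while the fd is only reserved, and it stays uninstalled until after copy_to_user() in cachefiles_ondemand_daemon_read(). The commit message should state that nothing inspecting ondemand_id in that window assumes the daemon already holds the fd, and should say what happens to ondemand_id when the copy fails and the file is dropped with fput() rather than the previous close_fd(); the existing comment `/* Avoid performing cachefiles_ondemand_fd_release(). */` shows that release runs whenever private_data is non-NULL, so that failure path still goes through cachefiles_ondemand_fd_release().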
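Review bot: the two added stores at the error labels in the `@@ -298,9 +302,11 @@` hunk, `anon_file->file = NULL;` and `anon_file->fd = ret;`, are never read: the only caller jumps to `out` as soon as cachefiles_ondemand_get_fd() returns non-zero, so the struct's contents on failure are irrelevant. Either drop them, or, if they are meant as a guard for future callers, say so in a comment; as written, assigning a negative errno to a member named `fd` reads like a mistake.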
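Review bot: `struct anon_file anon_file;` in the `@@ -357,6 +363,7 @@` hunk is left uninitialised and is only written when msg->opcode == CACHEFILES_OP_OPEN and cachefiles_ondemand_get_fd() succeeds. The later `if (msg->opcode == CACHEFILES_OP_OPEN)` block is reached only on that same path, so the code is correct today, but the invariant lives entirely in the control flow. Initialising it to a known-bad state, for example `struct anon_file anon_file = { .fd = -1 };`, or a short comment stating the invariant, would keep a future refactor from reaching fput() on an uninitialised pointer.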
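Review bot: the commit message claims the cache reference "must have already" been taken once copy_to_user() succeeds, but none of the hunks shows where it is acquired; the only reference handling visible in the final `@@ -398,10 +405,16 @@` hunk is `cachefiles_put_object(req->object, cachefiles_obj_put_read_req);` at `out:`. Please name the function that takes the cache reference and explain why it cannot simply be taken before fd_install() inside cachefiles_ondemand_get_fd(), which is the question raised above. Two smaller points on the same hunk: `if (ret < 0)` could be `if (ret)` to match the `if (ret) goto out;` test earlier in the function, and the failure path now calls fput() followed by put_unused_fd() where the old code called close_fd(); that is correct because the number was never installed, but a one-line comment would save the next reader from re-deriving it.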