Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp5404258rwb; Wed, 17 Aug 2022 17:23:35 -0700 (PDT) X-Google-Smtp-Source: AA6agR4uPvxUActx8VZz7XDBo1k+oWy7k/rhLjsxA5dFzQ61Omxp8QL+WUnz/hZTbX+DQO+LWZBG X-Received: by 2002:a17:902:a586:b0:170:f3ae:bd06 with SMTP id az6-20020a170902a58600b00170f3aebd06mr452141plb.104.1660782215186; Wed, 17 Aug 2022 17:23:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660782215; cv=none; d=google.com; s=arc-20160816; b=uXKEvKgcqrM+bi7kXPQ+obBoODHPmVTFNg5qPEYuuqEaQNiCcuedC6RtgNqviJOFwa gYPlQYh/90IGOLXMWKqbCQcnL7GFRMHxDvgWfzfz5tyFSqTc4OX6YyPAdvuPMFZMhtQU lAR51Xkv9ruMSio490QXvH0jgr0pGW142iOCyvsDoL/Rpo6sYm/Mcce0N0ahukay4f1e 1xAXs3HI5FNQa+EwGPY0EJdVWv2M9kL0lcphfEGrq1BeatTYQ1WSsFYrSMStCmV+QzJm gR0C60SnEvo0LkN1oLsjKflDOgocYtUaCQsGlGr7XW1w3de9Di7tl4+ySuu41kjNiIHm UL7g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=2MkofC8d460Q9BOo8AHOV9Xfax9fU/PqKTvvaPWF3sE=; b=QFzciAGZw/ujUq0lIjdFUFJMPH+dgyUK+viMjrF012sLMMK2juewmCN+p1oGbVMs9b 7qHyLSq9bVpJw2ByzsmKRI3gJZ63uOau23T6Q80ZI9XvMF8EX1wxjzPTx6QSIpZP5iRc 1ggQmFRnC2J28LKDW0n1HD8jpreIwhjDxG7Yot6eKEAxCVc6DJ5dmq+gRyP/FYn6xP3r TIXzpgdaDYLLkJCqJIo0atD7X05vKIpT2qxF2aHgvLctxdvmLJDJNigdbvADFNJKghni ljmY8yiB/8U3m0ezqa4CYcZ/76AbGQm31oVFKs+NM/ABCeFexhqEqq3RqfJMcBQ8vc1a 84Bg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.org.uk header.s=zeniv-20220401 header.b=hedjIECp; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zeniv.linux.org.uk Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s19-20020a056a00195300b00527f800b903si252553pfk.344.2022.08.17.17.22.50; Wed, 17 Aug 2022 17:23:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.org.uk header.s=zeniv-20220401 header.b=hedjIECp; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zeniv.linux.org.uk Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236517AbiHRAUF (ORCPT + 99 others); Wed, 17 Aug 2022 20:20:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42170 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231510AbiHRAUE (ORCPT ); Wed, 17 Aug 2022 20:20:04 -0400 Received: from zeniv.linux.org.uk (zeniv.linux.org.uk [IPv6:2a03:a000:7:0:5054:ff:fe1c:15ff]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ABC589C8EE; Wed, 17 Aug 2022 17:20:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=linux.org.uk; s=zeniv-20220401; h=Sender:In-Reply-To:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=2MkofC8d460Q9BOo8AHOV9Xfax9fU/PqKTvvaPWF3sE=; b=hedjIECppsjGyE2T/AXucHvO4S pW93gpK0/OREYpGiwjBA/egtvp0QvDl3qwpIuBU++PDWncuxeh0Q4vROEbFtH5VTo4IfaRbo3xcrP r5ZIfMqnlT8Hl3VFsQ77OrEuIFG2THQFfEEhvsUqytvKEMccw7nUZjlphrZQkQ9sMQoROStJOJmcS KEWfWSVAi8iOk0HW9BZDXE/rEOhLSvvqirNW2WngJVbSKB79Eju06qu1iFxCdcOOOvIYjpoxejObZ AFB23Rg+a4fzLl5QZvGr9XdF4LAAm2g36T7v+vucS7ZYSrCBfnO82aJ+Rm0w0TVipVrrslrQv75j4 jUwnfrmA==; Received: from viro by zeniv.linux.org.uk with local (Exim 4.95 #2 (Red Hat Linux)) id 1oOTGS-005XLQ-Kz; Thu, 18 Aug 2022 00:20:00 +0000 Date: Thu, 18 Aug 2022 01:20:00 +0100 From: Al Viro To: Olga Kornievskaia Cc: linux-nfs , Olga Kornievskaia , linux-fsdevel Subject: Re: [RFC] problems with alloc_file_pseudo() use in __nfs42_ssc_open() Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: Al Viro X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_EF,SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Wed, Aug 17, 2022 at 08:12:27PM -0400, Olga Kornievskaia wrote: > On Wed, Aug 17, 2022 at 8:01 PM Al Viro wrote: > > > > On Wed, Aug 17, 2022 at 06:32:15PM -0400, Olga Kornievskaia wrote: > > > On Wed, Aug 17, 2022 at 6:18 PM Al Viro wrote: > > > > > > > > My apologies for having missed that back when the SSC > > > > patchset had been done (and missing the problems after it got > > > > merged, actually). > > > > > > > > 1) if this > > > > r_ino = nfs_fhget(ss_mnt->mnt_sb, src_fh, fattr); > > > > in __nfs42_ssc_open() yields a directory inode, we are screwed > > > > as soon as it's passed to alloc_file_pseudo() - a *lot* of places > > > > in dcache handling would break if we do that. It's not too > > > > nice for a regular file from non-cooperating filesystem, but for > > > > directory ones it's deadly. > > > > > > This inode is created to make an appearance of an opened file to do > > > (an NFS) read, it's never a directory. > > > > Er... Where does the fhandle come from? From my reading it's a client-sent > > data; I don't know what trust model do you assume, but the price of > > getting multiple dentries over the same directory inode is high. > > Bogus or compromised client should not be able to cause severe corruption > > of kernel data structures... > > This is an NFS spec specified operation. The (source file's) > filehandle comes from the COPY operation compound that the destination > server gets and then uses -- creates an inode from using the code you > are looking at now -- to access from the source server. Security is > all described in the spec. The uniqueness of the filehandle is > provided by the source server that created it. Do we assume that compromise of source server is escalatable at least to kernel panics on the destination server anyway? Confused...