Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp42751rwb; Wed, 17 Aug 2022 22:21:06 -0700 (PDT) X-Google-Smtp-Source: AA6agR491KPgduvUEnDpj1dpUIm7MBpOPQJk/TP+RKv6aMmrRJ636OpcpP5mT4tKlLhucBy0w8T2 X-Received: by 2002:a17:907:2d93:b0:730:d347:8b6e with SMTP id gt19-20020a1709072d9300b00730d3478b6emr835641ejc.305.1660800066399; Wed, 17 Aug 2022 22:21:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660800066; cv=none; d=google.com; s=arc-20160816; b=vcFgjLkbzh8UV22GWWDy5pE/Ne/bDp8A5PFRQJBG8mkSyjnaRAYXpPH7d+GOcL3lvd s+qrx1ABTC50FW1Yu4gef+RewMbNBiaqWbuEJMVktkHl5xp/xPm47mLdqEmMfMNn/Fv8 uOOyZPIsfrVaFA8tNIOwtP/x6ZtgOraOjcIZhBZHCdyIwmLGKQyHQTlP1868u6T4PlXC 1G69/JUH87LjpZTzeORKsjFvG/PJ6DyaHY4i6k3UnZSCI0aSunRSHG1UR1fsxsgEgT0O eqcbNztgiJbvXLV9DHzgNCcWl5STbhEc1uhA2Zp1hMBd2pSmVg6GhOQt8vgixeNeP5B3 3lKQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=5u39g6enjL3TnhMx1SP5kr0OpbGZJ2krVZeHPYNVV2g=; b=dLWtrIuPPKw7WcVRLbR0HJ+YOnWmuWwPzZo2OvNfCPBcSHiU38Kz6UgtLMqmlRHieP KKMmwrcSX7MTDH5lxg8W24qWHB8KRQKOHYq27ydbKx6PRRXx7Ppjyl+8hhH7dU6W8Cvi QpP66S9za7LPFRhiEhYGyfkRdPuZe9Fi1EbCs3Qt2W/PdOoEStgMjDrrgBjWrz/ZrBhG C9TzzQOBzS4XrXyQkzDBF9DFKaK0eAZSYH3xjiLBrbRzS+Cj1n5AjWSLQH0MloSR3JmJ qvW4dc7Nx7XFYO3LUMRgoXepefn3lhM6Ef0+b4eTlmtUf1ohCv0WrsDL9crvuM3WoS3y swPw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=bcGhUZfC; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s21-20020a50ab15000000b00441267a2a41si552230edc.292.2022.08.17.22.20.33; Wed, 17 Aug 2022 22:21:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=bcGhUZfC; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241167AbiHRFUJ (ORCPT + 99 others); Thu, 18 Aug 2022 01:20:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45432 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239419AbiHRFUI (ORCPT ); Thu, 18 Aug 2022 01:20:08 -0400 Received: from mail-vs1-xe2b.google.com (mail-vs1-xe2b.google.com [IPv6:2607:f8b0:4864:20::e2b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C3CDA74DE4; Wed, 17 Aug 2022 22:20:06 -0700 (PDT) Received: by mail-vs1-xe2b.google.com with SMTP id k2so464650vsk.8; Wed, 17 Aug 2022 22:20:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=5u39g6enjL3TnhMx1SP5kr0OpbGZJ2krVZeHPYNVV2g=; b=bcGhUZfCKUpACpTP3USFIBUCGNtRGJgas//fOWlAq6d7WgJlvtYC0VxdZt0g00/RJ4 ZEXua8tkx/bIZNkeVnnxHWhCM3U4k5S/lDG9dpYv61EepruAlQVF1Ami8Y238RlTXArR EPY9cFDfko9TZnfaCv37LeckaD2GjxeL7LV9i6B7SmiOkzTG8TRx3igH7SjqlhN0iIkh yAYfRxswYM7+A3bQYsdIe/qyguMxjxDEcrK0/paiI6XvAhQCfkRAxsgBAQTJLCWzzSsX xFDujOXZvgQXBOF0aeGL5WAHRXOF6oQbrIreOcyldnieUxsr1U5DTvRQCTmpAsvprcOX vPYg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=5u39g6enjL3TnhMx1SP5kr0OpbGZJ2krVZeHPYNVV2g=; b=p/IFMP4ReTGhlJZXDR/gDMBDK526Dqi6KE4hmH8KFbUHOQLMY8Hv77s+xY3DbnR9L9 dSMStn/WhBgRwUvlqjLr0DbWMos1GYKdcUI0z1UbRMGt0+2+DKjASnAl+XLW0OH/mhox heGXLtpJtqtOj1PvuJDBIQdc8iDpVCBeAdAQqH4qu4k1XzNNzAMDqo/je48iLHyzdmT7 Rcj21UxUlN+owDcWIdTRuX5xgUMmESnUemGjAS8SHtM+T6qZGC5B0pvMVtYgdhR3tTog 5TYi7U/2sFbpqAjBI3as8wNGI0+3kMD3bhCVKNu4q06RIn2usO4Ue2VHtSbJT7j4GRg1 f3eQ== X-Gm-Message-State: ACgBeo0O61BCv2dzV02GPsOFah/3skbkEPYkKGo7i/kQiea5Tm22IV5w hsWGTUOgGV05S9oBZNptIRYqK3yuzg1aKWSRg7s= X-Received: by 2002:a67:a246:0:b0:38c:9563:d2d8 with SMTP id t6-20020a67a246000000b0038c9563d2d8mr580410vsh.2.1660800005916; Wed, 17 Aug 2022 22:20:05 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Amir Goldstein Date: Thu, 18 Aug 2022 08:19:54 +0300 Message-ID: Subject: Re: [RFC] problems with alloc_file_pseudo() use in __nfs42_ssc_open() To: Olga Kornievskaia Cc: Al Viro , linux-nfs , Olga Kornievskaia , linux-fsdevel Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Thu, Aug 18, 2022 at 3:23 AM Olga Kornievskaia wrote: > > On Wed, Aug 17, 2022 at 8:01 PM Al Viro wrote: > > > > On Wed, Aug 17, 2022 at 06:32:15PM -0400, Olga Kornievskaia wrote: > > > On Wed, Aug 17, 2022 at 6:18 PM Al Viro wrote: > > > > > > > > My apologies for having missed that back when the SSC > > > > patchset had been done (and missing the problems after it got > > > > merged, actually). > > > > > > > > 1) if this > > > > r_ino = nfs_fhget(ss_mnt->mnt_sb, src_fh, fattr); > > > > in __nfs42_ssc_open() yields a directory inode, we are screwed > > > > as soon as it's passed to alloc_file_pseudo() - a *lot* of places > > > > in dcache handling would break if we do that. It's not too > > > > nice for a regular file from non-cooperating filesystem, but for > > > > directory ones it's deadly. > > > > > > This inode is created to make an appearance of an opened file to do > > > (an NFS) read, it's never a directory. > > > > Er... Where does the fhandle come from? From my reading it's a client-sent > > data; I don't know what trust model do you assume, but the price of > > getting multiple dentries over the same directory inode is high. > > Bogus or compromised client should not be able to cause severe corruption > > of kernel data structures... > > This is an NFS spec specified operation. The (source file's) > filehandle comes from the COPY operation compound that the destination > server gets and then uses -- creates an inode from using the code you > are looking at now -- to access from the source server. Security is > all described in the spec. The uniqueness of the filehandle is > provided by the source server that created it. Olga, NFS spec does not guarantee the safety of the server. It's like saying that the Law makes Crime impossible. The law needs to be enforced, so if server gets a request to COPY from/to an fhandle that resolves as a non-regular file (from a rogue or buggy NFS client) the server should return an error and not continue to alloc_file_pseudo(). Thanks, Amir.