| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 1 Jun 2023 16:33:58 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Jan Kara' <jack@...e.cz>
CC: Christian Brauner <brauner@...nel.org>,
Al Viro <viro@...IV.linux.org.uk>,
"linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
"Miklos Szeredi" <miklos@...redi.hu>,
"Darrick J. Wong" <djwong@...nel.org>, Ted Tso <tytso@....edu>,
Jaegeuk Kim <jaegeuk@...nel.org>,
"linux-ext4@...r.kernel.org" <linux-ext4@...r.kernel.org>,
"linux-xfs@...r.kernel.org" <linux-xfs@...r.kernel.org>,
"linux-f2fs-devel@...ts.sourceforge.net"
<linux-f2fs-devel@...ts.sourceforge.net>,
"stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: RE: [PATCH v2 4/6] fs: Establish locking order for unrelated
directories
From: Jan Kara <jack@...e.cz>
> Sent: 01 June 2023 17:14
>
> On Thu 01-06-23 15:37:32, David Laight wrote:
> > ...
> > > > > + * Lock any non-NULL argument. The caller must make sure that if he is passing
> > > > > + * in two directories, one is not ancestor of the other
> >
> > Not directly relevant to this change but is the 'not an ancestor'
> > check actually robust?
> >
> > I found a condition in which the kernel 'pwd' code (which follows
> > the inode chain) failed to stop at the base of a chroot.
> >
> > I suspect that the ancestor check would fail the same way.
>
> Honestly, I'm not sure how this could be the case but I'm not a dcache
> expert. d_ancestor() works on dentries and the whole dcache code pretty
> much relies on the fact that there always is at most one dentry for any
> directory. Also in case we call d_ancestor() from this code, we have the
> whole filesystem locked from any other directory moves so the ancestor
> relationship of two dirs cannot change (which is different from pwd code
> AFAIK). So IMHO no failure is possible in our case.
I've found the test program.
This uses readlinkat() to get the full path /proc/self/fd/0.
It should be inside the chroot, but the comparison done
to detect the 'root' fails.
Now maybe any rename that would hit this is invalid
for other reasons.
But something is awry somewhere.
David
The program below reproduces this when run with stdin
redirected to a file in the current directory.
This sequence is used by 'ip netns exec' so isn't actually
that unusual.
David
#define _GNU_SOURCE
#include <unistd.h>
#include <stdio.h>
#include <fcntl.h>
#include <sched.h>
static void print_link(const char *where, int fd)
{
char buf[256];
printf("%s: %.*s\n", where, (int)readlinkat(fd, "", buf, sizeof buf), buf);
}
int main(int argc, char **argv)
{
int link_fd = open("/proc/self/fd/0", O_PATH | O_NOFOLLOW);
print_link("initial", link_fd);
if (chroot("."))
return 1;
print_link("after chroot", link_fd);
if (unshare(CLONE_NEWNS))
return 2;
print_link("after unshare", link_fd);
return 0;
}
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
Powered by blists - more mailing lists