[05/13] fs: check FMODE_WRITE in __kernel_write

Message ID	20200615121257.798894-6-hch@lst.de (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=9iMC=74=vger.kernel.org=linux-security-module-owner@kernel.org> From: Christoph Hellwig <hch@lst.de> To: Al Viro <viro@zeniv.linux.org.uk> Cc: Linus Torvalds <torvalds@linux-foundation.org>, Ian Kent <raven@themaw.net>, David Howells <dhowells@redhat.com>, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, netfilter-devel@vger.kernel.org Subject: [PATCH 05/13] fs: check FMODE_WRITE in __kernel_write Date: Mon, 15 Jun 2020 14:12:49 +0200 Message-Id: <20200615121257.798894-6-hch@lst.de> In-Reply-To: <20200615121257.798894-1-hch@lst.de> References: <20200615121257.798894-1-hch@lst.de> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk
Series	[01/13] cachefiles: switch to kernel_write \| expand [01/13] cachefiles: switch to kernel_write [02/13] autofs: switch to kernel_write [03/13] bpfilter: switch to kernel_write [04/13] fs: unexport __kernel_write [05/13] fs: check FMODE_WRITE in __kernel_write [06/13] fs: implement kernel_write using __kernel_write [07/13] fs: remove __vfs_write [08/13] fs: don't change the address limit for ->write_iter in __kernel_write [09/13] fs: add a __kernel_read helper [10/13] integrity/ima: switch to using __kernel_read [11/13] fs: implement kernel_read using __kernel_read [12/13] fs: remove __vfs_read [13/13] fs: don't change the address limit for ->read_iter in __kernel_read

Message ID

20200615121257.798894-6-hch@lst.de (mailing list archive)

State

New, archived

Headers

From: Christoph Hellwig <hch@lst.de>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
        Ian Kent <raven@themaw.net>,
        David Howells <dhowells@redhat.com>,
        linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        netfilter-devel@vger.kernel.org
Subject: [PATCH 05/13] fs: check FMODE_WRITE in __kernel_write
Date: Mon, 15 Jun 2020 14:12:49 +0200
Message-Id: <20200615121257.798894-6-hch@lst.de>
In-Reply-To: <20200615121257.798894-1-hch@lst.de>
References: <20200615121257.798894-1-hch@lst.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk

Series

[01/13] cachefiles: switch to kernel_write | expand

Comments

Matthew Wilcox June 15, 2020, 12:34 p.m. UTC | #1

On Mon, Jun 15, 2020 at 02:12:49PM +0200, Christoph Hellwig wrote:
> We still need to check if the fѕ is open write, even for the low-level
> helper.

Do we need the analogous check for FMODE_READ in the __kernel_read()
patch?

> @@ -505,6 +505,8 @@ ssize_t __kernel_write(struct file *file, const void *buf, size_t count, loff_t
>  	const char __user *p;
>  	ssize_t ret;
>  
> +	if (!(file->f_mode & FMODE_WRITE))
> +		return -EBADF;
>  	if (!(file->f_mode & FMODE_CAN_WRITE))
>  		return -EINVAL;
>  
> -- 
> 2.26.2
>

Christoph Hellwig June 15, 2020, 1:48 p.m. UTC | #2

On Mon, Jun 15, 2020 at 05:34:39AM -0700, Matthew Wilcox wrote:
> On Mon, Jun 15, 2020 at 02:12:49PM +0200, Christoph Hellwig wrote:
> > We still need to check if the fѕ is open write, even for the low-level
> > helper.
> 
> Do we need the analogous check for FMODE_READ in the __kernel_read()
> patch?

Yes, we should probably grow it.  Hoping that none of the caller
actually wants to mess with files not open for reading as some of them
are rather dodgy.

Linus Torvalds June 15, 2020, 4:39 p.m. UTC | #3

On Mon, Jun 15, 2020 at 5:13 AM Christoph Hellwig <hch@lst.de> wrote:
>
> We still need to check if the fѕ is open write, even for the low-level
> helper.

Is there actually a way to trigger something like this? I'm wondering
if it's worth a WARN_ON_ONCE()?

It doesn't sound sensible to have some kernel functionality try to
write to a file it didn't open for write, and sounds like a kernel bug
if this case were to ever trigger..

                Linus

Christoph Hellwig June 15, 2020, 4:42 p.m. UTC | #4

On Mon, Jun 15, 2020 at 09:39:31AM -0700, Linus Torvalds wrote:
> On Mon, Jun 15, 2020 at 5:13 AM Christoph Hellwig <hch@lst.de> wrote:
> >
> > We still need to check if the fѕ is open write, even for the low-level
> > helper.
> 
> Is there actually a way to trigger something like this? I'm wondering
> if it's worth a WARN_ON_ONCE()?
> 
> It doesn't sound sensible to have some kernel functionality try to
> write to a file it didn't open for write, and sounds like a kernel bug
> if this case were to ever trigger..

Yes, this would be bug in the calling code.

David Laight June 17, 2020, 2:59 p.m. UTC | #5

From: Linus Torvalds
> Sent: 15 June 2020 17:40
> On Mon, Jun 15, 2020 at 5:13 AM Christoph Hellwig <hch@lst.de> wrote:
> >
> > We still need to check if the fѕ is open write, even for the low-level
> > helper.
> 
> Is there actually a way to trigger something like this? I'm wondering
> if it's worth a WARN_ON_ONCE()?
> 
> It doesn't sound sensible to have some kernel functionality try to
> write to a file it didn't open for write, and sounds like a kernel bug
> if this case were to ever trigger..

It's a cheap test at the top of some fairly heavy code.
Failing the request will soon identify the bug.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

diff --git a/fs/read_write.c b/fs/read_write.c
index 2c601d853ff3d8..76be155ad98242 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -505,6 +505,8 @@  ssize_t __kernel_write(struct file *file, const void *buf, size_t count, loff_t
 	const char __user *p;
 	ssize_t ret;
 
+	if (!(file->f_mode & FMODE_WRITE))
+		return -EBADF;
 	if (!(file->f_mode & FMODE_CAN_WRITE))
 		return -EINVAL;

[05/13] fs: check FMODE_WRITE in __kernel_write

Commit Message

Comments

Patch