From patchwork Wed Aug 8 15:14:38 2018
X-Patchwork-Submitter: Amir Goldstein
X-Patchwork-Id: 10560165
From: Amir Goldstein
Date: Wed, 8 Aug 2018 17:14:38 +0200
Subject: Fwd: [PATCH v3] cap_inode_getsecurity: use d_find_any_alias() instead of d_find_alias()
To: "Eric W. Biederman"
Cc: "Eddie.Horng", "Serge E. Hallyn", Linux Containers, LSM List, Andrew Morton

Hi Eric,

Seems like you have been AFK for a while.
Will you be able to queue this v4.14 regression fix for 4.19?
Eddie is already working on upstreaming an LTP test for the regression.
The fix has been ACKed by Serge and myself.

Andrew,

If Eric fails to respond timely, could you pick up this fix via -mm?

Thanks,
Amir.

---------- Forwarded message ----------
From: Eddie.Horng
Date: Fri, Jul 20, 2018 at 9:30 AM
Subject: [PATCH v3] cap_inode_getsecurity: use d_find_any_alias() instead of d_find_alias()
To: LSM List
Cc: stable@vger.kernel.org, Amir Goldstein, "Eric W. Biederman", "Serge E. Hallyn", Eddie Horng

The code in cap_inode_getsecurity(), introduced by commit 8db6c34f1dbc
("Introduce v3 namespaced file capabilities"), should use
d_find_any_alias() instead of d_find_alias() to handle unhashed dentry
correctly. This is needed, for example, if execveat() is called with an
open but unlinked overlayfs file, because overlayfs unhashes dentry on
unlink.
This is a regression of real life application, first reported at
https://www.spinics.net/lists/linux-unionfs/msg05363.html

Below reproducer and setup can reproduce the case.

    const char* exec="echo";
    const char *newargv[] = { "echo", "hello", NULL};
    const char *newenviron[] = { NULL };
    int fd, err;

    fd = open(exec, O_PATH);
    unlink(exec);
    err = syscall(322/*SYS_execveat*/, fd, "", newargv, newenviron, AT_EMPTY_PATH);
    if(err<0)
        fprintf(stderr, "execveat: %s\n", strerror(errno));

gcc compile into ~/test/a.out

    mount -t overlay -orw,lowerdir=/mnt/l,upperdir=/mnt/u,workdir=/mnt/w none /mnt/m
    cd /mnt/m
    cp /bin/echo .
    ~/test/a.out

Expected result:
    hello
Actual result:
    execveat: Invalid argument
dmesg:
    Invalid argument reading file caps for /dev/fd/3

The 2nd reproducer and setup emulates similar case but for
regular filesystem:

    const char* exec="echo";
    int fd, err;
    char buf[256];

    fd = open(exec, O_RDONLY);
    unlink(exec);
    err = fgetxattr(fd, "security.capability", buf, 256);
    if(err<0)
        fprintf(stderr, "fgetxattr: %s\n", strerror(errno));

gcc compile into ~/test_fgetxattr

    cd /tmp
    cp /bin/echo .
    ~/test_fgetxattr

Result:
    fgetxattr: Invalid argument

On regular filesystem, for example, ext4 read xattr from disk and return
to execveat(), will not trigger this issue, however, the overlay attr
handler pass real dentry to vfs_getxattr() will.
This reproducer calls fgetxattr() with an unlinked fd, invokes
vfs_getxattr() then reproduced the case that d_find_alias() in
cap_inode_getsecurity() can't find the unlinked dentry.

Suggested-by: Amir Goldstein
Acked-by: Amir Goldstein
Acked-by: Serge E. Hallyn
Fixes: 8db6c34f1dbc ("Introduce v3 namespaced file capabilities")
Cc: # v4.14
Signed-off-by: Eddie Horng
---
Changes in v2:
- fix commit message wrapped at 74 chars
- added previous acked-by
---
Changes in v3:
- added original case report link
- added 2nd reproducer for regular filesystems
- added acked-by Serge E. Hallyn
- add Cc
---
 security/commoncap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--
2.12.5

diff --git a/security/commoncap.c b/security/commoncap.c index 1ce701fcb3f3..147f6131842a 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -388,7 +388,7 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer, if (strcmp(name, "capability") != 0) return -EOPNOTSUPP; - dentry = d_find_alias(inode); + dentry = d_find_any_alias(inode); if (!dentry) return -EINVAL;
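
Review bot: the changed line `dentry = d_find_any_alias(inode);` has no comment saying why an unhashed alias is acceptable here, so the open-but-unlinked overlayfs case that motivated the switch is recorded only in the commit message. Consider a one-line comment above the call, for example `/* any alias will do; the file may be open but unlinked */`, so a later cleanup does not switch it back to d_find_alias(). The unchanged `if (!dentry) return -EINVAL;` that follows is also worth a second look: after this change it fires only when the inode has no dentry at all, and -EINVAL is the value that reached userspace as "Invalid argument" in both reproducers, so a short note on when that path is still expected would help.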
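
A self-contained form of the second reproducer from the commit message, as an added example (not part of the patch and not written by its author): it creates its own scratch file instead of copying /bin/echo and classifies the errno it sees. The names classify_getcap_errno() and probe_unlinked_getcap(), the verdict enum and the /tmp default are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/xattr.h>

enum getcap_verdict { GETCAP_OK, GETCAP_REGRESSION, GETCAP_UNKNOWN };
/* Classify the errno from fgetxattr("security.capability"); 0 = success. */
enum getcap_verdict classify_getcap_errno(int err)
{
	switch (err) {
	case 0:        /* xattr present and readable */
	case ENODATA:  /* no file capabilities set: the normal answer */
	case ENOTSUP:  /* filesystem without xattr support */
		return GETCAP_OK;
	case EINVAL:   /* the failure reported in the commit message */
		return GETCAP_REGRESSION;
	default:
		return GETCAP_UNKNOWN;
	}
}

/* Create a scratch file in dir, unlink it while still open, read the xattr
 * through the fd. Returns the errno seen (0 on success), -1 if setup fails. */
int probe_unlinked_getcap(const char *dir)
{
	char path[4096], buf[256];
	int fd, err = 0;
	int n = snprintf(path, sizeof(path), "%s/getcap-probe-XXXXXX", dir);
	if (n < 0 || (size_t)n >= sizeof(path))
		return -1;
	fd = mkstemp(path);
	if (fd < 0)
		return -1;
	unlink(path);	/* fd now refers to an unlinked file */
	if (fgetxattr(fd, "security.capability", buf, sizeof(buf)) < 0)
		err = errno;
	close(fd);
	return err;
}

int main(int argc, char **argv)
{
	int err = probe_unlinked_getcap(argc > 1 ? argv[1] : "/tmp");
	if (err >= 0)
		printf("fgetxattr: %s\n", err ? strerror(err) : "ok");
	return err < 0 || classify_getcap_errno(err) != GETCAP_OK;
}
```

Pass a directory on the filesystem under test as the first argument (an overlayfs mount, for instance); the exit status is non-zero when the EINVAL regression or an unexpected error is seen.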