On Thu, May 4, 2017 at 9:39 PM, Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote: > On Thu, May 04, 2017 at 08:46:49PM -0700, Linus Torvalds wrote: >> On Thu, May 4, 2017 at 7:47 PM, Jann Horn <jannh@xxxxxxxxxx> wrote: >> > >> > Thread 1 starts an AT_BENEATH path walk using an O_PATH fd >> > pointing to /srv/www/example.org/foo; the path given to the syscall is >> > "bar/../../../../etc/passwd". The path walk enters the "bar" directory. >> > Thread 2 moves /srv/www/example.org/foo/bar to >> > /srv/www/example.org/bar. >> > Thread 1 processes the rest of the path ("../../../../etc/passwd"), never >> > hitting /srv/www/example.org/foo in the process. >> > >> > I'm not really familiar with the VFS internals, but from a coarse look >> > at the patch, it seems like it wouldn't block this? >> >> I think you're right. >> >> I guess it would be safe for the RCU case due to the sequence number >> check, but not the non-RCU case. > > Yes and no... FWIW, to exclude that it would suffice to have > mount --rbind /src/www/example.org/foo /srv/www/example.org/foo done first. > Then this kind of race will end up with -ENOENT due to path_connected() > logics in follow_dotdot_rcu()/follow_dotdot(). I'm not sure about the > intended applications, though - is that thing supposed to be used along with > some horror like seccomp, or...? How hard would it be for the kernel to prevent this on its own? Asking users to do the mount --rbind seems like it's asking for users to forget to do it. -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html