On Sat, May 30, 2020 at 03:08:37PM +0100, Al Viro wrote: > On Fri, May 29, 2020 at 07:43:10PM -0700, Kees Cook wrote: > > > Can anyone clarify the expected failure mode from SCM_RIGHTS? Can we > > move the put_user() after instead? I think cleanup would just be: > > replace_fd(fd, NULL, 0) > > Bollocks. > > Repeat after me: descriptor tables can be shared. There is no > "cleanup" after you've put something there. Right -- this is what I was trying to ask about, and why I didn't like the idea of just leaving the fd in the table on failure. But yeah, there is a race if the process is about to fork or something. So the choice here is how to handle the put_user() failure: - add the put_user() address to the new helper, as I suggest in [1]. (exactly duplicates current behavior) - just leave the fd in place (not current behavior: dumps a fd into the process without "agreed" notification). - do a double put_user (once before and once after), also in [1]. (sort of a best-effort combo of the above two. and SCM_RIGHTS is hardly fast-pth). -Kees [1] https://lore.kernel.org/linux-api/202005282345.573B917@keescook/ -- Kees Cook
