Re: [PATCH 3/4] devpts: Make the newinstance option historical

ebiederm@xxxxxxxxxxxx (Eric W. Biederman) · Sat, 22 Sep 2012 22:59:04 -0700

Al Viro <viro@xxxxxxxxxxxxxxxxxx> writes:

> On Sat, Sep 22, 2012 at 08:50:44PM -0700, Eric W. Biederman wrote:
>
>> +struct inode *devpts_redirect(struct file *filp)
>> +{
>> +	struct inode *inode;
>> +	struct file *filp2;
>> +
>> +	/* Is the inode already a devpts inode? */
>> +	inode = filp->f_dentry->d_inode;
>> +	if (filp->f_dentry->d_sb->s_magic == DEVPTS_SUPER_MAGIC)
>> +		goto out;
>> +
>> +	/* Is f_dentry->d_parent usable? */
>> +	inode = ERR_PTR(-ENODEV);
>> +	if (filp->f_vfsmnt->mnt_root == filp->f_dentry)
>> +		goto out;
>> +
>> +	/* Is there a devpts inode we can use instead? */
>> +	
>> +	filp2 = file_open_root(filp->f_dentry->d_parent, filp->f_vfsmnt,
>> +			       "pts/ptmx", O_PATH);
>> +	if (!IS_ERR(filp2)) {
>> +		if (filp2->f_dentry->d_sb->s_magic == DEVPTS_SUPER_MAGIC) {
>> +			struct path old;
>> +			old = filp->f_path;
>> +			filp->f_path = filp2->f_path;
>> +			inode = filp->f_dentry->d_inode;
>> +			path_get(&filp->f_path);
>> +			path_put(&old);
>
> You are welcome to supply an analysis of the reasons why ->open() pulling
> such tricks will not break all kinds of code in VFS.

>> +		}
>> +		fput(filp2);
>
> ... starting with "what happens when some joker binds /dev/ptmx on
> /dev/pts/ptmx"

The test:
>> +	if (filp->f_vfsmnt->mnt_root == filp->f_dentry)
kicks in and no redirection is performed.

> Or does mknod /tmp/ptmx c 5 2; mkdir /tmp/pts; ln /tmp/ptmx /tmp/pts/ptmx,
> for that matter...

The test:
>> +		if (filp2->f_dentry->d_sb->s_magic == DEVPTS_SUPER_MAGIC) {n
fails and no redirection is performed.

> NAK.  This violates asserts made by VFS (namely, that ->f_path is not
> changed since dentry_open() has set it and until __fput() rips the thing
> out) *and* by your own code (attack mentioned above, just from looking
> at it for a minute).  Far too brittle...

This code seems much more robust than your quick analysis.

But if the constraint that the path in struct file must not be
changed between dentry_open and __fput that is doable to it just
needs a little more reorganizing of the data structures.  It is
definitely not a fundamental limitation.

Eric

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers