On Mon, Jun 01, 2020 at 12:02:10PM -0700, Sargun Dhillon wrote: > On Sat, May 30, 2020 at 9:07 AM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > > > > On Sat, May 30, 2020 at 03:08:37PM +0100, Al Viro wrote: > > > On Fri, May 29, 2020 at 07:43:10PM -0700, Kees Cook wrote: > > > > > > > Can anyone clarify the expected failure mode from SCM_RIGHTS? Can we > > > > move the put_user() after instead? I think cleanup would just be: > > > > replace_fd(fd, NULL, 0) > > > > > > Bollocks. > > > > > > Repeat after me: descriptor tables can be shared. There is no > > > "cleanup" after you've put something there. > > > > Right -- this is what I was trying to ask about, and why I didn't like > > the idea of just leaving the fd in the table on failure. But yeah, there > > is a race if the process is about to fork or something. > > > > So the choice here is how to handle the put_user() failure: > > > > - add the put_user() address to the new helper, as I suggest in [1]. > > (exactly duplicates current behavior) > > - just leave the fd in place (not current behavior: dumps a fd into > > the process without "agreed" notification). > > - do a double put_user (once before and once after), also in [1]. > > (sort of a best-effort combo of the above two. and SCM_RIGHTS is > > hardly fast-pth). > > > > -Kees > > > > [1] https://lore.kernel.org/linux-api/202005282345.573B917@keescook/ > > > > -- > > Kees Cook > > I'm going to suggest we stick to the approach of doing[1]: > 1. Allocate FD > 2. put_user > 3. "Receive" and install file into FD > > That is the only way to preserve the current behaviour in which userspace > is notified about *every* FD that is received via SCM_RIGHTS. The > scm_detach_fds code as it reads today does effectively what is above, > in that the fd is not installed until *after* the put user. Therefore > if put_user > gets an EFAULT or ENOMEM, it falls through to the MSG_CTRUNC bit. > > The approach suggested[2] has a "change" in behaviour, in that (all in > file_receive): > 1. Allocate FD > 2. Receive file > 3. put_user > > Based on what Al Viro said, I don't think we can simply add step #4, > being "just" uninstall the FD. > > [1]: https://www.mail-archive.com/linux-kernel@xxxxxxxxxxxxxxx/msg2179418.html > [2]: https://www.mail-archive.com/linux-kernel@xxxxxxxxxxxxxxx/msg2179453.html Agreed. Thanks! -- Kees Cook _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
