On Wed, Jun 10, 2020 at 08:12:38AM +0000, Sargun Dhillon wrote: > On Tue, Jun 09, 2020 at 10:27:54PM -0700, Kees Cook wrote: > > On Tue, Jun 09, 2020 at 11:27:30PM +0200, Christian Brauner wrote: > > > On June 9, 2020 10:55:42 PM GMT+02:00, Kees Cook <keescook@xxxxxxxxxxxx> wrote: > > > >LOL. And while we were debating this, hch just went and cleaned stuff up: > > > > > > > >2618d530dd8b ("net/scm: cleanup scm_detach_fds") > > > > > > > >So, um, yeah, now my proposal is actually even closer to what we already > > > >have there. We just add the replace_fd() logic to __scm_install_fd() and > > > >we're done with it. > > > > > > Cool, you have a link? :) > > > > How about this: > > > Thank you. > > https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=devel/seccomp/addfd/v3.1&id=bb94586b9e7cc88e915536c2e9fb991a97b62416 > > > > -- > > Kees Cook > > + if (ufd) { > + error = put_user(new_fd, ufd); > + if (error) { > + put_unused_fd(new_fd); > + return error; > + } > + } > I'm fairly sure this introduces a bug[1] if the user does: Ah, sorry, I missed this before I posted my "v3.2" tree link. > > struct msghdr msg = {}; > struct cmsghdr *cmsg; > struct iovec io = { > .iov_base = &c, > .iov_len = 1, > }; > > msg.msg_iov = &io; > msg.msg_iovlen = 1; > msg.msg_control = NULL; > msg.msg_controllen = sizeof(buf); > > recvmsg(sock, &msg, 0); > > They will have the FD installed, no error message, but FD number wont be written > to memory AFAICT. If two FDs are passed, you will get an efault. They will both > be installed, but memory wont be written to. Maybe instead of 0, make it a > poison pointer, or -1 instead? Hmmm. I see what you mean -- SCM_RIGHTS effectively _requires_ a valid __user pointer, so we can't use NULL to indicate "we don't want this". I'm not sure I can pass this through directly at all, though. > ----- > As an aside, all of this junk should be dropped: > + ret = get_user(size, &uaddfd->size); > + if (ret) > + return ret; > + > + ret = copy_struct_from_user(&addfd, sizeof(addfd), uaddfd, size); > + if (ret) > + return ret; > > and the size member of the seccomp_notif_addfd struct. I brought this up > off-list with Tycho that ioctls have the size of the struct embedded in them. We > should just use that. The ioctl definition is based on this[2]: > #define _IOC(dir,type,nr,size) \ > (((dir) << _IOC_DIRSHIFT) | \ > ((type) << _IOC_TYPESHIFT) | \ > ((nr) << _IOC_NRSHIFT) | \ > ((size) << _IOC_SIZESHIFT)) > > > We should just use copy_from_user for now. In the future, we can either > introduce new ioctl names for new structs, or extract the size dynamically from > the ioctl (and mask it out on the switch statement in seccomp_notify_ioctl. Okay, sounds good. > ---- > +#define SECCOMP_IOCTL_NOTIF_ADDFD SECCOMP_IOR(3, \ > + struct seccomp_notif_addfd) > > Lastly, what I believe to be a small mistake, it should be SECCOMP_IOW, based on > the documentation in ioctl.h -- "_IOW means userland is writing and kernel is > reading." Okay, let me tweak things and get a "v3.3". ;) -- Kees Cook