On Fri, Oct 09, 2020 at 06:29:13PM -0700, Linus Torvalds wrote: > On Fri, Oct 9, 2020 at 6:19 PM Eric Biggers <ebiggers@xxxxxxxxxx> wrote: > > > > Okay, that makes more sense. So the patchset from Matthew > > https://lkml.kernel.org/linux-fsdevel/20201003025534.21045-1-willy@xxxxxxxxxxxxx/T/#u > > isn't what you had in mind. > > No. > > That first patch makes sense - it's just the "ppos can be NULL" patch. > > But as mentioned, NULL isn't "shorthand for zero". It's just "pipes > don't _have_ a pos, trying to pass in some explicit position is > crazy". > > So no, the other patches in that set are a bit odd, I think. > > SOME of them look potentially fine - the bpfilter one seems to be > valid, for example, because it's literally about reading/writing a > pipe. And maybe the sysctl one is similarly sensible - I didn't check > the context of that one. FWIW, I hadn't pushed that branch out (or merged it into #for-next yet); for one thing, uml part (mconsole) is simply broken, for another... IMO ##5--8 are asking for kernel_pread() and if you look at binfmt_elf.c, you'll see elf_read() being pretty much that. acct.c, keys and usermode parts are asking for kernel_pwrite() as well. I've got stuck looking through the drivers/target stuff - it would've been another kernel_pwrite() candidate, but it smells like its use of filp_open() is really asking for trouble, starting with symlink attacks. Not sure - I'm not familiar with the area, but...
