On Wed, Aug 7, 2024 at 5:38 AM Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
>
> On Tue, Aug 06, 2024 at 06:09:43PM +0200, Mateusz Guzik wrote:
>
> > It is supposed to indicate that both nd->path.mnt and nd->path.dentry
> > are no longer usable and must not even be looked at. Ideally code
> > which *does* look at them despite the flag (== there is a bug) traps.
> >
> > However, I did not find a handy macro or anything of the sort to
> > "poison" these pointers. Instead I found tons of NULL checks all over,
> > including in lookup clean up.
>
> Unless I'm misreading you, those existing NULLs have nothing to do with
> poisoning of any sort. Or any kind of defensive programming, while we are
> at it. Those are about the cleanups on failed transition from lazy mode;
> if we have already legitimized some of the references (i.e. bumped the
> refcounts there) by the time we'd run into a stale one, we need to drop
> the ones we'd grabbed on the way out. And the easiest way to do that
> is to leave that until terminate_walk(), when we'll be out of RCU mode.
> The references that were *NOT* grabbed obviously should be left alone
> rather than dropped. Which is where those NULL assignments come from.
Yes, this is my understanding of the code and part of my compliant. :)
Things just work(tm) as is with NULLified pointers, but this is error-prone.
I was looking for an equivalent of the following feature from $elsewhere:
/*
* Trap accesses going through a pointer. Moreover if kasan is available trap
* reading the pointer itself.
*
* Sample usage: you have a struct with numerous fields and by API contract
* only some of them get populated, even if the implementation temporary writes
* to them. You can use DEBUG_POISON_POINTER so that the consumer which should
* no be looking at the field gets caught.
*
* DEBUG_POISON_POINTER(obj->ptr);
* ....
* if (obj->ptr != NULL) // traps with kasan, does not trap otherwise
* ....
* if (obj->ptr->field) // traps with and without kasan
*/
extern caddr_t poisoned_buf;
#define DEBUG_POISON_POINTER_VALUE poisoned_buf
#define DEBUG_POISON_POINTER(x) ({ \
x = (void *)(DEBUG_POISON_POINTER_VALUE); \
kasan_mark(&x, 0, sizeof(x), KASAN_GENERIC_REDZONE); \
})
As a hypothetical suppose there is code executing some time after
vfs_open which looks at nd->path.dentry and by finding the pointer is
NULL it concludes the lookup did not work out.
If such code exists *and* the pointer is poisoned in the above sense
(notably merely branching on it with kasan already traps), then the
consumer will be caught immediately during coverage testing by
syzkaller.
If such code exists but the pointer is only nullified, one is only
going to find out the hard way when some functionality weirdly breaks.
Anyhow, this is really beyond the scope of the patch and I should not
have done the half-assed thing abandoned mid-effort. I'm going to get
back to this later(tm).
See the v2 which just gets to the point concerning eliding the extra ref trip.
--
Mateusz Guzik <mjguzik gmail.com>
