[05/24] devtmpfs: open code ksys_chdir and ksys_chroot

Message ID	20200721162818.197315-6-hch@lst.de (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=I468=BA=vger.kernel.org=linux-fsdevel-owner@kernel.org> From: Christoph Hellwig <hch@lst.de> To: Al Viro <viro@zeniv.linux.org.uk>, Linus Torvalds <torvalds@linux-foundation.org> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, "Rafael J. Wysocki" <rafael@kernel.org>, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org Subject: [PATCH 05/24] devtmpfs: open code ksys_chdir and ksys_chroot Date: Tue, 21 Jul 2020 18:27:59 +0200 Message-Id: <20200721162818.197315-6-hch@lst.de> In-Reply-To: <20200721162818.197315-1-hch@lst.de> References: <20200721162818.197315-1-hch@lst.de> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk
Series	[01/24] fs: refactor do_mount \| expand [01/24] fs: refactor do_mount [02/24] fs: refactor ksys_umount [03/24] fs: push the getname from do_rmdir into the callers [04/24] devtmpfs: open code do_mount [05/24] devtmpfs: open code ksys_chdir and ksys_chroot [06/24] md: open code vfs_stat in md_setup_drive [07/24] init: initialize ramdisk_execute_command at compile time [08/24] init: move the prepare_namespace prototype to init/do_mounts.h [09/24] init: mark create_dev as __init [10/24] init: open code ksys_umount in handle_initrd [11/24] init: open code do_utimes in do_utime [12/24] init: add an init_mount helper [13/24] init: add an init_unlink helper [14/24] init: add an init_rmdir helper [15/24] init: add an init_chdir helper [16/24] init: add an init_chroot helper [17/24] init: add an init_chown helper [18/24] init: add an init_chmod helper [19/24] init: add an init_eaccess helper [20/24] init: add an init_link helper [21/24] init: add an init_symlink helper [22/24] init: add an init_mkdir helper [23/24] init: add an init_mknod helper [24/24] init: add an init_lstat helper

Message ID

20200721162818.197315-6-hch@lst.de (mailing list archive)

State

New, archived

Headers

From: Christoph Hellwig <hch@lst.de>
To: Al Viro <viro@zeniv.linux.org.uk>,
        Linus Torvalds <torvalds@linux-foundation.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        "Rafael J. Wysocki" <rafael@kernel.org>,
        linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org,
        linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org
Subject: [PATCH 05/24] devtmpfs: open code ksys_chdir and ksys_chroot
Date: Tue, 21 Jul 2020 18:27:59 +0200
Message-Id: <20200721162818.197315-6-hch@lst.de>
In-Reply-To: <20200721162818.197315-1-hch@lst.de>
References: <20200721162818.197315-1-hch@lst.de>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-fsdevel-owner@vger.kernel.org
Precedence: bulk

Series

[01/24] fs: refactor do_mount | expand

Commit Message

Christoph Hellwig July 21, 2020, 4:27 p.m. UTC

devtmpfs is the only non-early init caller of ksys_chdir and ksys_chroot
with kernel pointers.  Just open code the two operations which only
really need a single path lookup anyway in devtmpfs_setup instead.
The open coded verson doesn't need any of the stale dentry revalidation
logic from the full blown version as those can't happen on tmpfs and
ramfs.

Signed-off-by: Christoph Hellwig <hch@lst.de>
---
 drivers/base/devtmpfs.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

Comments

Linus Torvalds July 21, 2020, 4:49 p.m. UTC | #1

On Tue, Jul 21, 2020 at 9:28 AM Christoph Hellwig <hch@lst.de> wrote:
>
> +
> +       /* traverse into overmounted root and then chroot to it */
> +       if (!kern_path("/..", LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &path) &&
> +           !inode_permission(path.dentry->d_inode, MAY_EXEC | MAY_CHDIR) &&
> +           ns_capable(current_user_ns(), CAP_SYS_CHROOT) &&
> +           !security_path_chroot(&path)) {
> +               set_fs_pwd(current->fs, &path);
> +               set_fs_root(current->fs, &path);
> +       }
> +       path_put(&path);

This looks wrong.

You're doing "path_put()" even if kern_path() didn't succeed.

As far as I can tell, that will either put some uninitialized garbage
and cause an oops, or put something that has already been released by
the failure path.

Maybe that doesn't happen in practice in this case, but it's still
very very wrong.

Plus you shouldn't have those kinds of insanely complex if-statements
in the first place. That was what caused the bug - trying to be
clever, instead of writing clear code.

I'm not liking how I'm finding fundamental mistakes in patches that
_should_ be trivial conversions with no semantic changes.

               Linus

Al Viro July 21, 2020, 5:16 p.m. UTC | #2

On Tue, Jul 21, 2020 at 09:49:17AM -0700, Linus Torvalds wrote:
> On Tue, Jul 21, 2020 at 9:28 AM Christoph Hellwig <hch@lst.de> wrote:
> >
> > +
> > +       /* traverse into overmounted root and then chroot to it */
> > +       if (!kern_path("/..", LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &path) &&
> > +           !inode_permission(path.dentry->d_inode, MAY_EXEC | MAY_CHDIR) &&
> > +           ns_capable(current_user_ns(), CAP_SYS_CHROOT) &&
> > +           !security_path_chroot(&path)) {
> > +               set_fs_pwd(current->fs, &path);
> > +               set_fs_root(current->fs, &path);
> > +       }
> > +       path_put(&path);
> 
> This looks wrong.

It is wrong.  kern_path() leaves *path unmodified in case of error, and
that struct path is uninitialized here.

Christoph Hellwig July 21, 2020, 6:26 p.m. UTC | #3

On Tue, Jul 21, 2020 at 06:16:27PM +0100, Al Viro wrote:
> On Tue, Jul 21, 2020 at 09:49:17AM -0700, Linus Torvalds wrote:
> > On Tue, Jul 21, 2020 at 9:28 AM Christoph Hellwig <hch@lst.de> wrote:
> > >
> > > +
> > > +       /* traverse into overmounted root and then chroot to it */
> > > +       if (!kern_path("/..", LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &path) &&
> > > +           !inode_permission(path.dentry->d_inode, MAY_EXEC | MAY_CHDIR) &&
> > > +           ns_capable(current_user_ns(), CAP_SYS_CHROOT) &&
> > > +           !security_path_chroot(&path)) {
> > > +               set_fs_pwd(current->fs, &path);
> > > +               set_fs_root(current->fs, &path);
> > > +       }
> > > +       path_put(&path);
> > 
> > This looks wrong.
> 
> It is wrong.  kern_path() leaves *path unmodified in case of error, and
> that struct path is uninitialized here.

Yep.  Only saving grace is that the error just doesn't happen during
early init.

diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c
index 5e8d677ee783bc..f798d3976b4052 100644
--- a/drivers/base/devtmpfs.c
+++ b/drivers/base/devtmpfs.c
@@ -25,6 +25,7 @@ 
 #include <linux/sched.h>
 #include <linux/slab.h>
 #include <linux/kthread.h>
+#include <linux/fs_struct.h>
 #include <uapi/linux/mount.h>
 #include "base.h"
 
@@ -393,6 +394,7 @@  static int handle(const char *name, umode_t mode, kuid_t uid, kgid_t gid,
 
 static int devtmpfs_setup(void *p)
 {
+	struct path path;
 	int err;
 
 	err = ksys_unshare(CLONE_NEWNS);
@@ -401,8 +403,16 @@  static int devtmpfs_setup(void *p)
 	err = devtmpfs_do_mount("/");
 	if (err)
 		goto out;
-	ksys_chdir("/.."); /* will traverse into overmounted root */
-	ksys_chroot(".");
+
+	/* traverse into overmounted root and then chroot to it */
+	if (!kern_path("/..", LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &path) &&
+	    !inode_permission(path.dentry->d_inode, MAY_EXEC | MAY_CHDIR) &&
+	    ns_capable(current_user_ns(), CAP_SYS_CHROOT) &&
+	    !security_path_chroot(&path)) {
+		set_fs_pwd(current->fs, &path);
+		set_fs_root(current->fs, &path);
+	}
+	path_put(&path);
 out:
 	*(int *)p = err;
 	complete(&setup_done);

[05/24] devtmpfs: open code ksys_chdir and ksys_chroot

Commit Message

Comments

Patch