From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id B5AFFC433F5 for ; Wed, 18 May 2022 19:27:13 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 0A0D46B0072; Wed, 18 May 2022 15:27:13 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 050D66B0073; Wed, 18 May 2022 15:27:12 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id E5B7F6B0074; Wed, 18 May 2022 15:27:12 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10]) by kanga.kvack.org (Postfix) with ESMTP id D2E706B0072 for ; Wed, 18 May 2022 15:27:12 -0400 (EDT) Received: from smtpin07.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay09.hostedemail.com (Postfix) with ESMTP id B371A328B6 for ; Wed, 18 May 2022 19:27:12 +0000 (UTC) X-FDA: 79479847104.07.6D7E17F Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by imf30.hostedemail.com (Postfix) with ESMTP id 443FC800D1 for ; Wed, 18 May 2022 19:26:48 +0000 (UTC) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 3B8D961909; Wed, 18 May 2022 19:27:11 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 68640C385A9; Wed, 18 May 2022 19:27:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linux-foundation.org; s=korg; t=1652902030; bh=lmUg0JefmHdOdMZIz8mwoSC0s8SSSv+qaPcEDU25+Mo=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=rHjG0g/e43nPj6fRg3NPpB8iajmZa0UDhf7m2CKsB260KAX9zav9wA5OXgAWAh0eP Nsr25+VbQh4yxYdueRXagZyR5i8ra1bh7olbnnTgmpzyTd5EWZg7BAyUDQCAwmZsFO covqEzrK+gPjFBXVWNJ2vivUTv/d9/qVrBnZT4iM= Date: Wed, 18 May 2022 12:27:09 -0700 From: Andrew Morton To: Kees Cook Cc: Zhihao Cheng , viro@zeniv.linux.org.uk, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, yukuai3@huawei.com Subject: Re: [PATCH -next] exec: Remove redundant check in do_open_execat/uselib Message-Id: <20220518122709.7fb5176967fb69324c260853@linux-foundation.org> In-Reply-To: <202205181215.D448675BEA@keescook> References: <20220518081227.1278192-1-chengzhihao1@huawei.com> <20220518104601.fc21907008231b60a0e54a8e@linux-foundation.org> <202205181215.D448675BEA@keescook> X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; x86_64-redhat-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Rspam-User: X-Rspamd-Server: rspam11 X-Rspamd-Queue-Id: 443FC800D1 X-Stat-Signature: urkn17x8rb6wdkjn9kyi3hw8cjfdj6ww Authentication-Results: imf30.hostedemail.com; dkim=pass header.d=linux-foundation.org header.s=korg header.b="rHjG0g/e"; spf=pass (imf30.hostedemail.com: domain of akpm@linux-foundation.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=akpm@linux-foundation.org; dmarc=none X-HE-Tag: 1652902008-550338 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Wed, 18 May 2022 12:17:45 -0700 Kees Cook wrote: > > > - /* > > > - * may_open() has already checked for this, so it should be > > > - * impossible to trip now. But we need to be extra cautious > > > - * and check again at the very end too. > > > - */ > > > - error = -EACCES; > > > - if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) || > > > - path_noexec(&file->f_path))) > > > - goto exit; > > > - > > > > Maybe we should retain the `goto exit'. The remount has now occurred, > > so the execution attempt should be denied. If so, the comment should > > be updated to better explain what's happening. > > > > I guess we'd still be racy against `mount -o exec', but accidentally > > denying something seems less serious than accidentally permitting it. > > I'd like to leave this as-is, since we _do_ want to find the cases where > we're about to allow an exec and a very important security check was NOT > handled. In which case we don't want the "_ONCE". If some app is hammering away at this trying to hit a race window then the operator wants that log flood. Or,umm, fix the dang race?