From: Vasiliy Kulikov <segoon@openwall.com>
To: musl@lists.openwall.com
Subject: Re: some fixes to musl
Date: Sun, 24 Jul 2011 13:39:11 +0400 [thread overview]
Message-ID: <20110724093911.GB6076@albatros> (raw)
In-Reply-To: <20110722020820.GD132@brightrain.aerifal.cx>
On Thu, Jul 21, 2011 at 22:08 -0400, Rich Felker wrote:
> On Thu, Jul 21, 2011 at 11:17:04PM +0400, Vasiliy Kulikov wrote:
> > On Thu, Jul 21, 2011 at 14:21 -0400, Rich Felker wrote:
> > > > fdopendir():
> > > > - POSIX defines EBADF if fd is invalid. I suppose it is OK
> > > > to assume fd is invalid if fstat() failed.
> > >
> > > fstat will already set errno to EBADF if appropriate.
> >
> > I think it's wrong. *stat(2) calls LSM hook, which may fail and return
> > arbitrary error. I wish there were *explicit* rules of LSMs what
> > restrictions hooks have got. But I don't know any similar documentation
> > :( So, I assume the theoretically worst case - any LSM hook may return
> > arbitrary error. Yes, it might break many implicit assumptions, etc.
>
> It should be obvious that a bogus LSM will create gaping security
> holes if it's allowed such power.
I don't say such handling is perfect, just want to show it can be
somehow justified:
Most of LSM hooks maintain some security context associated with
file/task/socket/etc. Some actions may require (re)allocation of this
context. If the allocation fails (e.g. OOM), it's wrong to allow the
task to continue the work with the object, which has an outdated context
(not updated against some recent activity). So, unexpected ENOMEM is
returned.
Such allocation may be a result of e.g. asynchronous logging or
statistics update.
I totally agree with you that injecting such faults where a program doesn't
expect it is wrong, but sometimes it can be not obvious for kernel
developers that it breaks something. Even if they don't want to
introduce such cases, it can be unintendedly introduced by a bug
(e.g. sendmail setuid vulnerability). Such bugs may be tricky to catch
and may appear in very rare situations. Trying to catch such cases would
make the program much more robust against kernel bugs/changes (unless the
error handling code complicates the whole logic and/or is not well
tested).
Thanks,
--
Vasiliy
next prev parent reply other threads:[~2011-07-24 9:39 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-07-21 17:02 Vasiliy Kulikov
2011-07-21 18:21 ` Rich Felker
2011-07-21 19:00 ` Solar Designer
2011-07-22 8:19 ` Vasiliy Kulikov
2011-07-22 13:30 ` Rich Felker
2011-07-21 19:17 ` Vasiliy Kulikov
2011-07-22 2:08 ` Rich Felker
2011-07-24 9:39 ` Vasiliy Kulikov [this message]
2011-07-24 12:56 ` Rich Felker
2011-07-24 18:38 ` Vasiliy Kulikov
2011-07-24 9:19 ` close(2) failure cases (was: some fixes to musl) Vasiliy Kulikov
2011-07-24 12:24 ` Rich Felker
2011-07-24 17:49 ` Vasiliy Kulikov
2011-07-24 22:29 ` Rich Felker
2011-07-25 17:36 ` Vasiliy Kulikov
2011-07-22 1:57 ` some fixes to musl Rich Felker
2011-07-22 4:30 ` Rich Felker
2011-07-22 8:26 ` Vasiliy Kulikov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110724093911.GB6076@albatros \
--to=segoon@openwall.com \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).