Re: [PATCH v3 2/2] vfs: avoid duplicating creds in faccessat if possible

[Al Viro]

On Thu, Mar 02, 2023 at 07:02:10PM +0000, Al Viro wrote:
> On Thu, Mar 02, 2023 at 06:43:39PM +0000, Al Viro wrote:
> > On Thu, Mar 02, 2023 at 07:22:17PM +0100, Mateusz Guzik wrote:
> > 
> > > Ops, I meant "names_cache", here:
> > > 	names_cachep = kmem_cache_create_usercopy("names_cache", PATH_MAX, 0,
> > > 			SLAB_HWCACHE_ALIGN|SLAB_PANIC, 0, PATH_MAX, NULL);
> > > 
> > > it is fs/dcache.c and I brainfarted into the above.
> > 
> > So you mean __getname() stuff?
> 
> The thing is, getname_flags()/getname_kernel() is not the only user of that
> thing; grep and you'll see (and keep in mind that cifs alloc_dentry_path()
> is a __getname() wrapper, with its own callers).  We might have bugs papered
> over^W^Whardened away^W^Wpapered over in some of those users.
> 
> I agree that getname_flags()/getname_kernel()/sys_getcwd() have no need of
> pre-zeroing; fw_get_filesystem_firmware(), ceph_mdsc_build_path(),
> [hostfs]dentry_name() and ima_d_path() seem to be safe.  So's
> vboxsf_path_from_dentry() (I think).  But with this bunch I'd need
> a review before I'd be willing to say "this security theatre buys us
> nothing here":

[snip the list]

PS: ripping this bandaid off might very well be the right thing to do, it's just
that "I'm confident there is 0 hardening benefit for it" needs a code review
is some moderately grotty places.  It's not too awful (e.g. in case of cifs
most of the callers are immediately followed by build_path_from_dentry(), which
stores the pathname in the end of page and returns the pointer to beginning
of initialized part; verifying that after that allocation + build_path we
only access the parts past the returned pointer until it's time to free the
buffer is not hard), but it's worth doing.