On Fri 30-05-25 16:20:39, Mickaël Salaün wrote:
> On Thu, May 29, 2025 at 10:05:59AM -0700, Song Liu wrote:
> > On Thu, May 29, 2025 at 9:57 AM Alexei Starovoitov
> > <alexei.starovoitov@xxxxxxxxx> wrote:
> > [...]
> > > >
> > > > How about we describe this as:
> > > >
> > > > Introduce a path iterator, which safely (no crash) walks a struct path.
> > > > Without malicious parallel modifications, the walk is guaranteed to
> > > > terminate. The sequence of dentries may be surprising in presence
> > > > of parallel directory or mount tree modifications and the iteration may
> > > > not ever finish in face of parallel malicious directory tree manipulations.
> > >
> > > Hold on. If it's really the case then is the landlock susceptible
> > > to this type of attack already ?
> > > landlock may infinitely loop in the kernel ?
> >
> > I think this only happens if the attacker can modify the mount or
> > directory tree as fast as the walk, which is probably impossible
> > in reality.
>
> Yes, so this is not an infinite loop but an infinite race between the
> kernel and a very fast malicious user space process with an infinite
> number of available nested writable directories, that would also require
> a filesystem (and a kernel) supporting infinite pathname length.

Well, you definitely don't need infinite pathname length. Example:

Have a dir hierarchy like:

  A
 / \
B   C
|
D

Start iterating from A/B/D, you climb up to A/B. In parallel attacker does:

mv A/B/ A/C/; mkdir A/B

Now by following parent you get to A/C. In parallel attacker does:

mv A/C/ A/B/; mkdir A/C

And now you are essentially where you've started so this can repeat
forever.

As others wrote this particular timing might be hard enough to hit for it
to not be a practical attack but I would not bet much on somebody not being
able to invent some variant that works, in particular with BPF iterator.

								Honza
-- 
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR
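The interleaving from the mail above, as an added example that is not part of the original message and is not kernel code: a single-threaded user-space model of the A/B/C/D tree, showing that the parent walk never reaches A while each step is matched by one swap, and that a step budget plus a rename sequence counter lets the walker abort and see that it raced. `struct node`, `rename_seq`, `swap` and `walk_to_root` are hypothetical names, and the pool size and budget are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for a dentry: only the parent link matters (not kernel code). */
struct node { struct node *parent; };
#define MAX_DIRS 4096
static struct node pool[MAX_DIRS];
static size_t used;
static unsigned rename_seq;  /* bumped on every rename, like a sequence counter */

static struct node *mkdir_under(struct node *parent) {
    struct node *n = &pool[used++];
    n->parent = parent;
    return n;
}

/* The move from the mail: "mv A/X/ A/Y/; mkdir A/X". */
static void swap(struct node *a, struct node *x, struct node **y) {
    x->parent = *y;          /* mv A/X/ A/Y/ */
    *y = mkdir_under(a);     /* mkdir A/X: the next directory to move under */
    rename_seq++;
}

/* Walk from A/B/D up to A; with `attacker` set, one swap lands between every
 * two steps. Returns the steps needed to reach A, or -1 once `max_steps` are
 * spent. *raced counts steps taken across a rename. */
static int walk_to_root(int attacker, int max_steps, unsigned *raced) {
    used = 0; rename_seq = 0; *raced = 0;
    struct node *a = mkdir_under(NULL), *b = mkdir_under(a);
    struct node *sibling = mkdir_under(a);      /* C */
    struct node *cur = mkdir_under(b)->parent;  /* first step: D -> B */
    for (int steps = 1; steps <= max_steps; steps++) {
        if (cur == a) return steps;
        unsigned seq = rename_seq;
        if (attacker && used < MAX_DIRS)
            swap(a, cur, &sibling);
        cur = cur->parent;                      /* lands on the old sibling */
        *raced += (rename_seq != seq);
    }
    return -1;                                  /* budget spent, walk aborted */
}

int main(void) {
    unsigned raced;
    int quiet = walk_to_root(0, 1000, &raced);
    int busy = walk_to_root(1, 1000, &raced);
    printf("quiet tree: %d steps; under swaps: %d (%u raced steps)\n", quiet, busy, raced);
    return 0;
}
```

The tree never gets deeper than two levels below A during the swaps, so path length is not what keeps the walk going.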