Re: [PATCH bpf-next 3/4] bpf: Introduce path iterator
From: Jan Kara <jack@suse.cz>
Date: 2025-06-03 09:46:29
Also in: bpf, linux-fsdevel, lkml
On Fri 30-05-25 16:20:39, Mickaël Salaün wrote:
> On Thu, May 29, 2025 at 10:05:59AM -0700, Song Liu wrote:
> > On Thu, May 29, 2025 at 9:57 AM Alexei Starovoitov [off-list ref] wrote: [...]
> > > > How about we describe this as:
> > > >
> > > > Introduce a path iterator, which safely (no crash) walks a struct path.
> > > > Without malicious parallel modifications, the walk is guaranteed to
> > > > terminate. The sequence of dentries may be surprising in presence of
> > > > parallel directory or mount tree modifications and the iteration may not
> > > > ever finish in face of parallel malicious directory tree manipulations.
> > >
> > > Hold on. If it's really the case then is the landlock susceptible
> > > to this type of attack already ? landlock may infinitely loop
> > > in the kernel ?
> >
> > I think this only happens if the attacker can modify the mount or
> > directory tree as fast as the walk, which is probably impossible
> > in reality.
>
> Yes, so this is not an infinite loop but an infinite race between the
> kernel and a very fast malicious user space process with an infinite
> number of available nested writable directories, that would also require
> a filesystem (and a kernel) supporting infinite pathname length.

Well, you definitely don't need infinite pathname length. Example:

Have a dir hierarchy like:

       A
      / \
     B   C
     |
     D

Start iterating from A/B/D, you climb up to A/B. In parallel attacker does:

mv A/B/ A/C/; mkdir A/B

Now by following parent you get to A/C. In parallel attacker does:

mv A/C/ A/B/; mkdir A/C

And now you are essentially where you've started so this can repeat
forever.

As others wrote this particular timing might be hard enough to hit for it
to not be a practical attack but I would not bet much on somebody not being
able to invent some variant that works, in particular with BPF iterator.

								Honza
-- 
Jan Kara [off-list ref]
SUSE Labs, CR
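
The rename sequence from the message above, modelled as a toy parent-pointer tree (an added example, not code from the patch series or from any poster in this thread). `build_tree`, `swap_under_walker`, `walk_up` and the step budget are assumptions of this model, not kernel interfaces; it shows the walk reaching A on a quiet tree and never reaching it when each parent step is answered by the rename pair.

```c
#include <stdio.h>

#define MAX_NODES 64
#define ROOT 0                       /* directory A */

static int  parent[MAX_NODES];       /* parent[i]: index of i's parent directory */
static char name[MAX_NODES];         /* single-letter directory name */
static int  nnodes;

static int mkdir_in(int dir, char nm) {
    parent[nnodes] = dir; name[nnodes] = nm;
    return nnodes++;
}

/* Build A/{B/D, C}; returns the index of D, where the walk starts. */
static int build_tree(void) {
    nnodes = 0;
    mkdir_in(ROOT, 'A');             /* the root is its own parent */
    int b = mkdir_in(ROOT, 'B');
    mkdir_in(ROOT, 'C');
    return mkdir_in(b, 'D');
}

/* The rename pair from the message: "mv A/<cur> A/<other>/; mkdir A/<cur>". */
static void swap_under_walker(int cur) {
    if (parent[cur] != ROOT) return; /* only direct children of A are moved */
    char other = (name[cur] == 'B') ? 'C' : 'B';
    for (int i = 1; i < nnodes; i++)
        if (parent[i] == ROOT && name[i] == other) {
            parent[cur] = i;                /* mv A/<cur> A/<other>/ */
            mkdir_in(ROOT, name[cur]);      /* mkdir A/<cur> */
            return;
        }
}

/* Follow parent pointers. Returns the number of steps needed to reach A,
 * or -1 once the step budget (an assumption of this model) is used up. */
static int walk_up(int cur, int budget, int racing) {
    for (int steps = 0; steps < budget; steps++) {
        if (cur == ROOT) return steps;
        cur = parent[cur];
        if (racing && cur != ROOT) swap_under_walker(cur);
    }
    return -1;
}

int main(void) {
    printf("quiet tree:   %d\n", walk_up(build_tree(), 32, 0));
    printf("with renames: %d\n", walk_up(build_tree(), 32, 1));
    return 0;
}
```

In the racing run the walker alternates between a directory named B and one named C directly under A, so only the budget makes the function return; the tree depth it would report grows by one directory per step.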