From: ebiederm@xmission.com (Eric W. Biederman)
To: Jann Horn <jannh@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Adam Zabrocki <pi3@pi3.com.pl>,
kernel list <linux-kernel@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
Oleg Nesterov <oleg@redhat.com>,
Andy Lutomirski <luto@amacapital.net>,
Bernd Edlinger <bernd.edlinger@hotmail.de>,
Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
stable <stable@vger.kernel.org>
Subject: Re: [PATCH] signal: Extend exec_id to 64bits
Date: Thu, 02 Apr 2020 09:14:38 -0500 [thread overview]
Message-ID: <87y2rekm9d.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <CAG48ez1dCPw9Dep-+GWn=SnHv1nVv4Npv1FpFxmomk6tmazB-g@mail.gmail.com> (Jann Horn's message of "Thu, 2 Apr 2020 06:46:49 +0200")
Jann Horn <jannh@google.com> writes:
> On Wed, Apr 1, 2020 at 10:50 PM Eric W. Biederman <ebiederm@xmission.com> wrote:
>> Replace the 32bit exec_id with a 64bit exec_id to make it impossible
>> to wrap the exec_id counter. With care an attacker can cause exec_id
>> wrap and send arbitrary signals to a newly exec'd parent. This
>> bypasses the signal sending checks if the parent changes their
>> credentials during exec.
>>
>> The severity of this problem can been seen that in my limited testing
>> of a 32bit exec_id it can take as little as 19s to exec 65536 times.
>> Which means that it can take as little as 14 days to wrap a 32bit
>> exec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7
>> days. Even my slower timing is in the uptime of a typical server.
>
> FYI, if you actually optimize this, it's more like 12s to exec 1048576
> times according to my test, which means ~14 hours for 2^32 executions
> (on a single core). That's on an i7-4790 (a Haswell desktop processor
> that was launched about six years ago, in 2014).
Half a day. I am not at all surprised, but it is good to know it can
take so little time.
Eric
next prev parent reply other threads:[~2020-04-02 14:17 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-24 21:50 Curiosity around 'exec_id' and some problems associated with it Adam Zabrocki
2020-03-29 22:43 ` Kees Cook
2020-03-30 8:34 ` Oleg Nesterov
2020-03-31 4:29 ` Adam Zabrocki
2020-04-01 20:47 ` [PATCH] signal: Extend exec_id to 64bits Eric W. Biederman
2020-04-01 20:55 ` Linus Torvalds
2020-04-01 21:03 ` Eric W. Biederman
2020-04-01 23:37 ` Jann Horn
2020-04-01 23:51 ` Linus Torvalds
2020-04-01 23:55 ` Linus Torvalds
2020-04-02 1:35 ` Jann Horn
2020-04-02 2:05 ` Linus Torvalds
2020-04-02 13:11 ` Eric W. Biederman
2020-04-02 18:06 ` Linus Torvalds
2020-04-02 4:46 ` Jann Horn
2020-04-02 14:14 ` Eric W. Biederman [this message]
2020-04-03 2:11 ` Adam Zabrocki
2020-04-02 7:19 ` Kees Cook
2020-04-02 7:22 ` Bernd Edlinger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87y2rekm9d.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=akpm@linux-foundation.org \
--cc=bernd.edlinger@hotmail.de \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=oleg@redhat.com \
--cc=pi3@pi3.com.pl \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).