On Thu, Nov 28, 2019 at 8:18 PM Jann Horn wrote: > On Thu, Nov 28, 2019 at 11:07 AM Jann Horn wrote: > > On Thu, Nov 28, 2019 at 10:02 AM Rasmus Villemoes > > wrote: > > > On 28/11/2019 00.27, Jann Horn wrote: > > > > > > > One more thing, though: We'll have to figure out some way to > > > > invalidate the fd when the target goes through execve(), in particular > > > > if it's a setuid execution. Otherwise we'll be able to just steal > > > > signals that were intended for the other task, that's probably not > > > > good. > > > > > > > > So we should: > > > > a) prevent using ->wait() on an old signalfd once the task has gone > > > > through execve() > > > > b) kick off all existing waiters > > > > c) most importantly, prevent ->read() on an old signalfd once the > > > > task has gone through execve() > > > > > > > > We probably want to avoid using the cred_guard_mutex here, since it is > > > > quite broad and has some deadlocking issues; it might make sense to > > > > put the update of ->self_exec_id in fs/exec.c under something like the > > > > siglock, > > > > > > What prevents one from exec'ing a trivial helper 2^32-1 times before > > > exec'ing into the victim binary? > > > > Uh, yeah... that thing should probably become 64 bits wide, too. > > Actually, that'd still be wrong even with the existing kernel code for > two reasons: > > - if you reparent to a subreaper, the existing exec_id comparison breaks > - the new check here is going to break if a non-leader thread goes > through execve(), because of the weird magic where the thread going > through execve steals the thread id (PID) of the leader > > I'm gone for the day, but will try to dust off the years-old patch for > this that I have lying around somewhere tomorrow. I should probably > send it through akpm's tree with cc stable, given that this is already > kinda broken in existing releases... I'm taking that back, given that I was wrong when writing this mail. But I've attached the old patch, in case you want to reuse it. That cpu-plus-64-bits scheme was Andy Lutomirski's idea. If you use that, you'd have to take the cred_guard_mutex for ->poll and ->read, but I guess that's probably fine for signalfd.