From: Luis Chamberlain <mcgrof@kernel.org>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
linux-kernel@vger.kernel.org, David Miller <davem@davemloft.net>,
Greg Kroah-Hartman <greg@kroah.com>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Alexei Starovoitov <ast@kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>, bpf <bpf@vger.kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Jakub Kicinski <kuba@kernel.org>,
Masahiro Yamada <yamada.masahiro@socionext.com>,
Gary Lin <GLin@suse.com>, Bruno Meneguele <bmeneg@redhat.com>,
LSM List <linux-security-module@vger.kernel.org>,
Casey Schaufler <casey@schaufler-ca.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Christian Brauner <christian.brauner@ubuntu.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: [PATCH v3 10/16] exec: Remove do_execve_file
Date: Wed, 8 Jul 2020 13:32:50 +0000
Message-ID: <20200708133250.GH4332@42.do-not-panic.com>
In-Reply-To: <87y2nugnnq.fsf@x220.int.ebiederm.org>

On Wed, Jul 08, 2020 at 08:08:09AM -0500, Eric W. Biederman wrote:
> Luis Chamberlain <mcgrof@kernel.org> writes:
>
> > On Wed, Jul 08, 2020 at 06:35:25AM +0000, Luis Chamberlain wrote:
> >> On Thu, Jul 02, 2020 at 11:41:34AM -0500, Eric W. Biederman wrote:
> >> > Now that the last caller has been removed remove this code from exec.
> >> >
> >> > For anyone thinking of resurrecting do_execve_file please note that
> >> > the code was buggy in several fundamental ways.
> >> >
> >> > - It did not ensure the file it was passed was read-only and that
> >> > deny_write_access had been called on it. Which subtly breaks
> >> > invariants in exec.
> >> >
> >> > - The caller of do_execve_file was expected to hold and put a
> >> > reference to the file, but an extra reference for use by exec was
> >> > not taken so that when exec put its reference to the file an
> >> > underflow occurred on the file reference count.
> >>
> >> Maybe it's my growing love with testing, but I'm going to have to partly
> >> blame here that we added a new API without any respective testing.
> >> Granted, I recall this patch set could have used wider review
> >> and a bit more patience... but just mentioning this so we try to avoid
> >> new api-without-testing with more reason in the future.
> >>
> >> But more importantly, *how* could we have caught this? Or how can we
> >> catch this sort of stuff better in the future?
> >
> > Of all the issues you pointed out with do_execve_file(), since upon
> > review the assumption *by design* was that LSMs/etc would pick up issues
> > with the file *prior* to processing, I think that this file reference
> > count issue comes to my attention as the more serious issue which I
> > wish we could address *first* before this crusade.
> >
> > So I have to ask, has anyone *really tried* to give a crack at fixing
> > this refcount issue in a smaller way first? Alexei?
> >
> > I'm not opposed to the removal of do_execve_file(), however if there
> > is a reproducible crash / issue with the existing user, this sledge
> > hammer seems a bit overkill for older kernels.
>
> It does not matter for older kernels because there is exactly one user.
> That one user is just a place holder keeping the code alive until a real
> user comes along.
>
> For older kernels the solution is to just mark the bpfilter code broken
> in Kconfig and refuse to compile it. That is the trivial backportable
> fix if anyone wants one.

This seals the deal for me, thanks! Carry on, but hey, please add
yourself to MAINTAINERS too :)

  Luis
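
Added example, not part of the original message or the kernel source: a userspace C model of the reference-count contract described in the quoted commit message (caller holds and puts one reference; the callee puts one it never took), with a balance check of the kind a self-test could assert. The struct and every function name here are hypothetical.

```c
#include <stdio.h>

/* Userspace model only; names are hypothetical, not kernel APIs. */
struct model_file {
    long count;       /* references currently held */
    int underflowed;  /* set when a put arrives with no reference left */
};

static void model_get(struct model_file *f) { f->count++; }

static void model_put(struct model_file *f)
{
    if (f->count <= 0) {   /* put without a matching get: the underflow */
        f->underflowed = 1;
        return;
    }
    f->count--;
}

/* Callee as the commit message describes it: drops a reference it never took. */
static void exec_model_buggy(struct model_file *f)
{
    model_put(f);
}

/* Callee that owns what it puts: takes its own reference before using the file. */
static void exec_model_fixed(struct model_file *f)
{
    model_get(f);
    model_put(f);
}

/* Caller contract from the thread: hold a reference, call exec, then put it.
 * Returns 1 if the count underflowed or did not return to zero, else 0. */
static int caller_roundtrip(void (*exec_fn)(struct model_file *))
{
    struct model_file f = { 0, 0 };
    model_get(&f);   /* caller's reference */
    exec_fn(&f);
    model_put(&f);   /* caller's put */
    return f.underflowed || f.count != 0;
}

int main(void)
{
    printf("buggy callee imbalance: %d\n", caller_roundtrip(exec_model_buggy));
    printf("fixed callee imbalance: %d\n", caller_roundtrip(exec_model_fixed));
    return 0;
}
```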