From: Christian Brauner <christian.brauner@ubuntu.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
criu@openvz.org, bpf@vger.kernel.org,
"Linus Torvalds" <torvalds@linux-foundation.org>,
"Alexander Viro" <viro@zeniv.linux.org.uk>,
"Oleg Nesterov" <oleg@redhat.com>,
"Cyrill Gorcunov" <gorcunov@gmail.com>,
"Jann Horn" <jann@thejh.net>, "Kees Cook" <keescook@chromium.org>,
"Daniel P. Berrangé" <berrange@redhat.com>,
"Jeff Layton" <jlayton@redhat.com>,
"Miklos Szeredi" <miklos@szeredi.hu>,
"Matthew Wilcox" <willy@debian.org>,
"J. Bruce Fields" <bfields@fieldses.org>,
"Matthew Wilcox" <matthew@wil.cx>,
"Trond Myklebust" <trond.myklebust@fys.uio.no>,
"Chris Wright" <chrisw@redhat.com>,
"Alexei Starovoitov" <ast@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Martin KaFai Lau" <kafai@fb.com>,
"Song Liu" <songliubraving@fb.com>, "Yonghong Song" <yhs@fb.com>,
"Andrii Nakryiko" <andriin@fb.com>,
"John Fastabend" <john.fastabend@gmail.com>,
"KP Singh" <kpsingh@chromium.org>
Subject: Re: [PATCH 01/17] exec: Move unshare_files to fix posix file locking during exec
Date: Tue, 18 Aug 2020 12:04:20 +0200 [thread overview]
Message-ID: <20200818100420.akdocgojdjhmq5z6@wittgenstein> (raw)
In-Reply-To: <20200817220425.9389-1-ebiederm@xmission.com>
On Mon, Aug 17, 2020 at 05:04:09PM -0500, Eric W. Biederman wrote:
> Many moons ago the binfmts were doing some very questionable things
> with file descriptors and an unsharing of the file descriptor table
> was added to make things better[1][2]. The helper steal_files was
> added to avoid breaking the userspace programs[3][4][6].
>
> Unfortunately it turned out that steal_locks did not work for network
> file systems[5], so it was removed to see if anyone would
> complain[7][8]. It was thought at the time that NPTL would not be
> affected as the unshare_files happened after the other threads were
> killed[8]. Unfortunately because there was an unshare_files in
> binfmt_elf.c before the threads were killed this analysis was
> incorrect.
>
> This unshare_files in binfmt_elf.c resulted in the unshares_files
> happening whenever threads were present. Which led to unshare_files
> being moved to the start of do_execve[9].
>
> Later the problems were rediscovered and suggested approach was to
> readd steal_locks under a different name[10]. I happened to be
> reviewing patches and I noticed that this approach was a step
> backwards[11].
>
> I proposed simply moving unshare_files[12] and it was pointed
> out that moving unshare_files without auditing the code was
> also unsafe[13].
>
> There were then several attempts to solve this[14][15][16] and I even
> posted this set of changes[17]. Unfortunately because auditing all of
> execve is time consuming this change did not make it in at the time.
>
> Well now that I am cleaning up exec I have made the time to read
> through all of the binfmts and the only playing with file descriptors
> is either the security modules closing them in
> security_bprm_committing_creds or is in the generic code in fs/exec.c.
> None of it happens before begin_new_exec is called.
>
> So move unshare_files into begin_new_exec, after the point of no
> return. If memory is very very very low and the application calling
> exec is sharing file descriptor tables between processes we might fail
> past the point of no return. Which is unfortunate but no different
> than any of the other places where we allocate memory after the point
> of no return.
>
> This movement allows another process that shares the file table, or
> another thread of the same process and that closes files or changes
> their close on exec behavior and races with execve to cause some
> unexpected things to happen. There is only one time of check to time
It seems to only make the already existing race window wider by moving
it from bprm_execve() to begin_new_exec() which isn't great but probably
ok since done for a good reason.
> of use race and it is just there so that execve fails instead of
> an interpreter failing when it tries to open the file it is supposed
> to be interpreting. Failing later if userspace is being silly is
> not a problem.
>
> With this change it the following discription from the removal
> of steal_locks[8] finally becomes true.
>
> Apps using NPTL are not affected, since all other threads are killed before
> execve.
>
> Apps using LinuxThreads are only affected if they
>
> - have multiple threads during exec (LinuxThreads doesn't kill other
> threads, the app may do it with pthread_kill_other_threads_np())
> - rely on POSIX locks being inherited across exec
>
> Both conditions are documented, but not their interaction.
>
> Apps using clone() natively are affected if they
>
> - use clone(CLONE_FILES)
> - rely on POSIX locks being inherited across exec
>
> I have investigated some paths to make it possible to solve this
> without moving unshare_files but they all look more complicated[18].
>
> Reported-by: Daniel P. Berrangé <berrange@redhat.com>
> Reported-by: Jeff Layton <jlayton@redhat.com>
> History-tree: git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
> [1] 02cda956de0b ("[PATCH] unshare_files"
> [2] 04e9bcb4d106 ("[PATCH] use new unshare_files helper")
> [3] 088f5d7244de ("[PATCH] add steal_locks helper")
> [4] 02c541ec8ffa ("[PATCH] use new steal_locks helper")
> [5] https://lkml.kernel.org/r/E1FLIlF-0007zR-00@dorka.pomaz.szeredi.hu
> [6] https://lkml.kernel.org/r/0060321191605.GB15997@sorel.sous-sol.org
> [7] https://lkml.kernel.org/r/E1FLwjC-0000kJ-00@dorka.pomaz.szeredi.hu
> [8] c89681ed7d0e ("[PATCH] remove steal_locks()")
> [9] fd8328be874f ("[PATCH] sanitize handling of shared descriptor tables in failing execve()")
> [10] https://lkml.kernel.org/r/20180317142520.30520-1-jlayton@kernel.org
> [11] https://lkml.kernel.org/r/87r2nwqk73.fsf@xmission.com
> [12] https://lkml.kernel.org/r/87bmfgvg8w.fsf@xmission.com
> [13] https://lkml.kernel.org/r/20180322111424.GE30522@ZenIV.linux.org.uk
> [14] https://lkml.kernel.org/r/20180827174722.3723-1-jlayton@kernel.org
> [15] https://lkml.kernel.org/r/20180830172423.21964-1-jlayton@kernel.org
> [16] https://lkml.kernel.org/r/20180914105310.6454-1-jlayton@kernel.org
> [17] https://lkml.kernel.org/r/87a7ohs5ow.fsf@xmission.com
> [18] https://lkml.kernel.org/r/87pn8c1uj6.fsf_-_@x220.int.ebiederm.org
> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
> ---
Slightly scary change but it solves a problem.
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
next prev parent reply other threads:[~2020-08-18 10:04 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-17 22:03 exec: Move unshare_files and guarantee files_struct.count is correct Eric W. Biederman
2020-08-17 22:04 ` [PATCH 01/17] exec: Move unshare_files to fix posix file locking during exec Eric W. Biederman
2020-08-18 10:04 ` Christian Brauner [this message]
2020-08-17 22:04 ` [PATCH 02/17] exec: Simplify unshare_files Eric W. Biederman
2020-08-18 10:08 ` Christian Brauner
2020-08-17 22:04 ` [PATCH 03/17] exec: Remove reset_files_struct Eric W. Biederman
2020-08-18 10:09 ` Christian Brauner
2020-08-17 22:04 ` [PATCH 04/17] kcmp: In kcmp_epoll_target use fget_task Eric W. Biederman
2020-08-20 21:45 ` Cyrill Gorcunov
2020-08-17 22:04 ` [PATCH 05/17] bpf: In bpf_task_fd_query " Eric W. Biederman
2020-08-17 22:04 ` [PATCH 06/17] file: Implement fcheck_task Eric W. Biederman
2020-08-18 10:37 ` Christian Brauner
2020-08-17 22:04 ` [PATCH 07/17] proc/fd: In tid_fd_mode use fcheck_task Eric W. Biederman
2020-08-18 10:36 ` Christian Brauner
2020-08-17 22:04 ` [PATCH 08/17] proc/fd: In proc_fd_link " Eric W. Biederman
2020-08-18 10:36 ` Christian Brauner
2020-08-17 22:04 ` [PATCH 09/17] file: Implement fnext_task Eric W. Biederman
2020-08-17 23:54 ` Linus Torvalds
[not found] ` <875z9g7oln.fsf@x220.int.ebiederm.org>
2020-08-18 1:17 ` Linus Torvalds
2020-08-18 11:05 ` Christian Brauner
[not found] ` <87pn7m22kn.fsf@x220.int.ebiederm.org>
2020-08-19 15:54 ` Alexei Starovoitov
[not found] ` <871rk0t45v.fsf@x220.int.ebiederm.org>
2020-08-21 16:17 ` Alexei Starovoitov
2020-08-19 18:32 ` Linus Torvalds
2020-08-20 21:50 ` Cyrill Gorcunov
2020-08-17 22:04 ` [PATCH 10/17] proc/fd: In proc_readfd_common use fnext_task Eric W. Biederman
2020-08-18 2:22 ` Al Viro
[not found] ` <87sgck4o23.fsf@x220.int.ebiederm.org>
2020-08-18 4:59 ` Alexei Starovoitov
2020-08-17 22:04 ` [PATCH 11/17] bpf/task_iter: In task_file_seq_get_next " Eric W. Biederman
2020-08-18 5:39 ` kernel test robot
2020-08-18 5:39 ` kernel test robot
2020-08-18 12:54 ` Eric W. Biederman
2020-08-18 12:54 ` Eric W. Biederman
2020-08-17 22:04 ` [PATCH 12/17] proc/fd: In fdinfo seq_show don't use get_files_struct Eric W. Biederman
2020-08-18 0:08 ` Linus Torvalds
[not found] ` <87v9hg69ph.fsf@x220.int.ebiederm.org>
2020-08-18 1:21 ` Linus Torvalds
2020-08-18 10:43 ` Christian Brauner
2020-08-17 22:04 ` [PATCH 13/17] file: Remove get_files_struct Eric W. Biederman
2020-08-18 10:39 ` Christian Brauner
2020-08-17 22:04 ` [PATCH 14/17] file: Merge __fd_install into fd_install Eric W. Biederman
2020-08-18 10:15 ` Christian Brauner
2020-08-17 22:04 ` [PATCH 15/17] file: In f_dupfd read RLIMIT_NOFILE once Eric W. Biederman
2020-08-18 10:12 ` Christian Brauner
2020-08-17 22:04 ` [PATCH 16/17] file: Merge __alloc_fd into alloc_fd Eric W. Biederman
2020-08-18 10:17 ` Christian Brauner
2020-08-17 22:04 ` [PATCH 17/17] file: Rename __close_fd to close_fd and remove the files parameter Eric W. Biederman
2020-08-18 10:19 ` Christian Brauner
2020-08-18 11:20 ` Christoph Hellwig
2020-08-18 12:48 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200818100420.akdocgojdjhmq5z6@wittgenstein \
--to=christian.brauner@ubuntu.com \
--cc=andriin@fb.com \
--cc=ast@kernel.org \
--cc=berrange@redhat.com \
--cc=bfields@fieldses.org \
--cc=bpf@vger.kernel.org \
--cc=chrisw@redhat.com \
--cc=criu@openvz.org \
--cc=daniel@iogearbox.net \
--cc=ebiederm@xmission.com \
--cc=gorcunov@gmail.com \
--cc=jann@thejh.net \
--cc=jlayton@redhat.com \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=keescook@chromium.org \
--cc=kpsingh@chromium.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=matthew@wil.cx \
--cc=miklos@szeredi.hu \
--cc=oleg@redhat.com \
--cc=songliubraving@fb.com \
--cc=torvalds@linux-foundation.org \
--cc=trond.myklebust@fys.uio.no \
--cc=viro@zeniv.linux.org.uk \
--cc=willy@debian.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.