Date: Sat, 30 Jul 2016 22:28:22 +0200
From: Mateusz Guzik
To: "Eric W. Biederman"
Cc: Cyrill Gorcunov, Stanislav Kinsburskiy, peterz@infradead.org,
	mingo@redhat.com, mhocko@suse.com, keescook@chromium.org,
	linux-kernel@vger.kernel.org, bsegall@google.com,
	john.stultz@linaro.org, oleg@redhat.com, matthltc@us.ibm.com,
	akpm@linux-foundation.org, luto@amacapital.net, vbabka@suse.cz,
	xemul@virtuozzo.com, Richard Guy Briggs
Subject: Re: [PATCH] prctl: remove one-shot limitation for changing exe link
Message-ID: <20160730202821.7ojhciviocjfnw7p@mguzik>
In-Reply-To: <87y44j6nib.fsf@x220.int.ebiederm.org>

On Sat, Jul 30, 2016 at 12:31:40PM -0500, Eric W. Biederman wrote:
> So what I am requesting is very simple.  That the checks in
> prctl_set_mm_exe_file be tightened up to more closely approach what
> execve requires.  Thus preserving the value of the /proc/[pid]/exe for
> the applications that want to use the exe link.
>
> Once the checks in prctl_set_mm_exe_file are tightened up please feel
> free to remove the one shot test.
>

This is more fishy.

First of all exe_file is used by the audit subsystem. So someone has to
ask audit people what is the significance (if any) of the field.

All exe_file users but one use get_mm_exe_file and handle NULL
gracefully.

Even with the current limit of changing the field once, the user can
cause a transient failure of get_mm_exe_file, which can fail to
increment the refcount before it drops to 0.

This transient failure can be used to get a NULL value stored in
->exe_file during fork (in dup_mmap):
	RCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm));

The one place which is not using get_mm_exe_file to get to the pointer
is audit_exe_compare:
	rcu_read_lock();
	exe_file = rcu_dereference(tsk->mm->exe_file);
	ino = exe_file->f_inode->i_ino;
	dev = exe_file->f_inode->i_sb->s_dev;
	rcu_read_unlock();

This is buggy on 2 counts:
1. exe_file can be NULL
2. rcu does not protect f_inode

The issue is made worse by allowing an arbitrary number of changes.

Modifying get_mm_exe_file to retry, and in effect never return NULL, is
trivial. With an arbitrary number of changes allowed this may require
some cond_resched() or something.

For comments I cc'ed Richard Guy Briggs, who is both an audit person and
the author of audit_exe_compare.

-- 
Mateusz Guzik
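
To make the retry idea above concrete, here is a rough userspace model
of it in C11 atomics. This is only a sketch, not kernel code: the names
file_model, mm_model, file_get_not_zero, get_exe_file_once and
get_exe_file_retry are all made up for illustration, and object lifetime
(what RCU provides in the kernel) is not modelled at all. The "once"
variant shows the transient NULL described above; the "retry" variant
re-reads the pointer until it either gets a reference or finds no file
installed.

```c
#include <assert.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-in for struct file: only the refcount matters here. */
struct file_model {
	atomic_long f_count;
};

/* Hypothetical stand-in for mm_struct: only the exe_file pointer. */
struct mm_model {
	_Atomic(struct file_model *) exe_file;
};

/* Take a reference only if the count has not already dropped to 0. */
static bool file_get_not_zero(struct file_model *f)
{
	long c = atomic_load(&f->f_count);

	while (c != 0) {
		/* On failure, c is reloaded with the current count. */
		if (atomic_compare_exchange_weak(&f->f_count, &c, c + 1))
			return true;
	}
	return false;
}

/* No retry: a file whose count already hit 0 is reported as NULL. */
static struct file_model *get_exe_file_once(struct mm_model *mm)
{
	struct file_model *f;

	assert(mm != NULL);
	f = atomic_load(&mm->exe_file);
	if (f && !file_get_not_zero(f))
		f = NULL;
	return f;
}

/*
 * Retry: returns NULL only if no file is installed at all. This spins
 * for as long as the installed pointer refers to a dying file, so it
 * relies on a concurrent writer publishing the replacement pointer.
 */
static struct file_model *get_exe_file_retry(struct mm_model *mm)
{
	assert(mm != NULL);
	for (;;) {
		struct file_model *f = atomic_load(&mm->exe_file);

		if (!f || file_get_not_zero(f))
			return f;
		/* The kernel version might want cond_resched() here. */
	}
}
```

The unbounded loop in get_exe_file_retry is the reason a cond_resched()
or similar may be needed once an arbitrary number of changes is allowed.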