Date: Sun, 18 Sep 2016 20:31:37 +0200
From: Jann Horn
To: Ben Hutchings
Cc: Alexander Viro, Roland McGrath, Oleg Nesterov, John Johansen, James Morris, "Serge E. Hallyn", Paul Moore, Stephen Smalley, Eric Paris, Casey Schaufler, Kees Cook, Andrew Morton, Janis Danisevskis, Seth Forshee, "Eric . Biederman", Thomas Gleixner, Benjamin LaHaise, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, security@kernel.org
Subject: Re: [PATCH 2/9] exec: turn self_exec_id into self_privunit_id
Message-ID: <20160918183137.GA17170@pc.thejh.net>
In-Reply-To: <1474222407.2428.2.camel@decadent.org.uk>
References: <1474211117-16674-1-git-send-email-jann@thejh.net> <1474211117-16674-3-git-send-email-jann@thejh.net> <1474222407.2428.2.camel@decadent.org.uk>

On Sun, Sep 18, 2016 at 07:13:27PM +0100, Ben Hutchings wrote:
> On Sun, 2016-09-18 at 17:05 +0200, Jann Horn wrote:
> > This ensures that self_privunit_id ("privilege unit ID") is only shared by
> > processes that share the mm_struct and the signal_struct; not just
> > spatially, but also temporally. In other words, if you do execve() or
> > clone() without CLONE_THREAD, you get a new privunit_id that has never been
> > used before.
> [...]
> > +void increment_privunit_counter(void)
> > +{
> > + BUILD_BUG_ON(NR_CPUS > (1 << 16));
> > + current->self_privunit_id = this_cpu_add_return(exec_counter, NR_CPUS);
> > +}
> [...]
> 
> This will wrap incorrectly if NR_CPUS is not a power of 2 (which is
> unusual but allowed).

If this wraps, hell breaks loose permission-wise - processes that have no
relationship whatsoever with each other will suddenly be able to ptrace
each other.

The idea is that it never wraps. It wraps after (2^64)/NR_CPUS execs or
forks on one CPU core. NR_CPUS is bounded to <=2^16, so in the worst case,
it wraps after 2^48 execs or forks.

On my system with 3.7GHz per core, 2^16 minimal sequential non-thread clone()
calls need 1 second system time (and 2 seconds wall clock time, but let's
disregard that), so 2^48 non-thread clone() calls should need over 100 years.

But I guess both the kernel and machines get faster - if you think the margin
might not be future-proof enough (or if you think I measured wrong and it's
actually much faster), I guess I could bump this to a 128-bit number.
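Review bot: the BUILD_BUG_ON in the quoted hunk bounds NR_CPUS at 2^16 but does not capture the two properties the stride-by-NR_CPUS scheme relies on: each CPU's exec_counter must start at a distinct offset (that initialisation is outside the hunk, so nothing here documents it), and, as raised above, the per-CPU ID classes stay disjoint across a wrap only when NR_CPUS is a power of two. Since the reply's argument is that the 64-bit counter never wraps in practice, suggest a comment on increment_privunit_counter() stating that assumption together with the 2^64/NR_CPUS bound, and either adding `BUILD_BUG_ON(!is_power_of_2(NR_CPUS));` beside the existing check or explaining in the same comment why a non-power-of-two NR_CPUS is acceptable given that a wrap is never expected.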
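As an added illustration of the exchange above (not code from the patch or from anyone in the thread), the following C model runs the stride-by-NR_CPUS counter scheme with an 8-bit counter in place of u64, so that the wrap Ben describes is reachable, and reproduces the wrap-time estimate from the reply. The per-CPU starting offset (each CPU begins at its own index) is an assumption, since the thread does not show how exec_counter is initialised.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the patch's ID scheme: every CPU starts its counter
 * at its own index (assumed) and adds NR_CPUS on each exec/fork, so the IDs
 * one CPU issues form the residue class  cpu (mod NR_CPUS)  until the
 * counter wraps.  An 8-bit counter stands in for the kernel's u64 so that
 * the wrap is reachable here. */
#define COUNTER_BITS 8
#define COUNTER_MASK ((1u << COUNTER_BITS) - 1u)

/* Returns true if, within 'allocations' exec/fork events on 'cpu', the
 * wrapped counter ever yields an ID that belongs to another CPU's residue
 * class.  This cannot happen when nr_cpus divides 2^COUNTER_BITS (i.e. is a
 * power of two); for other CPU counts it happens as soon as the counter
 * wraps, which is the cross-CPU confusion raised in the review. */
bool leaks_into_other_cpu_class(unsigned nr_cpus, unsigned cpu,
                                unsigned allocations)
{
    unsigned counter = cpu;                            /* assumed offset */
    for (unsigned i = 0; i < allocations; i++) {
        counter = (counter + nr_cpus) & COUNTER_MASK;  /* this_cpu_add_return */
        if (counter % nr_cpus != cpu)
            return true;
    }
    return false;
}

/* The reply's estimate: a 64-bit counter advanced by NR_CPUS wraps on one
 * CPU after 2^64 / NR_CPUS events; at 'events_per_sec' sequential clone()
 * calls that takes the returned number of (365.25-day) years. */
double years_until_wrap(unsigned nr_cpus, double events_per_sec)
{
    double events_until_wrap = ((double)UINT64_MAX + 1.0) / nr_cpus;
    return events_until_wrap / events_per_sec / (365.25 * 24 * 3600);
}

int main(void)
{
    printf("4 CPUs, cpu 1 leaks after wrap: %d\n",
           leaks_into_other_cpu_class(4, 1, 1000));
    printf("3 CPUs, cpu 1 leaks after wrap: %d\n",
           leaks_into_other_cpu_class(3, 1, 1000));
    /* worst case from the reply: NR_CPUS = 2^16, 2^16 clone() calls/second */
    printf("years until wrap: %.1f\n", years_until_wrap(1u << 16, 65536.0));
    return 0;
}
```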