From: Kees Cook <keescook@chromium.org>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: linux-kernel@vger.kernel.org,
Linus Torvalds <torvalds@linux-foundation.org>,
Oleg Nesterov <oleg@redhat.com>, Jann Horn <jannh@google.com>,
Greg Ungerer <gerg@linux-m68k.org>, Rob Landley <rob@landley.net>,
Bernd Edlinger <bernd.edlinger@hotmail.de>,
linux-fsdevel@vger.kernel.org, Al Viro <viro@ZenIV.linux.org.uk>,
Alexey Dobriyan <adobriyan@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH 5/6] exec: Move handling of the point of no return to the top level
Date: Fri, 8 May 2020 22:31:06 -0700 [thread overview]
Message-ID: <202005082228.5C0E44CC6@keescook> (raw)
In-Reply-To: <87y2q25knl.fsf_-_@x220.int.ebiederm.org>
On Fri, May 08, 2020 at 01:47:10PM -0500, Eric W. Biederman wrote:
>
> Move the handing of the point of no return from search_binary_handler
> into __do_execve_file so that it is easier to find, and to keep
> things robust in the face of change.
>
> Make it clear that an existing fatal signal will take precedence over
> a forced SIGSEGV by not forcing SIGSEGV if a fatal signal is already
> pending. This does not change the behavior but it saves a reader
> of the code the tedium of reading and understanding force_sig
> and the signal delivery code.
>
> Update the comment in begin_new_exec about where SIGSEGV is forced.
>
> Keep point_of_no_return from being a mystery by documenting
> what the code is doing where it forces SIGSEGV if the
> code is past the point of no return.
>
> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
I had to read the code around these changes a bit carefully, but yeah,
this looks like a safe cleanup. It is a behavioral change, though (in
that in unmasks non-SEGV fatal signals), so I do wonder if something
somewhere might notice this, but I'd agree that it's the more robust
behavior.
Reviewed-by: Kees Cook <keescook@chromium.org>
--
Kees Cook
next prev parent reply other threads:[~2020-05-09 5:31 UTC|newest]
Thread overview: 149+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-05 19:39 exec: Promised cleanups after introducing exec_update_mutex Eric W. Biederman
2020-05-05 19:41 ` [PATCH 1/7] binfmt: Move install_exec_creds after setup_new_exec to match binfmt_elf Eric W. Biederman
2020-05-05 20:45 ` Kees Cook
2020-05-06 12:42 ` Greg Ungerer
2020-05-06 12:56 ` Eric W. Biederman
2020-05-05 19:41 ` [PATCH 2/7] exec: Make unlocking exec_update_mutex explict Eric W. Biederman
2020-05-05 20:46 ` Kees Cook
2020-05-05 19:42 ` [PATCH 3/7] exec: Rename the flag called_exec_mmap point_of_no_return Eric W. Biederman
2020-05-05 20:49 ` Kees Cook
2020-05-05 19:43 ` [PATCH 4/7] exec: Merge install_exec_creds into setup_new_exec Eric W. Biederman
2020-05-05 20:50 ` Kees Cook
2020-05-05 19:44 ` [PATCH 5/7] exec: In setup_new_exec cache current in the local variable me Eric W. Biederman
2020-05-05 20:51 ` Kees Cook
2020-05-05 19:45 ` [PATCH 6/7] exec: Move most of setup_new_exec into flush_old_exec Eric W. Biederman
2020-05-05 21:29 ` Kees Cook
2020-05-06 14:57 ` Eric W. Biederman
2020-05-06 15:30 ` Kees Cook
2020-05-07 19:51 ` Eric W. Biederman
2020-05-07 21:51 ` Eric W. Biederman
2020-05-08 5:50 ` Kees Cook
2020-05-05 19:46 ` [PATCH 7/7] exec: Rename flush_old_exec begin_new_exec Eric W. Biederman
2020-05-05 21:30 ` Kees Cook
2020-05-06 12:41 ` exec: Promised cleanups after introducing exec_update_mutex Greg Ungerer
2020-05-08 18:43 ` [PATCH 0/6] exec: Trivial cleanups for exec Eric W. Biederman
2020-05-08 18:44 ` [PATCH 1/6] exec: Move the comment from above de_thread to above unshare_sighand Eric W. Biederman
2020-05-09 5:02 ` Kees Cook
2020-05-08 18:44 ` [PATCH 2/6] exec: Fix spelling of search_binary_handler in a comment Eric W. Biederman
2020-05-09 5:03 ` Kees Cook
2020-05-08 18:45 ` [PATCH 3/6] exec: Stop open coding mutex_lock_killable of cred_guard_mutex Eric W. Biederman
2020-05-09 5:08 ` Kees Cook
2020-05-09 19:18 ` Linus Torvalds
2020-05-09 19:57 ` Eric W. Biederman
2020-05-10 20:33 ` Kees Cook
2020-05-08 18:45 ` [PATCH 4/6] exec: Run sync_mm_rss before taking exec_update_mutex Eric W. Biederman
2020-05-09 5:15 ` Kees Cook
2020-05-09 14:17 ` Eric W. Biederman
2020-05-08 18:47 ` [PATCH 5/6] exec: Move handling of the point of no return to the top level Eric W. Biederman
2020-05-09 5:31 ` Kees Cook [this message]
2020-05-09 13:39 ` Eric W. Biederman
2020-05-08 18:48 ` [PATCH 6/6] exec: Set the point of no return sooner Eric W. Biederman
2020-05-09 5:33 ` Kees Cook
2020-05-09 19:40 ` [PATCH 0/5] exec: Control flow simplifications Eric W. Biederman
2020-05-09 19:40 ` [PATCH 1/5] exec: Call cap_bprm_set_creds directly from prepare_binprm Eric W. Biederman
2020-05-09 20:04 ` Linus Torvalds
2020-05-09 19:41 ` [PATCH 2/5] exec: Directly call security_bprm_set_creds from __do_execve_file Eric W. Biederman
2020-05-09 20:07 ` Linus Torvalds
2020-05-09 20:12 ` Eric W. Biederman
2020-05-09 20:19 ` Linus Torvalds
2020-05-11 3:15 ` Kees Cook
2020-05-11 16:52 ` Eric W. Biederman
2020-05-11 21:18 ` Kees Cook
2020-05-09 19:41 ` [PATCH 3/5] exec: Remove recursion from search_binary_handler Eric W. Biederman
2020-05-09 20:16 ` Linus Torvalds
2020-05-10 4:22 ` Tetsuo Handa
2020-05-10 19:38 ` Linus Torvalds
2020-05-11 14:33 ` Eric W. Biederman
2020-05-11 19:10 ` Rob Landley
2020-05-13 21:59 ` Eric W. Biederman
2020-05-14 18:46 ` Rob Landley
2020-05-11 21:55 ` Kees Cook
2020-05-12 18:42 ` Eric W. Biederman
2020-05-12 19:25 ` Kees Cook
2020-05-12 20:31 ` Eric W. Biederman
2020-05-12 23:08 ` Kees Cook
2020-05-12 23:47 ` Kees Cook
2020-05-12 23:51 ` Kees Cook
2020-05-14 14:56 ` Eric W. Biederman
2020-05-14 16:56 ` Casey Schaufler
2020-05-14 17:02 ` Eric W. Biederman
2020-05-13 0:20 ` Linus Torvalds
2020-05-13 2:39 ` Rob Landley
2020-05-13 19:51 ` Linus Torvalds
2020-05-14 16:49 ` Eric W. Biederman
2020-05-09 19:42 ` [PATCH 4/5] exec: Allow load_misc_binary to call prepare_binfmt unconditionally Eric W. Biederman
2020-05-11 22:09 ` Kees Cook
2020-05-09 19:42 ` [PATCH 5/5] exec: Move the call of prepare_binprm into search_binary_handler Eric W. Biederman
2020-05-11 22:24 ` Kees Cook
2020-05-19 0:29 ` [PATCH v2 0/8] exec: Control flow simplifications Eric W. Biederman
2020-05-19 0:29 ` [PATCH v2 1/8] exec: Teach prepare_exec_creds how exec treats uids & gids Eric W. Biederman
2020-05-19 18:03 ` Kees Cook
2020-05-19 18:28 ` Linus Torvalds
2020-05-19 18:57 ` Eric W. Biederman
2020-05-19 0:30 ` [PATCH v2 2/8] exec: Factor security_bprm_creds_for_exec out of security_bprm_set_creds Eric W. Biederman
2020-05-19 15:34 ` Casey Schaufler
2020-05-19 18:10 ` Kees Cook
2020-05-19 21:28 ` James Morris
2020-05-19 0:31 ` [PATCH v2 3/8] exec: Convert security_bprm_set_creds into security_bprm_repopulate_creds Eric W. Biederman
2020-05-19 18:21 ` Kees Cook
2020-05-19 19:03 ` Eric W. Biederman
2020-05-19 19:14 ` Kees Cook
2020-05-20 20:22 ` Eric W. Biederman
2020-05-20 20:53 ` Kees Cook
2020-05-19 21:52 ` James Morris
2020-05-20 12:40 ` Eric W. Biederman
2020-05-19 0:31 ` [PATCH v2 4/8] exec: Allow load_misc_binary to call prepare_binfmt unconditionally Eric W. Biederman
2020-05-19 18:27 ` Kees Cook
2020-05-19 19:08 ` Eric W. Biederman
2020-05-19 19:17 ` Kees Cook
2020-05-19 0:32 ` [PATCH v2 5/8] exec: Move the call of prepare_binprm into search_binary_handler Eric W. Biederman
2020-05-19 18:27 ` Kees Cook
2020-05-19 21:30 ` James Morris
2020-05-19 0:33 ` [PATCH v2 6/8] exec/binfmt_script: Don't modify bprm->buf and then return -ENOEXEC Eric W. Biederman
2020-05-19 19:08 ` Kees Cook
2020-05-19 19:19 ` Eric W. Biederman
2020-05-19 0:33 ` [PATCH v2 7/8] exec: Generic execfd support Eric W. Biederman
2020-05-19 19:46 ` Kees Cook
2020-05-19 19:54 ` Linus Torvalds
2020-05-19 20:20 ` Eric W. Biederman
2020-05-19 21:59 ` Rob Landley
2020-05-20 16:05 ` Eric W. Biederman
2020-05-21 22:50 ` Rob Landley
2020-05-22 3:28 ` Eric W. Biederman
2020-05-22 4:51 ` Rob Landley
2020-05-22 13:35 ` Eric W. Biederman
2020-05-19 0:34 ` [PATCH v2 8/8] exec: Remove recursion from search_binary_handler Eric W. Biederman
2020-05-19 20:37 ` Kees Cook
2020-05-19 1:25 ` [PATCH v2 0/8] exec: Control flow simplifications Linus Torvalds
2020-05-19 21:55 ` Kees Cook
2020-05-20 13:02 ` Eric W. Biederman
2020-05-20 22:12 ` Eric W. Biederman
2020-05-20 23:43 ` Kees Cook
2020-05-21 11:53 ` Eric W. Biederman
2020-05-28 15:38 ` [PATCH 0/11] exec: cred calculation simplifications Eric W. Biederman
2020-05-28 15:41 ` [PATCH 01/11] exec: Reduce bprm->per_clear to a single bit Eric W. Biederman
2020-05-28 19:04 ` Linus Torvalds
2020-05-28 19:17 ` Eric W. Biederman
2020-05-28 15:42 ` [PATCH 02/11] exec: Introduce active_per_clear the per file version of per_clear Eric W. Biederman
2020-05-28 19:05 ` Linus Torvalds
2020-05-28 15:42 ` [PATCH 03/11] exec: Compute file based creds only once Eric W. Biederman
2020-05-28 15:43 ` [PATCH 04/11] exec: Move uid/gid handling from creds_from_file into bprm_fill_uid Eric W. Biederman
2020-05-28 15:44 ` Eric W. Biederman
2020-05-28 15:44 ` [PATCH 05/11] exec: In bprm_fill_uid use CAP_SETGID to see if a gid change is safe Eric W. Biederman
2020-05-28 15:48 ` [PATCH 06/11] exec: Don't set secureexec when the uid or gid changes are abandoned Eric W. Biederman
2020-05-28 15:48 ` [PATCH 07/11] exec: Set saved, fs, and effective ids together in bprm_fill_uid Eric W. Biederman
2020-05-28 15:49 ` [PATCH 08/11] exec: In bprm_fill_uid remove unnecessary no new privs check Eric W. Biederman
2020-05-28 15:49 ` [PATCH 09/11] exec: In bprm_fill_uid only set per_clear when honoring suid or sgid Eric W. Biederman
2020-05-28 19:08 ` Linus Torvalds
2020-05-28 19:21 ` Eric W. Biederman
2020-05-28 15:50 ` [PATCH 10/11] exec: In bprm_fill_uid set secureexec at same time as per_clear Eric W. Biederman
2020-05-28 15:50 ` [PATCH 11/11] exec: Remove the label after_setid from bprm_fill_uid Eric W. Biederman
2020-05-29 16:45 ` [PATCH 0/2] exec: Remove the computation of bprm->cred Eric W. Biederman
2020-05-29 16:46 ` [PATCH 1/2] exec: Add a per bprm->file version of per_clear Eric W. Biederman
2020-05-29 21:06 ` Kees Cook
2020-05-30 3:23 ` Eric W. Biederman
2020-05-30 5:14 ` Kees Cook
2020-05-29 16:47 ` [PATCH 2/2] exec: Compute file based creds only once Eric W. Biederman
2020-05-29 21:24 ` Kees Cook
2020-05-30 3:28 ` Eric W. Biederman
2020-05-30 5:18 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202005082228.5C0E44CC6@keescook \
--to=keescook@chromium.org \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=bernd.edlinger@hotmail.de \
--cc=ebiederm@xmission.com \
--cc=gerg@linux-m68k.org \
--cc=jannh@google.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=rob@landley.net \
--cc=torvalds@linux-foundation.org \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.