From: ebiederm@xmission.com (Eric W. Biederman)
To: Mateusz Guzik <mguzik@redhat.com>
Cc: Cyrill Gorcunov <gorcunov@gmail.com>,
Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>,
peterz@infradead.org, mingo@redhat.com, mhocko@suse.com,
keescook@chromium.org, linux-kernel@vger.kernel.org,
bsegall@google.com, john.stultz@linaro.org, oleg@redhat.com,
matthltc@us.ibm.com, akpm@linux-foundation.org,
luto@amacapital.net, vbabka@suse.cz, xemul@virtuozzo.com,
Richard Guy Briggs <rgb@redhat.com>
Subject: Re: [PATCH] prctl: remove one-shot limitation for changing exe link
Date: Sun, 31 Jul 2016 13:45:09 -0500 [thread overview]
Message-ID: <87vazlzlxm.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <20160730202821.7ojhciviocjfnw7p@mguzik> (Mateusz Guzik's message of "Sat, 30 Jul 2016 22:28:22 +0200")
Mateusz Guzik <mguzik@redhat.com> writes:
> On Sat, Jul 30, 2016 at 12:31:40PM -0500, Eric W. Biederman wrote:
>> So what I am requesting is very simple. That the checks in
>> prctl_set_mm_exe_file be tightened up to more closely approach what
>> execve requires. Thus preserving the value of the /proc/[pid]/exe for
>> the applications that want to use the exe link.
>>
>> Once the checks in prctl_set_mm_exe_file are tightened up please feel
>> free to remove the one shot test.
>>
>
> This is more fishy.
>
> First of all exe_file is used by the audit subsystem. So someone has to
> ask audit people what is the significance (if any) of the field.
>
> All exe_file users but one use get_mm_exe_file and handle NULL
> gracefully.
>
> Even with the current limit of changing the field once, the user can
> cause a transient failure of get_mm_exe_file which can fail to increment
> the refcount before it drops to 0.
>
> This transient failure can be used to get a NULL value stored in
> ->exe_file during fork (in dup_mmap):
> RCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm));
>
> The one place which is not using get_mm_exe_file to get to the pointer
> is audit_exe_compare:
> rcu_read_lock();
> exe_file = rcu_dereference(tsk->mm->exe_file);
> ino = exe_file->f_inode->i_ino;
> dev = exe_file->f_inode->i_sb->s_dev;
> rcu_read_unlock();
>
> This is buggy on 2 accounts:
> 1. exe_file can be NULL
> 2. rcu does not protect f_inode
>
> The issue is made worse with allowing arbitrary number changes.
>
> Modifying get_mm_exe_file to retry is trivial and in effect never return
> NULL is trivial. With arbitrary number of changes allowed this may
> require some cond_resched() or something.
>
> For comments I cc'ed Richard Guy Briggs, who is both an audit person and
> the author of audit_exe_compare.
That is fair. Keeping the existing users working is what needs to
happen.
At the same time we have an arbitrary number of possible changes with
exec, but I guess that works differently because the mm is changed as
well.
So yes let's bug fix this piece of code and then we can see about
relaxing constraints.
Eric
next prev parent reply other threads:[~2016-07-31 18:58 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-12 15:30 [PATCH] prctl: remove one-shot limitation for changing exe link Stanislav Kinsburskiy
2016-07-12 16:42 ` Oleg Nesterov
2016-07-12 16:52 ` Stanislav Kinsburskiy
2016-07-12 17:01 ` Oleg Nesterov
2016-07-12 16:48 ` Cyrill Gorcunov
2016-07-12 16:52 ` Eric W. Biederman
2016-07-12 17:29 ` Cyrill Gorcunov
2016-07-12 21:42 ` Cyrill Gorcunov
2016-07-13 10:47 ` Stanislav Kinsburskiy
2016-07-18 20:11 ` One Thousand Gnomes
2016-07-20 11:30 ` Stanislav Kinsburskiy
[not found] ` <8a863273-c571-63d6-c0c3-637dff5645a3@virtuozzo.com>
2016-07-25 18:21 ` Eric W. Biederman
2016-07-25 19:22 ` Cyrill Gorcunov
2016-07-25 19:56 ` Eric W. Biederman
2016-07-26 8:34 ` Cyrill Gorcunov
2016-07-30 17:31 ` Eric W. Biederman
2016-07-30 20:28 ` Mateusz Guzik
2016-07-31 18:45 ` Eric W. Biederman
2016-07-31 18:45 ` Eric W. Biederman [this message]
2016-08-22 15:40 ` Richard Guy Briggs
2016-07-31 22:43 ` Cyrill Gorcunov
2016-07-31 22:49 ` Andy Lutomirski
2016-08-01 9:04 ` Cyrill Gorcunov
2016-08-10 10:48 ` Stanislav Kinsburskiy
2016-07-26 10:21 ` Stanislav Kinsburskiy
2016-07-12 15:42 Stanislav Kinsburskiy
[not found] <1d254efe-5410-40c4-af4b-9e898682d0b3@email.android.com>
2016-07-13 10:15 ` Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87vazlzlxm.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=akpm@linux-foundation.org \
--cc=bsegall@google.com \
--cc=gorcunov@gmail.com \
--cc=john.stultz@linaro.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=matthltc@us.ibm.com \
--cc=mguzik@redhat.com \
--cc=mhocko@suse.com \
--cc=mingo@redhat.com \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
--cc=rgb@redhat.com \
--cc=skinsbursky@virtuozzo.com \
--cc=vbabka@suse.cz \
--cc=xemul@virtuozzo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.