From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.3 required=3.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D0E44C432C3 for ; Thu, 28 Nov 2019 19:19:28 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id A8AAA20880 for ; Thu, 28 Nov 2019 19:19:28 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="F8QNZvQZ" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727008AbfK1TT1 (ORCPT ); Thu, 28 Nov 2019 14:19:27 -0500 Received: from mail-oi1-f194.google.com ([209.85.167.194]:35188 "EHLO mail-oi1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726648AbfK1TT1 (ORCPT ); Thu, 28 Nov 2019 14:19:27 -0500 Received: by mail-oi1-f194.google.com with SMTP id k196so7747968oib.2 for ; Thu, 28 Nov 2019 11:19:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Sa7Qo9GWk7jIcVb/UqPiStHbvEoHinr+Eez2kcCOf1c=; b=F8QNZvQZFDC4R29kvG1rBgKm1kpx6PZbsIqFU0WaDGkxK0KPMas53EVmUrCxZEWKu+ TyLjB1Ji+sFJdqf10OEg/Jozf5L3+00M4S1V7iG1JEs3oz9wCN28WolNCGBvlMTdIfFE bCJSycpiYuwAopQg9Lp7fG1kSZUha7EtNo2xhBUGQxHctbro13ju+XhNyk2oV0lydZPA 7tAjfzfqTCfQ8IlhZZ5l5iKkHtTTOt3RdXbCxk14A3d3bohxQt8+j1GpA3cJOQ0/5B1z fRu4mh07clHKxnURShciN+a3Sjz8/CkJmxPsT2gWtE03/BSgjSI3V1fToG8TUdB/kN8q mkWw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Sa7Qo9GWk7jIcVb/UqPiStHbvEoHinr+Eez2kcCOf1c=; b=c7O5Bb+3Fp5XpFYhogBbzu18YFXaJWo2hjfOWVDONM+Iqiefrtcv6nRNy/FuEeDagV NBYTAd31DXJIk0oAzPhXHFJoxsCT8iSDKkQ+6NVaSbUj51MoHGeWYoxamOQu/7GCg3Op Ax+SwfQ+N/ZbxB/mFlMSqAkvAJcTrao9vljV3ZniXGHn9chZgYc43r5TVQvTdC32XVJf yVNH4ji9gyUrd0UVDFBqIVh+2lMtcAZCzExoVze8mKTdhjvn83RDjt8fAA61Ki7nVdyh JBhc6qr2dBXQT1wWSLIkuVKYrsQjay2xwySkVVV/cOpe5YbzOC3Ogzc11juFauDbYYxC grew== X-Gm-Message-State: APjAAAV54fhYJwTAl7Ya5C1GLsUcWQ/XS9NM0T+XQq/j7/vV2m8eBF7U ElJ8q2ipeudx65eMIxf+YZiYYKIwydYwk9iwZe28Cw== X-Google-Smtp-Source: APXvYqzumrng90jkIfbBLU7fDZd/qU3JI2V43WqgFg86Aeyg+t0BewnS9HPGkbBeXtjVOMeJs9BXjig5wfJCdgaE2LI= X-Received: by 2002:aca:ccd1:: with SMTP id c200mr9810023oig.157.1574968766126; Thu, 28 Nov 2019 11:19:26 -0800 (PST) MIME-Version: 1.0 References: <254505c9-2b76-ebeb-306c-02aaf1704b88@kernel.dk> <1d3a458a-fa79-5e33-b5ce-b473122f6d1a@kernel.dk> In-Reply-To: From: Jann Horn Date: Thu, 28 Nov 2019 20:18:55 +0100 Message-ID: Subject: Re: [PATCH RFC] signalfd: add support for SFD_TASK To: Rasmus Villemoes Cc: Jens Axboe , io-uring , "linux-kernel@vger.kernel.org" , linux-fsdevel Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Nov 28, 2019 at 11:07 AM Jann Horn wrote: > On Thu, Nov 28, 2019 at 10:02 AM Rasmus Villemoes > wrote: > > On 28/11/2019 00.27, Jann Horn wrote: > > > > > One more thing, though: We'll have to figure out some way to > > > invalidate the fd when the target goes through execve(), in particular > > > if it's a setuid execution. Otherwise we'll be able to just steal > > > signals that were intended for the other task, that's probably not > > > good. > > > > > > So we should: > > > a) prevent using ->wait() on an old signalfd once the task has gone > > > through execve() > > > b) kick off all existing waiters > > > c) most importantly, prevent ->read() on an old signalfd once the > > > task has gone through execve() > > > > > > We probably want to avoid using the cred_guard_mutex here, since it is > > > quite broad and has some deadlocking issues; it might make sense to > > > put the update of ->self_exec_id in fs/exec.c under something like the > > > siglock, > > > > What prevents one from exec'ing a trivial helper 2^32-1 times before > > exec'ing into the victim binary? > > Uh, yeah... that thing should probably become 64 bits wide, too. Actually, that'd still be wrong even with the existing kernel code for two reasons: - if you reparent to a subreaper, the existing exec_id comparison breaks - the new check here is going to break if a non-leader thread goes through execve(), because of the weird magic where the thread going through execve steals the thread id (PID) of the leader I'm gone for the day, but will try to dust off the years-old patch for this that I have lying around somewhere tomorrow. I should probably send it through akpm's tree with cc stable, given that this is already kinda broken in existing releases...