From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.3 required=3.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 28E54C432C0 for ; Thu, 28 Nov 2019 19:19:28 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id F0E9720880 for ; Thu, 28 Nov 2019 19:19:27 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="F8QNZvQZ" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726681AbfK1TT1 (ORCPT ); Thu, 28 Nov 2019 14:19:27 -0500 Received: from mail-oi1-f193.google.com ([209.85.167.193]:39869 "EHLO mail-oi1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726633AbfK1TT1 (ORCPT ); Thu, 28 Nov 2019 14:19:27 -0500 Received: by mail-oi1-f193.google.com with SMTP id a67so5343431oib.6 for ; Thu, 28 Nov 2019 11:19:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Sa7Qo9GWk7jIcVb/UqPiStHbvEoHinr+Eez2kcCOf1c=; b=F8QNZvQZFDC4R29kvG1rBgKm1kpx6PZbsIqFU0WaDGkxK0KPMas53EVmUrCxZEWKu+ TyLjB1Ji+sFJdqf10OEg/Jozf5L3+00M4S1V7iG1JEs3oz9wCN28WolNCGBvlMTdIfFE bCJSycpiYuwAopQg9Lp7fG1kSZUha7EtNo2xhBUGQxHctbro13ju+XhNyk2oV0lydZPA 7tAjfzfqTCfQ8IlhZZ5l5iKkHtTTOt3RdXbCxk14A3d3bohxQt8+j1GpA3cJOQ0/5B1z fRu4mh07clHKxnURShciN+a3Sjz8/CkJmxPsT2gWtE03/BSgjSI3V1fToG8TUdB/kN8q mkWw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Sa7Qo9GWk7jIcVb/UqPiStHbvEoHinr+Eez2kcCOf1c=; b=fo5in90JNNbA1SBxmhJZcAZlK68Xn3ORm1/lknsQBvWguX9C4SKpBvmYDxYVMsPen1 YHSbfKdPYNh5HKjQvO9QfrND3j+a7nC2LXwHC4hpTpZxBP7CqzHmSEAJReFY5BXr38qs X3jkH4kcDPn0R114DJWxLR9YK5ySNBc3LDKTBxlnxnfzaVz20xACWtbOCid1fU3LUdRA CFNEs2hI1uS/IY22LFZmzZ09OvVeJ7kpsxd5ZACogrv7bX6jK2yTUMyHOcmurFX17JVr GC3UeLqjjIwO9dqlRNFyBjUB6Knpzl11sqrgUmuPnK9oYlT/1leFb9001sa0kCeP1/N1 nDFg== X-Gm-Message-State: APjAAAUAeR5ttLFXpaBD6sToBsbnAwIpYSjJga4Dn7yMdD/DzK43idSJ EkKV7jYTWDfcdNTc3A82Fzg/Ws3a/DeQvktBMjB0ysEFpSs= X-Google-Smtp-Source: APXvYqzumrng90jkIfbBLU7fDZd/qU3JI2V43WqgFg86Aeyg+t0BewnS9HPGkbBeXtjVOMeJs9BXjig5wfJCdgaE2LI= X-Received: by 2002:aca:ccd1:: with SMTP id c200mr9810023oig.157.1574968766126; Thu, 28 Nov 2019 11:19:26 -0800 (PST) MIME-Version: 1.0 References: <254505c9-2b76-ebeb-306c-02aaf1704b88@kernel.dk> <1d3a458a-fa79-5e33-b5ce-b473122f6d1a@kernel.dk> In-Reply-To: From: Jann Horn Date: Thu, 28 Nov 2019 20:18:55 +0100 Message-ID: Subject: Re: [PATCH RFC] signalfd: add support for SFD_TASK To: Rasmus Villemoes Cc: Jens Axboe , io-uring , "linux-kernel@vger.kernel.org" , linux-fsdevel Content-Type: text/plain; charset="UTF-8" Sender: io-uring-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: io-uring@vger.kernel.org On Thu, Nov 28, 2019 at 11:07 AM Jann Horn wrote: > On Thu, Nov 28, 2019 at 10:02 AM Rasmus Villemoes > wrote: > > On 28/11/2019 00.27, Jann Horn wrote: > > > > > One more thing, though: We'll have to figure out some way to > > > invalidate the fd when the target goes through execve(), in particular > > > if it's a setuid execution. Otherwise we'll be able to just steal > > > signals that were intended for the other task, that's probably not > > > good. > > > > > > So we should: > > > a) prevent using ->wait() on an old signalfd once the task has gone > > > through execve() > > > b) kick off all existing waiters > > > c) most importantly, prevent ->read() on an old signalfd once the > > > task has gone through execve() > > > > > > We probably want to avoid using the cred_guard_mutex here, since it is > > > quite broad and has some deadlocking issues; it might make sense to > > > put the update of ->self_exec_id in fs/exec.c under something like the > > > siglock, > > > > What prevents one from exec'ing a trivial helper 2^32-1 times before > > exec'ing into the victim binary? > > Uh, yeah... that thing should probably become 64 bits wide, too. Actually, that'd still be wrong even with the existing kernel code for two reasons: - if you reparent to a subreaper, the existing exec_id comparison breaks - the new check here is going to break if a non-leader thread goes through execve(), because of the weird magic where the thread going through execve steals the thread id (PID) of the leader I'm gone for the day, but will try to dust off the years-old patch for this that I have lying around somewhere tomorrow. I should probably send it through akpm's tree with cc stable, given that this is already kinda broken in existing releases...