From: Bernd Edlinger <bernd.edlinger@hotmail.de>
To: "Eric W. Biederman" <ebiederm@xmission.com>,
Linus Torvalds <torvalds@linux-foundation.org>
Cc: Adam Zabrocki <pi3@pi3.com.pl>,
linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com, Jann Horn <jannh@google.com>,
Oleg Nesterov <oleg@redhat.com>,
Andy Lutomirski <luto@amacapital.net>,
Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
stable@vger.kernel.org
Subject: Re: [PATCH] signal: Extend exec_id to 64bits
Date: Thu, 2 Apr 2020 09:22:28 +0200 [thread overview]
Message-ID: <AM6PR03MB51701153BF3E55EB4285EADFE4C60@AM6PR03MB5170.eurprd03.prod.outlook.com> (raw)
In-Reply-To: <87zhbvlyq7.fsf_-_@x220.int.ebiederm.org>
On 4/1/20 10:47 PM, Eric W. Biederman wrote:
>
> Replace the 32bit exec_id with a 64bit exec_id to make it impossible
> to wrap the exec_id counter. With care an attacker can cause exec_id
> wrap and send arbitrary signals to a newly exec'd parent. This
> bypasses the signal sending checks if the parent changes their
> credentials during exec.
>
> The severity of this problem can been seen that in my limited testing
> of a 32bit exec_id it can take as little as 19s to exec 65536 times.
> Which means that it can take as little as 14 days to wrap a 32bit
> exec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7
> days. Even my slower timing is in the uptime of a typical server.
> Which means self_exec_id is simply a speed bump today, and if exec
> gets noticably faster self_exec_id won't even be a speed bump.
>
> Extending self_exec_id to 64bits introduces a problem on 32bit
> architectures where reading self_exec_id is no longer atomic and can
> take two read instructions. Which means that is is possible to hit
> a window where the read value of exec_id does not match the written
> value. So with very lucky timing after this change this still
> remains expoiltable.
>
> I have updated the update of exec_id on exec to use WRITE_ONCE
> and the read of exec_id in do_notify_parent to use READ_ONCE
> to make it clear that there is no locking between these two
> locations.
>
> Link: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl
> Fixes: 2.3.23pre2
> Cc: stable@vger.kernel.org
> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Thanks
Bernd.
> ---
>
> Linus would you prefer to take this patch directly or I could put it in
> a brach and send you a pull request.
>
> fs/exec.c | 2 +-
> include/linux/sched.h | 4 ++--
> kernel/signal.c | 2 +-
> 3 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index 0e46ec57fe0a..d55710a36056 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1413,7 +1413,7 @@ void setup_new_exec(struct linux_binprm * bprm)
>
> /* An exec changes our domain. We are no longer part of the thread
> group */
> - current->self_exec_id++;
> + WRITE_ONCE(current->self_exec_id, current->self_exec_id + 1);
> flush_signal_handlers(current, 0);
> }
> EXPORT_SYMBOL(setup_new_exec);
> diff --git a/include/linux/sched.h b/include/linux/sched.h
> index 04278493bf15..0323e4f0982a 100644
> --- a/include/linux/sched.h
> +++ b/include/linux/sched.h
> @@ -939,8 +939,8 @@ struct task_struct {
> struct seccomp seccomp;
>
> /* Thread group tracking: */
> - u32 parent_exec_id;
> - u32 self_exec_id;
> + u64 parent_exec_id;
> + u64 self_exec_id;
>
> /* Protection against (de-)allocation: mm, files, fs, tty, keyrings, mems_allowed, mempolicy: */
> spinlock_t alloc_lock;
> diff --git a/kernel/signal.c b/kernel/signal.c
> index 9ad8dea93dbb..5383b562df85 100644
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -1926,7 +1926,7 @@ bool do_notify_parent(struct task_struct *tsk, int sig)
> * This is only possible if parent == real_parent.
> * Check if it has changed security domain.
> */
> - if (tsk->parent_exec_id != tsk->parent->self_exec_id)
> + if (tsk->parent_exec_id != READ_ONCE(tsk->parent->self_exec_id))
> sig = SIGCHLD;
> }
>
>
prev parent reply other threads:[~2020-04-02 7:23 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-24 21:50 Curiosity around 'exec_id' and some problems associated with it Adam Zabrocki
2020-03-29 22:43 ` Kees Cook
2020-03-30 8:34 ` Oleg Nesterov
2020-03-31 4:29 ` Adam Zabrocki
2020-04-01 20:47 ` [PATCH] signal: Extend exec_id to 64bits Eric W. Biederman
2020-04-01 20:55 ` Linus Torvalds
2020-04-01 21:03 ` Eric W. Biederman
2020-04-01 23:37 ` Jann Horn
2020-04-01 23:51 ` Linus Torvalds
2020-04-01 23:55 ` Linus Torvalds
2020-04-02 1:35 ` Jann Horn
2020-04-02 2:05 ` Linus Torvalds
2020-04-02 13:11 ` Eric W. Biederman
2020-04-02 18:06 ` Linus Torvalds
2020-04-02 4:46 ` Jann Horn
2020-04-02 14:14 ` Eric W. Biederman
2020-04-03 2:11 ` Adam Zabrocki
2020-04-02 7:19 ` Kees Cook
2020-04-02 7:22 ` Bernd Edlinger [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=AM6PR03MB51701153BF3E55EB4285EADFE4C60@AM6PR03MB5170.eurprd03.prod.outlook.com \
--to=bernd.edlinger@hotmail.de \
--cc=akpm@linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=oleg@redhat.com \
--cc=pi3@pi3.com.pl \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).