From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 11405C3F2CD for ; Tue, 3 Mar 2020 08:58:34 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id C957720842 for ; Tue, 3 Mar 2020 08:58:33 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org C957720842 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=ubuntu.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 749C36B000C; Tue, 3 Mar 2020 03:58:33 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 6F9DF6B000D; Tue, 3 Mar 2020 03:58:33 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 5E8CF6B000E; Tue, 3 Mar 2020 03:58:33 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0051.hostedemail.com [216.40.44.51]) by kanga.kvack.org (Postfix) with ESMTP id 47ABF6B000C for ; Tue, 3 Mar 2020 03:58:33 -0500 (EST) Received: from smtpin29.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay01.hostedemail.com (Postfix) with ESMTP id EECCC180AD804 for ; Tue, 3 Mar 2020 08:58:32 +0000 (UTC) X-FDA: 76553450106.29.light95_84cdbf7b69450 X-HE-Tag: light95_84cdbf7b69450 X-Filterd-Recvd-Size: 6631 Received: from youngberry.canonical.com (youngberry.canonical.com [91.189.89.112]) by imf28.hostedemail.com (Postfix) with ESMTP for ; Tue, 3 Mar 2020 08:58:32 +0000 (UTC) Received: from ip5f5bf7ec.dynamic.kabel-deutschland.de ([95.91.247.236] helo=wittgenstein) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1j93NM-0006xr-6q; Tue, 03 Mar 2020 08:58:04 +0000 Date: Tue, 3 Mar 2020 09:58:02 +0100 From: Christian Brauner To: Kees Cook Cc: Bernd Edlinger , "Eric W. Biederman" , Jann Horn , Jonathan Corbet , Alexander Viro , Andrew Morton , Alexey Dobriyan , Thomas Gleixner , Oleg Nesterov , Frederic Weisbecker , Andrei Vagin , Ingo Molnar , "Peter Zijlstra (Intel)" , Yuyang Du , David Hildenbrand , Sebastian Andrzej Siewior , Anshuman Khandual , David Howells , James Morris , Greg Kroah-Hartman , Shakeel Butt , Jason Gunthorpe , Christian Kellner , Andrea Arcangeli , Aleksa Sarai , "Dmitry V. Levin" , "linux-doc@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" , "linux-mm@kvack.org" , "stable@vger.kernel.org" Subject: Re: [PATCHv4] exec: Fix a deadlock in ptrace Message-ID: <20200303085802.eqn6jbhwxtmz4j2x@wittgenstein> References: <87a74zmfc9.fsf@x220.int.ebiederm.org> <87k142lpfz.fsf@x220.int.ebiederm.org> <875zfmloir.fsf@x220.int.ebiederm.org> <87v9nmjulm.fsf@x220.int.ebiederm.org> <202003021531.C77EF10@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <202003021531.C77EF10@keescook> X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Mon, Mar 02, 2020 at 06:26:47PM -0800, Kees Cook wrote: > On Mon, Mar 02, 2020 at 10:18:07PM +0000, Bernd Edlinger wrote: > > This fixes a deadlock in the tracer when tracing a multi-threaded > > application that calls execve while more than one thread are running. > > > > I observed that when running strace on the gcc test suite, it always > > blocks after a while, when expect calls execve, because other threads > > have to be terminated. They send ptrace events, but the strace is no > > longer able to respond, since it is blocked in vm_access. > > > > The deadlock is always happening when strace needs to access the > > tracees process mmap, while another thread in the tracee starts to > > execve a child process, but that cannot continue until the > > PTRACE_EVENT_EXIT is handled and the WIFEXITED event is received: > > > > strace D 0 30614 30584 0x00000000 > > Call Trace: > > __schedule+0x3ce/0x6e0 > > schedule+0x5c/0xd0 > > schedule_preempt_disabled+0x15/0x20 > > __mutex_lock.isra.13+0x1ec/0x520 > > __mutex_lock_killable_slowpath+0x13/0x20 > > mutex_lock_killable+0x28/0x30 > > mm_access+0x27/0xa0 > > process_vm_rw_core.isra.3+0xff/0x550 > > process_vm_rw+0xdd/0xf0 > > __x64_sys_process_vm_readv+0x31/0x40 > > do_syscall_64+0x64/0x220 > > entry_SYSCALL_64_after_hwframe+0x44/0xa9 > > > > expect D 0 31933 30876 0x80004003 > > Call Trace: > > __schedule+0x3ce/0x6e0 > > schedule+0x5c/0xd0 > > flush_old_exec+0xc4/0x770 > > load_elf_binary+0x35a/0x16c0 > > search_binary_handler+0x97/0x1d0 > > __do_execve_file.isra.40+0x5d4/0x8a0 > > __x64_sys_execve+0x49/0x60 > > do_syscall_64+0x64/0x220 > > entry_SYSCALL_64_after_hwframe+0x44/0xa9 > > > > The proposed solution is to take the cred_guard_mutex only > > in a critical section at the beginning, and at the end of the > > execve function, and let PTRACE_ATTACH fail with EAGAIN while > > execve is not complete, but other functions like vm_access are > > allowed to complete normally. > > Sorry to be bummer, but I don't think this will work. A few more things > during the exec process depend on cred_guard_mutex being held. > > If I'm reading this patch correctly, this changes the lifetime of the > cred_guard_mutex lock to be: > - during prepare_bprm_creds() > - from flush_old_exec() through install_exec_creds() > Before, cred_guard_mutex was held from prepare_bprm_creds() through > install_exec_creds(). > > That means, for example, that check_unsafe_exec()'s documented invariant > is violated: > /* > * determine how safe it is to execute the proposed program > * - the caller must hold ->cred_guard_mutex to protect against > * PTRACE_ATTACH or seccomp thread-sync > */ > static void check_unsafe_exec(struct linux_binprm *bprm) ... > which is looking at no_new_privs as well as other details, and making > decisions about the bprm state from the current state. > > I think it also means that the potentially multiple invocations > of bprm_fill_uid() (via prepare_binprm() via binfmt_script.c and > binfmt_misc.c) would be changing bprm->cred details (uid, gid) without > a lock (another place where current's no_new_privs is evaluated). > > Related, it also means that cred_guard_mutex is unheld for every > invocation of search_binary_handler() (which can loop via the previously > mentioned binfmt_script.c and binfmt_misc.c), if any of them have hidden > dependencies on cred_guard_mutex. (Thought I only see bprm_fill_uid() > currently.) So one issue I see with having to reacquire the cred_guard_mutex might be that this would allow tasks holding the cred_guard_mutex to block a killed exec'ing task from exiting, right?