From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.4 required=3.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CA42BC3F2D8 for ; Mon, 2 Mar 2020 17:37:56 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 813EE222C4 for ; Mon, 2 Mar 2020 17:37:56 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="tvXmHHsd" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 813EE222C4 Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 2305D6B0003; Mon, 2 Mar 2020 12:37:56 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 1E0C66B0005; Mon, 2 Mar 2020 12:37:56 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 0A9536B0006; Mon, 2 Mar 2020 12:37:56 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0234.hostedemail.com [216.40.44.234]) by kanga.kvack.org (Postfix) with ESMTP id E3BB46B0003 for ; Mon, 2 Mar 2020 12:37:55 -0500 (EST) Received: from smtpin08.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with ESMTP id 7C058181AEF07 for ; Mon, 2 Mar 2020 17:37:55 +0000 (UTC) X-FDA: 76551130110.08.milk86_623dd7cb4ef18 X-HE-Tag: milk86_623dd7cb4ef18 X-Filterd-Recvd-Size: 8573 Received: from mail-ot1-f68.google.com (mail-ot1-f68.google.com [209.85.210.68]) by imf28.hostedemail.com (Postfix) with ESMTP for ; Mon, 2 Mar 2020 17:37:54 +0000 (UTC) Received: by mail-ot1-f68.google.com with SMTP id j5so29193otn.10 for ; Mon, 02 Mar 2020 09:37:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/ZAKVb1y956pqysbIHLXaqWd9Ys3FR5AQaat5ayTW2U=; b=tvXmHHsdwC2ZHXs+RdxnZLvNNTOIQtXQo8+c4NIG9SwSrx3X2qfM4PFM54/x5xFwJp cfFlhvQc0zBKaRaTBUYJdf4weoUwAZE/jWkqSkDz7QQA2gBwflEvwBaARHqOO3jfoZWe H3HzZ3d8YIZfEn42qsIaSNuiAQiMlVeuHwsGHfdJ91w4d3C9kQ6guQceh2DHy3g/ptV8 GD9luNMoxl/wmt0z1ZAyx7TT3Evb8ThhnGs8bzJ/crBzhPs02h3kMtaJVJfzx4+AOqh4 0/3m1NcszFU4y0wqzn15zw+AD7m87pgt2c5Z3r/ZdcO5TYFDuZe7cntLaqgpzosYUE3y +q/Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/ZAKVb1y956pqysbIHLXaqWd9Ys3FR5AQaat5ayTW2U=; b=OWKKFMSnyA+JtuFb0Q/sUVb7nGCFb/qKoJhaOvRuReX/tvipTPumIyuZEmQh1qV1rU AcU0eoCcN+0OlL7LhnK1EO8sC5sSudUooBTN2l8ItVG/t7aEeWqvdY5fBtdRUV90kbxA lp2q9Hapyuxi6ZBTPLdoRzH+P/KBGWaFO8bPC5hWm12CvFe0hAioqMcXyhpj1MFFG61p ztTd2ZbGxZxPV0F3REZ8FJrABm/mQGu9KYTSFpS+bN8f5CNqQrxyoCheJdZBlogGS4D9 nqakDT0/UhRBF27D++8P5KTVOz6yX6K5EkrkCtmkVAM5+U8DBbP/TZU6TwMG+lyfkmAa RdWQ== X-Gm-Message-State: ANhLgQ1huEU6DenbE2sWZJuKDgsjlUDxiNYnQWzWvCqE8bdzjTPItfVi qQO0FEoS1ZprxoSwM8y5CwyieDLKiLfhIJ+7N6/cIQ== X-Google-Smtp-Source: ADFU+vtHoXXslAIJ9PskP6M3hEdJM3ncRGi/PdHfdHEyUI3a6T8IzVZn8NhUDRURCHCZlf8D86bKwYn9TcyfdRsVwhY= X-Received: by 2002:a05:6830:1d6e:: with SMTP id l14mr256675oti.32.1583170673984; Mon, 02 Mar 2020 09:37:53 -0800 (PST) MIME-Version: 1.0 References: <20200301185244.zkofjus6xtgkx4s3@wittgenstein> <87a74zmfc9.fsf@x220.int.ebiederm.org> <87k142lpfz.fsf@x220.int.ebiederm.org> <875zfmloir.fsf@x220.int.ebiederm.org> In-Reply-To: From: Jann Horn Date: Mon, 2 Mar 2020 18:37:27 +0100 Message-ID: Subject: Re: [PATCHv2] exec: Fix a deadlock in ptrace To: Bernd Edlinger Cc: "Eric W. Biederman" , James Morris , Christian Brauner , Jonathan Corbet , Alexander Viro , Andrew Morton , Alexey Dobriyan , Thomas Gleixner , Oleg Nesterov , Frederic Weisbecker , Andrei Vagin , Ingo Molnar , "Peter Zijlstra (Intel)" , Yuyang Du , David Hildenbrand , Sebastian Andrzej Siewior , Anshuman Khandual , David Howells , Kees Cook , Greg Kroah-Hartman , Shakeel Butt , Jason Gunthorpe , Christian Kellner , Andrea Arcangeli , Aleksa Sarai , "Dmitry V. Levin" , "linux-doc@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" , "linux-mm@kvack.org" , "stable@vger.kernel.org" , linux-security-module Content-Type: text/plain; charset="UTF-8" X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Mon, Mar 2, 2020 at 6:01 PM Bernd Edlinger wrote: > On 3/2/20 5:43 PM, Jann Horn wrote: > > On Mon, Mar 2, 2020 at 5:19 PM Eric W. Biederman wrote: > >> > >> Bernd Edlinger writes: > >> > >>> On 3/2/20 4:57 PM, Eric W. Biederman wrote: > >>>> Bernd Edlinger writes: > >>>> > >>>>> > >>>>> I tried this with s/EACCESS/EACCES/. > >>>>> > >>>>> The test case in this patch is not fixed, but strace does not freeze, > >>>>> at least with my setup where it did freeze repeatable. > >>>> > >>>> Thanks, That is what I was aiming at. > >>>> > >>>> So we have one method we can pursue to fix this in practice. > >>>> > >>>>> That is > >>>>> obviously because it bypasses the cred_guard_mutex. But all other > >>>>> process that access this file still freeze, and cannot be > >>>>> interrupted except with kill -9. > >>>>> > >>>>> However that smells like a denial of service, that this > >>>>> simple test case which can be executed by guest, creates a /proc/$pid/mem > >>>>> that freezes any process, even root, when it looks at it. > >>>>> I mean: "ln -s README /proc/$pid/mem" would be a nice bomb. > >>>> > >>>> Yes. Your the test case in your patch a variant of the original > >>>> problem. > >>>> > >>>> > >>>> I have been staring at this trying to understand the fundamentals of the > >>>> original deeper problem. > >>>> > >>>> The current scope of cred_guard_mutex in exec is because being ptraced > >>>> causes suid exec to act differently. So we need to know early if we are > >>>> ptraced. > >>>> > >>> > >>> It has a second use, that it prevents two threads entering execve, > >>> which would probably result in disaster. > >> > >> Exec can fail with an error code up until de_thread. de_thread causes > >> exec to fail with the error code -EAGAIN for the second thread to get > >> into de_thread. > >> > >> So no. The cred_guard_mutex is not needed for that case at all. > >> > >>>> If that case did not exist we could reduce the scope of the > >>>> cred_guard_mutex in exec to where your patch puts the cred_change_mutex. > >>>> > >>>> I am starting to think reworking how we deal with ptrace and exec is the > >>>> way to solve this problem. > >> > >> > >> I am 99% convinced that the fix is to move cred_guard_mutex down. > > > > "move cred_guard_mutex down" as in "take it once we've already set up > > the new process, past the point of no return"? > > > >> Then right after we take cred_guard_mutex do: > >> if (ptraced) { > >> use_original_creds(); > >> } > >> > >> And call it a day. > >> > >> The details suck but I am 99% certain that would solve everyones > >> problems, and not be too bad to audit either. > > > > Ah, hmm, that sounds like it'll work fine at least when no LSMs are involved. > > > > SELinux normally doesn't do the execution-degrading thing, it just > > blocks the execution completely - see their selinux_bprm_set_creds() > > hook. So I think they'd still need to set some state on the task that > > says "we're currently in the middle of an execution where the target > > task will run in context X", and then check against that in the > > ptrace_may_access hook. Or I suppose they could just kill the task > > near the end of execve, although that'd be kinda ugly. > > > > We have current->in_execve for that, right? > I think when the cred_guard_mutex is taken only in the critical section, > then PTRACE_ATTACH could take the guard_mutex, and look at current->in_execve, > and just return -EAGAIN in that case, right, everybody happy :) It's probably going to mean that things like strace will just randomly fail to attach to processes if they happen to be in the middle of execve... but I guess that works?