From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jann Horn <jannh@google.com>,
Tom Gundersen <teg@jklm.no>,
David Herrmann <dh.herrmann@gmail.com>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 3.18 32/47] fork: record start_time late
Date: Fri, 11 Jan 2019 15:08:17 +0100 [thread overview]
Message-ID: <20190111131000.231010024@linuxfoundation.org> (raw)
In-Reply-To: <20190111130956.170952125@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Herrmann <dh.herrmann@gmail.com>
commit 7b55851367136b1efd84d98fea81ba57a98304cf upstream.
This changes the fork(2) syscall to record the process start_time after
initializing the basic task structure but still before making the new
process visible to user-space.
Technically, we could record the start_time anytime during fork(2). But
this might lead to scenarios where a start_time is recorded long before
a process becomes visible to user-space. For instance, with
userfaultfd(2) and TLS, user-space can delay the execution of fork(2)
for an indefinite amount of time (and will, if this causes network
access, or similar).
By recording the start_time late, it much closer reflects the point in
time where the process becomes live and can be observed by other
processes.
Lastly, this makes it much harder for user-space to predict and control
the start_time they get assigned. Previously, user-space could fork a
process and stall it in copy_thread_tls() before its pid is allocated,
but after its start_time is recorded. This can be misused to later-on
cycle through PIDs and resume the stalled fork(2) yielding a process
that has the same pid and start_time as a process that existed before.
This can be used to circumvent security systems that identify processes
by their pid+start_time combination.
Even though user-space was always aware that start_time recording is
flaky (but several projects are known to still rely on start_time-based
identification), changing the start_time to be recorded late will help
mitigate existing attacks and make it much harder for user-space to
control the start_time a process gets assigned.
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Tom Gundersen <teg@jklm.no>
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/fork.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1321,8 +1321,6 @@ static struct task_struct *copy_process(
posix_cpu_timers_init(p);
- p->start_time = ktime_get_ns();
- p->real_start_time = ktime_get_boot_ns();
p->io_context = NULL;
p->audit_context = NULL;
if (clone_flags & CLONE_THREAD)
@@ -1487,6 +1485,17 @@ static struct task_struct *copy_process(
spin_lock(¤t->sighand->siglock);
/*
+ * From this point on we must avoid any synchronous user-space
+ * communication until we take the tasklist-lock. In particular, we do
+ * not want user-space to be able to predict the process start-time by
+ * stalling fork(2) after we recorded the start_time but before it is
+ * visible to the system.
+ */
+
+ p->start_time = ktime_get_ns();
+ p->real_start_time = ktime_get_boot_ns();
+
+ /*
* Copy seccomp details explicitly here, in case they were changed
* before holding sighand lock.
*/
next prev parent reply other threads:[~2019-01-11 14:15 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-11 14:07 [PATCH 3.18 00/47] 3.18.132-stable review Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 01/47] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 02/47] USB: serial: option: add HP lt4132 Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 03/47] mmc: core: Reset HPI enabled state during re-init and in case of errors Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 04/47] mmc: omap_hsmmc: fix DMA API warning Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 05/47] gpio: max7301: fix driver for use with CONFIG_VMAP_STACK Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 06/47] Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 07/47] x86/mtrr: Dont copy uninitialized gentry fields back to userspace Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 08/47] ax25: fix a use-after-free in ax25_fillin_cb() Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 09/47] ibmveth: fix DMA unmap error in ibmveth_xmit_start error path Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 10/47] ipv6: explicitly initialize udp6_addr in udp_sock_create6() Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 11/47] isdn: fix kernel-infoleak in capi_unlocked_ioctl Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 12/47] netrom: fix locking in nr_find_socket() Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 13/47] packet: validate address length Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 14/47] packet: validate address length if non-zero Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 15/47] sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 16/47] vhost: make sure used idx is seen before log in vhost_add_used_n() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 17/47] VSOCK: Send reset control packet when socket is partially bound Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 18/47] xen/netfront: tolerate frags with no data Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 19/47] sock: Make sock->sk_stamp thread-safe Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 20/47] USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 21/47] usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 22/47] KVM: x86: Use jmp to invoke kvm_spurious_fault() from .fixup Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 23/47] ext4: fix possible use after free in ext4_quota_enable Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 24/47] ext4: missing unlock/put_page() in ext4_try_to_write_inline_data() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 25/47] ext4: force inode writes when nfsd calls commit_metadata() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 26/47] cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 27/47] media: vivid: free bitmap_cap when updating std/timings/etc Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 28/47] MIPS: Ensure pmd_present() returns false after pmd_mknotpresent() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 29/47] MIPS: Align kernel load address to 64KB Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 30/47] CIFS: Fix error mapping for SMB2_LOCK command which caused OFD lock problem Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 31/47] scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown Greg Kroah-Hartman
2019-01-11 14:08 ` Greg Kroah-Hartman [this message]
2019-01-11 14:08 ` [PATCH 3.18 33/47] sunrpc: fix cache_head leak due to queued request Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 34/47] sunrpc: use SVC_NET() in svcauth_gss_* functions Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 35/47] ALSA: cs46xx: Potential NULL dereference in probe Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 36/47] ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 37/47] ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 38/47] dlm: fixed memory leaks after failed ls_remove_names allocation Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 39/47] dlm: possible memory leak on error path in create_lkb() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 40/47] dlm: lost put_lkb on error path in receive_convert() and receive_unlock() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 41/47] dlm: memory leaks on error path in dlm_user_request() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 42/47] gfs2: Fix loop in gfs2_rbm_find Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 43/47] b43: Fix error in cordic routine Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 44/47] 9p/net: put a lower bound on msize Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 45/47] ceph: dont update importing caps mseq when handing cap export Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 46/47] genwqe: Fix size check Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 47/47] power: supply: olpc_battery: correct the temperature units Greg Kroah-Hartman
2019-01-11 21:50 ` [PATCH 3.18 00/47] 3.18.132-stable review shuah
2019-01-12 14:58 ` Harsh Shandilya
2019-01-12 17:42 ` Guenter Roeck
2019-01-13 7:44 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190111131000.231010024@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dh.herrmann@gmail.com \
--cc=jannh@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=teg@jklm.no \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).