From: Joel Fernandes <joel@joelfernandes.org>
To: Jann Horn <jannh@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Daniel Colascione <dancol@google.com>,
Christian Brauner <christian@brauner.io>,
Andrew Lutomirski <luto@kernel.org>,
David Howells <dhowells@redhat.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Linux API <linux-api@vger.kernel.org>,
Linux List Kernel Mailing <linux-kernel@vger.kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Konstantin Khlebnikov <khlebnikov@yandex-team.ru>,
Kees Cook <keescook@chromium.org>,
Alexey Dobriyan <adobriyan@gmail.com>,
Thomas Gleixner <tglx@linutronix.de>,
Michael Kerrisk-manpages <mtk.manpages@gmail.com>,
Jonathan Kowalski <bl0pbl33p@gmail.com>,
"Dmitry V. Levin" <ldv@altlinux.org>,
Andrew Morton <akpm@linux-foundation.org>,
Oleg Nesterov <oleg@redhat.com>,
Nagarathnam Muthusamy <nagarathnam.muthusamy@oracle.com>,
Aleksa Sarai <cyphar@cyphar.com>,
Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: [PATCH v2 0/5] pid: add pidfd_open()
Date: Sun, 31 Mar 2019 00:08:10 -0400 [thread overview]
Message-ID: <20190331040810.GB189578@google.com> (raw)
In-Reply-To: <CAG48ez387kGbD_dLqEbZ1U9rKFbfP0EF9cMVjQT6nwc9=Y9CNw@mail.gmail.com>
On Sun, Mar 31, 2019 at 04:34:57AM +0200, Jann Horn wrote:
> On Sun, Mar 31, 2019 at 3:07 AM Joel Fernandes <joel@joelfernandes.org> wrote:
> > As I said I don't really care about "pidfd" solving any racing issues with
> > /proc/<pid>/* accesses - because I still find it hard to imagine that the pid
> > number can be reused easily from the time you know which <pid> to deal with,
> > to the time when you want to read, say, the /proc/<pid>/status file.
>
> There have been several Android security bugs related to PID reuse.
Yes PID reuse will be a problem till we have pidfd_clone and
pidfd_send_signal (and any other pidfd related syscalls). I've never denied
PID reuse is *currently* a problem and the set of pidfd syscalls being
proposed are designed to avoid those. So I'm not fully sure what you mean.
Anyway, I would love to see those security bugs you mentioned if you could
point me to them.
> > I am yet
> > to see any real data to show that such overflow happens - you literally need
> > 32k process deaths and forks in such a short time frame
>
> This seems very inaccurate to me.
>
> The time frame in which the PID has to wrap around is not the time
> between process death and use of the PID. It is the time between *the
> creation* of the old process and the use of the PID. Consider the
> following sequence of events:
>
> - process A starts with PID 1000
> - some time passes in which some process repeatedly forks, with PIDs
> wrapping around to 999
> - process B starts an attempt to access process A (using PID 1000)
> - process A dies
> - process C spawns with PID 1000
> - process B accidentally accesses process C
>
> Also, it's probably worth clarifying that here, "processes" means "threads".
>
> If there are a lot of active processes, that reduces the number of
> times you have to clone() to get the PID to wrap around.
Ok, that's fair and I take your point. But I wonder what access you're
talking about, is it killing the process? If yes, pidfd_clone +
pidfd_send_signal will solve that in the race free way without relying on the
PID number. Is it accessing /proc/<pid>/? then see below.
> > and on 64-bit, that
> > number is really high
>
> Which number is really high on 64-bit? Checking on a walleye phone,
> pid_max is still only 32768:
>
> walleye:/ # cat /proc/sys/kernel/pid_max
> 32768
> walleye:/ #
Ok. I was talking about the theoretical limit of pid_max on a 64-bit
platform. But since we are talking about NOT relying on the PID number in the
first place, we can move on from this point.
> > that its not even an issue. And if this is really an
> > issue, then you can just open a handle to /proc/<pid> at process creation
> > time and keep it around. If the <pid> is reused, you can still use openat(2)
> > on that handle without any races.
>
> But not if you want to implement something like killall in a
> race-free way, for example.
I am not at all talking about killing processes in your last quote of my
email above, I'm talking about access to /proc/<pid>/ files.
As I said, at the time of process creation, you can obtain an fd by opening
/proc/<pid>/ and keep it open. Then you can do an openat(2) on that fd
without worrying at <pid> reuse, no? And then access all the files that way.
As for killall in Android. I don't think that "killing processes by name" is
relied on for the runtime operation of Android. That would be a very bad
idea. Low memory killer does not kill processes by name. It kills processes
by the PID number using kill(2) which we'd like to replace with
pidfd_send_signal.
Again if you want to convince Linus about having a "pidfd to procfd"
conversion mechanism, then by all means go for it. I just don't think it is
urgently necessary (and others may disagree with me on this), but I wouldn't
care if such a mechanism existed either. Whatever we do, I just want the
notion of "pidfd" to be consistent as I mentioned in my previous email.
thank you!
- Joel
next prev parent reply other threads:[~2019-03-31 4:08 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-29 15:54 [PATCH v2 0/5] pid: add pidfd_open() Christian Brauner
2019-03-29 15:54 ` [PATCH v2 1/5] Make anon_inodes unconditional Christian Brauner
2019-03-29 15:54 ` [PATCH v2 2/5] pid: add pidfd_open() Christian Brauner
2019-03-29 23:45 ` Jann Horn
2019-03-29 23:55 ` Christian Brauner
2019-03-30 11:53 ` Jürg Billeter
2019-03-30 14:37 ` Christian Brauner
2019-03-30 14:51 ` Jonathan Kowalski
2019-03-29 15:54 ` [PATCH v2 3/5] signal: support pidfd_open() with pidfd_send_signal() Christian Brauner
2019-03-29 15:54 ` [PATCH v2 4/5] signal: PIDFD_SIGNAL_TID threads via pidfds Christian Brauner
2019-03-30 1:06 ` Jann Horn
2019-03-30 1:22 ` Christian Brauner
2019-03-30 1:34 ` Christian Brauner
2019-03-30 1:42 ` Christian Brauner
2019-03-29 15:54 ` [PATCH v2 5/5] tests: add pidfd_open() tests Christian Brauner
2019-03-30 16:09 ` [PATCH v2 0/5] pid: add pidfd_open() Linus Torvalds
2019-03-30 16:11 ` Daniel Colascione
2019-03-30 16:16 ` Linus Torvalds
2019-03-30 16:18 ` Linus Torvalds
2019-03-31 1:07 ` Joel Fernandes
2019-03-31 2:34 ` Jann Horn
2019-03-31 4:08 ` Joel Fernandes [this message]
2019-03-31 4:46 ` Jann Horn
2019-03-31 14:52 ` Linus Torvalds
2019-03-31 15:05 ` Christian Brauner
2019-03-31 15:21 ` Daniel Colascione
2019-03-31 15:33 ` Jonathan Kowalski
2019-03-30 16:19 ` Christian Brauner
2019-03-30 16:24 ` Linus Torvalds
2019-03-30 16:34 ` Daniel Colascione
2019-03-30 16:38 ` Christian Brauner
2019-03-30 17:04 ` Linus Torvalds
2019-03-30 17:12 ` Christian Brauner
2019-03-30 17:24 ` Linus Torvalds
2019-03-30 17:37 ` Christian Brauner
2019-03-30 17:50 ` Jonathan Kowalski
2019-03-30 17:52 ` Christian Brauner
2019-03-30 17:59 ` Jonathan Kowalski
2019-03-30 18:02 ` Christian Brauner
2019-03-30 18:00 ` Jann Horn
2019-03-31 20:09 ` Andy Lutomirski
2019-03-31 21:03 ` Linus Torvalds
2019-03-31 21:10 ` Christian Brauner
2019-03-31 21:17 ` Linus Torvalds
2019-03-31 22:03 ` Christian Brauner
2019-03-31 22:16 ` Linus Torvalds
2019-03-31 22:33 ` Christian Brauner
2019-04-01 0:52 ` Jann Horn
2019-04-01 8:47 ` Yann Droneaud
2019-04-01 10:03 ` Jonathan Kowalski
2019-03-31 23:40 ` Linus Torvalds
2019-04-01 0:09 ` Al Viro
2019-04-01 0:18 ` Linus Torvalds
2019-04-01 0:21 ` Christian Brauner
2019-04-01 6:37 ` Al Viro
2019-04-01 6:41 ` Al Viro
2019-03-31 22:03 ` Jonathan Kowalski
2019-04-01 2:13 ` Andy Lutomirski
2019-04-01 11:40 ` Aleksa Sarai
2019-04-01 15:36 ` Linus Torvalds
2019-04-01 15:47 ` Christian Brauner
2019-04-01 15:55 ` Daniel Colascione
2019-04-01 16:01 ` Linus Torvalds
2019-04-01 16:13 ` Daniel Colascione
2019-04-01 19:42 ` Christian Brauner
2019-04-01 21:30 ` Linus Torvalds
2019-04-01 21:58 ` Jonathan Kowalski
2019-04-01 22:13 ` Linus Torvalds
2019-04-01 22:34 ` Daniel Colascione
2019-04-01 16:07 ` Jonathan Kowalski
2019-04-01 16:15 ` Linus Torvalds
2019-04-01 16:27 ` Jonathan Kowalski
2019-04-01 16:21 ` Daniel Colascione
2019-04-01 16:29 ` Linus Torvalds
2019-04-01 16:45 ` Daniel Colascione
2019-04-01 17:00 ` David Laight
2019-04-01 17:32 ` Linus Torvalds
2019-04-02 11:03 ` Florian Weimer
2019-04-01 16:10 ` Andy Lutomirski
2019-04-01 12:04 ` Christian Brauner
2019-04-01 13:43 ` Jann Horn
2019-03-31 21:19 ` Christian Brauner
2019-03-30 16:37 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190331040810.GB189578@google.com \
--to=joel@joelfernandes.org \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=bl0pbl33p@gmail.com \
--cc=christian@brauner.io \
--cc=cyphar@cyphar.com \
--cc=dancol@google.com \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=khlebnikov@yandex-team.ru \
--cc=ldv@altlinux.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mtk.manpages@gmail.com \
--cc=nagarathnam.muthusamy@oracle.com \
--cc=oleg@redhat.com \
--cc=serge@hallyn.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).