From: ebiederm@xmission.com (Eric W. Biederman)
To: Oleg Nesterov <oleg@redhat.com>
Cc: "Andrew Morton" <akpm@linux-foundation.org>,
"Mika Penttilä" <mika.penttila@nextfour.com>,
"Aleksa Sarai" <asarai@suse.com>,
"Andy Lutomirski" <luto@amacapital.net>,
"Attila Fazekas" <afazekas@redhat.com>,
"Jann Horn" <jann@thejh.net>, "Kees Cook" <keescook@chromium.org>,
"Michal Hocko" <mhocko@kernel.org>,
"Ulrich Obergfell" <uobergfe@redhat.com>,
linux-kernel@vger.kernel.org,
"David Howells" <dhowells@redhat.com>
Subject: Re: [PATCH V2 1/2] exec: don't wait for zombie threads with cred_guard_mutex held
Date: Fri, 17 Feb 2017 17:42:09 +1300 [thread overview]
Message-ID: <87k28po2ce.fsf@xmission.com> (raw)
In-Reply-To: <20170213180454.GA2858@redhat.com> (Oleg Nesterov's message of "Mon, 13 Feb 2017 19:04:54 +0100")
Oleg Nesterov <oleg@redhat.com> writes:
> de_thread() waits for other threads with ->cred_guard_mutex held and this
> is really bad because the time is not bounded, debugger can delay the exit
> and this lock has a lot of users (mostly abusers imo) in fs/proc and more.
> And this leads to deadlock if debugger tries to take the same mutex:
Oleg. I looked at the history in proc of users of cred_guard_mutex
and the proc users are grabbing cred_guard_mutex for the proper
semantic reasons. To avoid races with setuid exec that could result in
an information disclosure.
I do agree that a mutex is the wrong data structure for the job
cred_guard_mutex is performing. The job of sorting ensuring debuggers
and proc processes see either the old version or the new version of the
task.
I need to play with the code but I suspect the best we can handle this
preventing both security issues and problems in the future is to create
a new task struct and populate it appropriate with the new data from
exec (at least in the case of setuid exec).
I am thinking of generalizing the case of a non-leader exec where we
have to assume the leaders pid.
I don't yet know what the performance implications would be but
that would clean the users up a lot.
On that score I believe we can incrementally approach that point and
only grab the cred_guard_mutex in exec if we are performing an exec that
changes the processes credentials.
Right now I don't think it introduces any new security information
disclosures but the moving of flush_signal_handlers outside of
cred_guard_mutex feels wrong.
Eric
next prev parent reply other threads:[~2017-02-17 4:46 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-13 14:14 [PATCH 0/2] fix the traced mt-exec deadlock Oleg Nesterov
2017-02-13 14:15 ` [PATCH 1/2] exec: don't wait for zombie threads with cred_guard_mutex held Oleg Nesterov
2017-02-13 16:12 ` kbuild test robot
2017-02-13 16:47 ` Oleg Nesterov
2017-02-13 16:39 ` kbuild test robot
2017-02-13 17:27 ` Mika Penttilä
2017-02-13 18:01 ` Oleg Nesterov
2017-02-13 18:04 ` [PATCH V2 " Oleg Nesterov
2017-02-16 11:42 ` Eric W. Biederman
2017-02-20 15:22 ` Oleg Nesterov
2017-02-20 15:36 ` Oleg Nesterov
2017-02-20 22:30 ` Eric W. Biederman
2017-02-21 17:53 ` Oleg Nesterov
2017-02-21 20:20 ` Eric W. Biederman
2017-02-22 17:41 ` Oleg Nesterov
2017-02-17 4:42 ` Eric W. Biederman [this message]
2017-02-20 15:50 ` Oleg Nesterov
2017-02-13 14:15 ` [PATCH 2/2] ptrace: ensure PTRACE_EVENT_EXIT won't stop if the tracee is killed by exec Oleg Nesterov
2017-02-24 16:03 ` [PATCH 0/2] fix the traced mt-exec deadlock Oleg Nesterov
2017-03-03 1:05 ` Eric W. Biederman
2017-03-03 17:33 ` Oleg Nesterov
2017-03-03 18:23 ` Eric W. Biederman
2017-03-03 18:59 ` Eric W. Biederman
2017-03-03 20:06 ` Eric W. Biederman
2017-03-03 20:11 ` [RFC][PATCH] exec: Don't wait for ptraced threads to be reaped Eric W. Biederman
2017-03-04 17:03 ` Oleg Nesterov
2017-03-30 8:07 ` Eric W. Biederman
2017-04-01 5:11 ` [RFC][PATCH 0/2] exec: Fixing ptrace'd mulit-threaded hang Eric W. Biederman
2017-04-01 5:14 ` [RFC][PATCH 1/2] sighand: Count each thread group once in sighand_struct Eric W. Biederman
2017-04-01 5:16 ` [RFC][PATCH 2/2] exec: If possible don't wait for ptraced threads to be reaped Eric W. Biederman
2017-04-02 15:35 ` Oleg Nesterov
2017-04-02 18:53 ` Eric W. Biederman
2017-04-03 18:12 ` Oleg Nesterov
2017-04-03 21:04 ` Eric W. Biederman
2017-04-05 16:44 ` Oleg Nesterov
2017-04-02 15:38 ` [RFC][PATCH 0/2] exec: Fixing ptrace'd mulit-threaded hang Oleg Nesterov
2017-04-02 22:50 ` [RFC][PATCH v2 0/5] " Eric W. Biederman
2017-04-02 22:51 ` [RFC][PATCH v2 1/5] ptrace: Don't wait in PTRACE_O_TRACEEXIT for exec or coredump Eric W. Biederman
2017-04-05 16:19 ` Oleg Nesterov
2017-04-02 22:51 ` [RFC][PATCH v2 2/5] sighand: Count each thread group once in sighand_struct Eric W. Biederman
2017-04-02 22:52 ` [RFC][PATCH v2 3/5] clone: Disallown CLONE_THREAD with a shared sighand_struct Eric W. Biederman
2017-04-05 16:24 ` Oleg Nesterov
2017-04-05 17:34 ` Eric W. Biederman
2017-04-05 18:11 ` Oleg Nesterov
2017-04-02 22:53 ` [RFC][PATCH v2 4/5] exec: If possible don't wait for ptraced threads to be reaped Eric W. Biederman
2017-04-05 16:15 ` Oleg Nesterov
2017-04-02 22:57 ` [RFC][PATCH v2 5/5] signal: Don't allow accessing signal_struct by old threads after exec Eric W. Biederman
2017-04-05 16:18 ` Oleg Nesterov
2017-04-05 18:16 ` Eric W. Biederman
2017-04-06 15:48 ` Oleg Nesterov
2017-04-02 16:15 ` [RFC][PATCH] exec: Don't wait for ptraced threads to be reaped Oleg Nesterov
2017-04-02 21:07 ` Eric W. Biederman
2017-04-03 18:37 ` Oleg Nesterov
2017-04-03 22:49 ` Eric W. Biederman
2017-04-03 22:49 ` scope of cred_guard_mutex Eric W. Biederman
2017-04-05 16:08 ` Oleg Nesterov
2017-04-05 16:11 ` Kees Cook
2017-04-05 17:53 ` Eric W. Biederman
2017-04-05 18:15 ` Oleg Nesterov
2017-04-06 15:55 ` Oleg Nesterov
2017-04-07 22:07 ` Kees Cook
2017-09-04 3:19 ` [RFC][PATCH] exec: Don't wait for ptraced threads to be reaped Robert O'Callahan
2017-03-04 16:54 ` [PATCH 0/2] fix the traced mt-exec deadlock Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87k28po2ce.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=afazekas@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=asarai@suse.com \
--cc=dhowells@redhat.com \
--cc=jann@thejh.net \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mhocko@kernel.org \
--cc=mika.penttila@nextfour.com \
--cc=oleg@redhat.com \
--cc=uobergfe@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).