From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.4 required=3.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 53C4DC3F2DA for ; Mon, 2 Mar 2020 17:37:57 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 244D722B48 for ; Mon, 2 Mar 2020 17:37:57 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="tvXmHHsd" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727250AbgCBRhz (ORCPT ); Mon, 2 Mar 2020 12:37:55 -0500 Received: from mail-ot1-f67.google.com ([209.85.210.67]:45057 "EHLO mail-ot1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726997AbgCBRhz (ORCPT ); Mon, 2 Mar 2020 12:37:55 -0500 Received: by mail-ot1-f67.google.com with SMTP id f21so14529otp.12 for ; Mon, 02 Mar 2020 09:37:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/ZAKVb1y956pqysbIHLXaqWd9Ys3FR5AQaat5ayTW2U=; b=tvXmHHsdwC2ZHXs+RdxnZLvNNTOIQtXQo8+c4NIG9SwSrx3X2qfM4PFM54/x5xFwJp cfFlhvQc0zBKaRaTBUYJdf4weoUwAZE/jWkqSkDz7QQA2gBwflEvwBaARHqOO3jfoZWe H3HzZ3d8YIZfEn42qsIaSNuiAQiMlVeuHwsGHfdJ91w4d3C9kQ6guQceh2DHy3g/ptV8 GD9luNMoxl/wmt0z1ZAyx7TT3Evb8ThhnGs8bzJ/crBzhPs02h3kMtaJVJfzx4+AOqh4 0/3m1NcszFU4y0wqzn15zw+AD7m87pgt2c5Z3r/ZdcO5TYFDuZe7cntLaqgpzosYUE3y +q/Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/ZAKVb1y956pqysbIHLXaqWd9Ys3FR5AQaat5ayTW2U=; b=KunwKsiZnDFx2x0xXovqsPhhxNoUtA1g4t7dDZQve2bOitFxYWL9j1hMr6PbRF11WO JahZdEjA+990War+5tr89grYcCJWHFFfIKafiCBTQSt4TvDIC0U6gGC7x5TrivuZbs8p ZGQJTifXbv6l9438wAHLdB1ypfKFZCHOWEShpfzNPl2Zv9GcJxBwnNh/azIMseiS5O9U pUCo54ehyv8l/fcS/zZ9+Qmtg+UVy1KjC7Is1UfDzS7gTr8mxldZiuG+m7ac4nDxcteM 2/KkbUCqq0mzytuy7ohz6Ub2xTg5Zu/m7z6MGGp2R/r5SUbidTEKFEB1AzLwR2/vQi1V KgcQ== X-Gm-Message-State: ANhLgQ06vomMz2YhDD0kEyvCjHngoAgFlyQ5AgO+FCf5FsIX81IFhFr9 TVYE27I4r0vPQIMXMeQqfa8Q7e+QhJB0mZb74NtpPA== X-Google-Smtp-Source: ADFU+vtHoXXslAIJ9PskP6M3hEdJM3ncRGi/PdHfdHEyUI3a6T8IzVZn8NhUDRURCHCZlf8D86bKwYn9TcyfdRsVwhY= X-Received: by 2002:a05:6830:1d6e:: with SMTP id l14mr256675oti.32.1583170673984; Mon, 02 Mar 2020 09:37:53 -0800 (PST) MIME-Version: 1.0 References: <20200301185244.zkofjus6xtgkx4s3@wittgenstein> <87a74zmfc9.fsf@x220.int.ebiederm.org> <87k142lpfz.fsf@x220.int.ebiederm.org> <875zfmloir.fsf@x220.int.ebiederm.org> In-Reply-To: From: Jann Horn Date: Mon, 2 Mar 2020 18:37:27 +0100 Message-ID: Subject: Re: [PATCHv2] exec: Fix a deadlock in ptrace To: Bernd Edlinger Cc: "Eric W. Biederman" , James Morris , Christian Brauner , Jonathan Corbet , Alexander Viro , Andrew Morton , Alexey Dobriyan , Thomas Gleixner , Oleg Nesterov , Frederic Weisbecker , Andrei Vagin , Ingo Molnar , "Peter Zijlstra (Intel)" , Yuyang Du , David Hildenbrand , Sebastian Andrzej Siewior , Anshuman Khandual , David Howells , Kees Cook , Greg Kroah-Hartman , Shakeel Butt , Jason Gunthorpe , Christian Kellner , Andrea Arcangeli , Aleksa Sarai , "Dmitry V. Levin" , "linux-doc@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" , "linux-mm@kvack.org" , "stable@vger.kernel.org" , linux-security-module Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Mar 2, 2020 at 6:01 PM Bernd Edlinger wrote: > On 3/2/20 5:43 PM, Jann Horn wrote: > > On Mon, Mar 2, 2020 at 5:19 PM Eric W. Biederman wrote: > >> > >> Bernd Edlinger writes: > >> > >>> On 3/2/20 4:57 PM, Eric W. Biederman wrote: > >>>> Bernd Edlinger writes: > >>>> > >>>>> > >>>>> I tried this with s/EACCESS/EACCES/. > >>>>> > >>>>> The test case in this patch is not fixed, but strace does not freeze, > >>>>> at least with my setup where it did freeze repeatable. > >>>> > >>>> Thanks, That is what I was aiming at. > >>>> > >>>> So we have one method we can pursue to fix this in practice. > >>>> > >>>>> That is > >>>>> obviously because it bypasses the cred_guard_mutex. But all other > >>>>> process that access this file still freeze, and cannot be > >>>>> interrupted except with kill -9. > >>>>> > >>>>> However that smells like a denial of service, that this > >>>>> simple test case which can be executed by guest, creates a /proc/$pid/mem > >>>>> that freezes any process, even root, when it looks at it. > >>>>> I mean: "ln -s README /proc/$pid/mem" would be a nice bomb. > >>>> > >>>> Yes. Your the test case in your patch a variant of the original > >>>> problem. > >>>> > >>>> > >>>> I have been staring at this trying to understand the fundamentals of the > >>>> original deeper problem. > >>>> > >>>> The current scope of cred_guard_mutex in exec is because being ptraced > >>>> causes suid exec to act differently. So we need to know early if we are > >>>> ptraced. > >>>> > >>> > >>> It has a second use, that it prevents two threads entering execve, > >>> which would probably result in disaster. > >> > >> Exec can fail with an error code up until de_thread. de_thread causes > >> exec to fail with the error code -EAGAIN for the second thread to get > >> into de_thread. > >> > >> So no. The cred_guard_mutex is not needed for that case at all. > >> > >>>> If that case did not exist we could reduce the scope of the > >>>> cred_guard_mutex in exec to where your patch puts the cred_change_mutex. > >>>> > >>>> I am starting to think reworking how we deal with ptrace and exec is the > >>>> way to solve this problem. > >> > >> > >> I am 99% convinced that the fix is to move cred_guard_mutex down. > > > > "move cred_guard_mutex down" as in "take it once we've already set up > > the new process, past the point of no return"? > > > >> Then right after we take cred_guard_mutex do: > >> if (ptraced) { > >> use_original_creds(); > >> } > >> > >> And call it a day. > >> > >> The details suck but I am 99% certain that would solve everyones > >> problems, and not be too bad to audit either. > > > > Ah, hmm, that sounds like it'll work fine at least when no LSMs are involved. > > > > SELinux normally doesn't do the execution-degrading thing, it just > > blocks the execution completely - see their selinux_bprm_set_creds() > > hook. So I think they'd still need to set some state on the task that > > says "we're currently in the middle of an execution where the target > > task will run in context X", and then check against that in the > > ptrace_may_access hook. Or I suppose they could just kill the task > > near the end of execve, although that'd be kinda ugly. > > > > We have current->in_execve for that, right? > I think when the cred_guard_mutex is taken only in the critical section, > then PTRACE_ATTACH could take the guard_mutex, and look at current->in_execve, > and just return -EAGAIN in that case, right, everybody happy :) It's probably going to mean that things like strace will just randomly fail to attach to processes if they happen to be in the middle of execve... but I guess that works?