From: Jann Horn <jannh@google.com>
To: Matthew Wilcox <willy@infradead.org>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
Alexander Viro <viro@zeniv.linux.org.uk>,
Denys Vlasenko <vda.linux@googlemail.com>,
Kees Cook <keescook@chromium.org>,
Vlastimil Babka <vbabka@suse.cz>,
"Liam R . Howlett" <liam.howlett@oracle.com>
Subject: Re: [PATCH] binfmt_elf: Take the mmap lock when walking the VMA list
Date: Mon, 31 Jan 2022 18:13:42 +0100 [thread overview]
Message-ID: <CAG48ez3MCs8d8hjBfRSQxwUTW3o64iaSwxF=UEVtk+SEme0chQ@mail.gmail.com> (raw)
In-Reply-To: <YfgPwPvopO1aqcVC@casper.infradead.org>
On Mon, Jan 31, 2022 at 5:35 PM Matthew Wilcox <willy@infradead.org> wrote:
>
> On Mon, Jan 31, 2022 at 10:26:11AM -0600, Eric W. Biederman wrote:
> > Matthew Wilcox <willy@infradead.org> writes:
> >
> > > On Mon, Jan 31, 2022 at 10:03:31AM -0600, Eric W. Biederman wrote:
> > >> "Matthew Wilcox (Oracle)" <willy@infradead.org> writes:
> > >>
> > >> > I'm not sure if the VMA list can change under us, but dump_vma_snapshot()
> > >> > is very careful to take the mmap_lock in write mode. We only need to
> > >> > take it in read mode here as we do not care if the size of the stack
> > >> > VMA changes underneath us.
> > >> >
> > >> > If it can be changed underneath us, this is a potential use-after-free
> > >> > for a multithreaded process which is dumping core.
> > >>
> > >> The problem is not multi-threaded process so much as processes that
> > >> share their mm.
> > >
> > > I don't understand the difference. I appreciate that another process can
> > > get read access to an mm through, eg, /proc, but how can another process
> > > (that isn't a thread of this process) modify the VMAs?
> >
> > There are a couple of ways.
> >
> > A classic way is a multi-threads process can call vfork, and the
> > mm_struct is shared with the child until exec is called.
>
> While true, I thought the semantics of vfork() were that the parent
> was suspended. Given that, it can't core dump until the child execs
> ... right?
>
> > A process can do this more deliberately by forking a child using
> > clone(CLONE_VM) and not including CLONE_THREAD. Supporting this case
> > is a hold over from before CLONE_THREAD was supported in the kernel and
> > such processes were used to simulate threads.
The syscall clone() is kind of the generalized version of fork() and
vfork(), and it lets you create fun combinations of these things (some
of which might be useful, others which make little sense), and e.g.
vfork() is basically just clone() with CLONE_VM (for sharing address
space) plus CLONE_VFORK (block until child exits or execs) plus
SIGCHLD (child should send SIGCHLD to parent when it terminates).
(Some combinations are disallowed, but you can IIRC make things like
threads with separate FD tables, or processes that share virtual
memory and signal handler tables but aren't actual threads.)
Note that until commit 0258b5fd7c71 ("coredump: Limit coredumps to a
single thread group", first in 5.16), coredumps would always tear down
every process that shares the MM before dumping, and the coredumping
code was trying to rely on that to protect against concurrency. (Which
at some point didn't actually work anymore, see below...)
> That is a multithreaded process then! Maybe not in the strict POSIX
> compliance sense, but the intent is to be a multithreaded process.
> ie multiple threads of execution, sharing an address space.
current_is_single_threaded() agrees with you. :P
> > It also happens that there are subsystems in the kernel that do things
> > like kthread_use_mm that can also be modifying the mm during a coredump.
>
> Yikes. That's terrifying. It's really legitimate for a kthread to
> attach to a process and start tearing down VMAs?
I don't know anything about kthreads doing this, but a fun way to
remotely mess with VMAs is userfaultfd. See
https://bugs.chromium.org/p/project-zero/issues/detail?id=1790 ("Issue
1790: Linux: missing locking between ELF coredump code and userfaultfd
VMA modification") for the long version - but the gist is that
userfaultfd can set/clear flags on virtual address ranges (implemented
as flags on VMAs), and that may involve splitting VMAs (when the
boundaries of the specified range don't correspond to existing VMA
boundaries) or merging VMAs (when the flags of adjacent VMAs become
equal). And userfaultfd can by design be used remotely on another
process (so long as that process first created the userfaultfd and
then handed it over).
That's why I added that locking in the coredumping code.
> > > Uhh .. that seems like it needs a lot more understanding of binfmt_elf
> > > than I currently possess. I'd rather spend my time working on folios
> > > than learning much more about binfmt_elf. I was just trying to fix an
> > > assertion failure with the maple tree patches (we now assert that you're
> > > holding a lock when walking the list of VMAs).
> >
> > Fair enough. I will put it on my list of things to address.
>
> Thanks. Now that I've disclosed it's a UAF, I hope you're able to
> get to it soon. Otherwise we should put this band-aid in for now
> and you can address it properly in the fullness of time.
next prev parent reply other threads:[~2022-01-31 17:15 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-31 15:37 [PATCH] binfmt_elf: Take the mmap lock when walking the VMA list Matthew Wilcox (Oracle)
2022-01-31 16:03 ` Eric W. Biederman
2022-01-31 16:13 ` Matthew Wilcox
2022-01-31 16:26 ` Eric W. Biederman
2022-01-31 16:35 ` Matthew Wilcox
2022-01-31 17:13 ` Jann Horn [this message]
2022-01-31 18:44 ` [PATCH 0/5] Fix fill_files_note Eric W. Biederman
2022-01-31 18:46 ` [PATCH 1/5] coredump: Move definition of struct coredump_params into coredump.h Eric W. Biederman
2022-02-01 1:54 ` kernel test robot
2022-02-01 4:07 ` kernel test robot
2022-01-31 18:46 ` [PATCH 2/5] coredump: Snapshot the vmas in do_coredump Eric W. Biederman
2022-02-01 18:32 ` Jann Horn
2022-02-02 15:41 ` Eric W. Biederman
2022-01-31 18:46 ` [PATCH 3/5] coredump: Remove the WARN_ON in dump_vma_snapshot Eric W. Biederman
2022-02-01 18:35 ` Jann Horn
2022-01-31 18:47 ` [PATCH 4/5] coredump/elf: Pass coredump_params into fill_note_info Eric W. Biederman
2022-02-01 18:40 ` Jann Horn
2022-01-31 18:47 ` [PATCH 5/5] coredump: Use the vma snapshot in fill_files_note Eric W. Biederman
2022-02-01 19:02 ` Jann Horn
2022-02-02 14:46 ` Eric W. Biederman
2022-01-31 20:57 ` [PATCH 0/5] Fix fill_files_note Kees Cook
2022-03-08 19:35 ` [GIT PULL] " Eric W. Biederman
2022-03-08 21:49 ` Kees Cook
2022-03-09 16:29 ` Eric W. Biederman
2022-03-09 16:32 ` Kees Cook
2022-03-09 20:27 ` Eric W. Biederman
2022-03-09 21:45 ` Kees Cook
2022-01-31 17:38 ` [PATCH] binfmt_elf: Take the mmap lock when walking the VMA list Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAG48ez3MCs8d8hjBfRSQxwUTW3o64iaSwxF=UEVtk+SEme0chQ@mail.gmail.com' \
--to=jannh@google.com \
--cc=ebiederm@xmission.com \
--cc=keescook@chromium.org \
--cc=liam.howlett@oracle.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=vbabka@suse.cz \
--cc=vda.linux@googlemail.com \
--cc=viro@zeniv.linux.org.uk \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).