From: Kyle Huey
Date: Wed, 17 Nov 2021 11:09:14 -0800
Subject: Re: [REGRESSION] 5.16rc1: SA_IMMUTABLE breaks debuggers
To: Kees Cook
Cc: "Eric W. Biederman", Andrea Righi, Shuah Khan, Alexei Starovoitov, Andy Lutomirski, Will Drewry, "open list:KERNEL SELFTEST FRAMEWORK", bpf@vger.kernel.org, open list, linux-hardening@vger.kernel.org, Linus Torvalds, "Robert O'Callahan"
References: <202111171049.3F9C5F1@keescook>
List: linux-kernel@vger.kernel.org

On Wed, Nov 17, 2021 at 11:05 AM Kyle Huey wrote:
>
> On Wed, Nov 17, 2021 at 10:51 AM Kees Cook wrote:
> >
> > On Wed, Nov 17, 2021 at 10:47:13AM -0800, Kyle Huey wrote:
> > > rr, a userspace record and replay debugger[0], is completely broken on
> > > 5.16rc1. I bisected this to 00b06da29cf9dc633cdba87acd3f57f4df3fd5c7.
> > >
> > > That patch makes two changes: it blocks sigaction from changing signal
> > > handlers once the kernel has decided to force the program to take a
> > > signal, and it also stops notifying ptracers of the signal in the same
> > > circumstances. The latter behavior is just wrong. There's no reason
> > > that ptrace should not be able to observe and even change
> > > (non-SIGKILL) forced signals. It should be reverted.
> > >
> > > This behavior change is also observable in gdb. If you take a program
> > > that sets SIGSYS to SIG_IGN and then raises a SIGSYS via
> > > SECCOMP_RET_TRAP and run it under gdb on a good kernel, gdb will stop
> > > when the SIGSYS is raised, let you inspect program state, etc. After
> > > the SA_IMMUTABLE change gdb won't stop until the program has already
> > > died of SIGSYS.
> >
> > Ah, hm, this was trying to fix the case where a program trips
> > SECCOMP_RET_KILL (which is a "fatal SIGSYS"), and had been unobservable
> > before. I guess the fix was too broad...
>
> Perhaps I don't understand precisely what you mean by this, but gdb's
> behavior for a program that is SECCOMP_RET_KILLed was not changed by
> this patch (the SIGSYS is not observed until after program exit before
> or after this change).

Ah, maybe that behavior changed in 5.15 (my "before" here is a 5.14
kernel). I would argue that the debugger seeing the SIGSYS for
SECCOMP_RET_KILL is desirable though ...

- Kyle
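The scenario Kyle describes (SIGSYS set to SIG_IGN, a SECCOMP_RET_TRAP filter raising it, a ptracer watching), as an added C reproduction that is not part of this thread, of rr or of the kernel tree: the parent plays the debugger's role via ptrace(2) and reports whether it sees the SIGSYS signal-delivery stop before the child dies. The getppid(2) trap target, the four-instruction filter and the 1/0/-1 result convention are constructed for this example.

```c
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* Constructed filter: SECCOMP_RET_TRAP on getppid(2), allow everything else. */
static struct sock_filter trap_getppid[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
/* Returns 1 if the tracer saw a SIGSYS stop before the child died (the behaviour the
 * thread expects), 0 if the child died unobserved (the regression), -1 if setup failed. */
int observe_forced_sigsys(void)
{
    int status = 0, saw_stop = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct sock_fprog prog = { .len = 4, .filter = trap_getppid };
        struct rlimit no_core = { 0, 0 };
        setrlimit(RLIMIT_CORE, &no_core);   /* SIGSYS will kill the child; skip the core dump */
        signal(SIGSYS, SIG_IGN);            /* ignored, yet the kernel forces it anyway */
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) == -1 ||
            prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
            _exit(2);                       /* ptrace or seccomp not available here */
        getppid();                          /* filter fires: forced SIGSYS */
        _exit(0);
    }
    while (waitpid(pid, &status, 0) == pid && WIFSTOPPED(status)) {
        if (WSTOPSIG(status) == SIGSYS) saw_stop = 1;   /* the stop gdb would show */
        ptrace(PTRACE_CONT, pid, 0, WSTOPSIG(status));  /* re-inject and let it die */
    }
    if (WIFEXITED(status) && WEXITSTATUS(status) == 2) return -1;
    return saw_stop;
}
int main(void)
{
    int r = observe_forced_sigsys();
    printf("%s\n", r == 1 ? "tracer saw the SIGSYS stop" : r == 0 ? "child died of SIGSYS unobserved" : "setup failed");
    return r == 1 ? 0 : 1;
}
```

A result of 0 is the 5.16rc1 behaviour the report complains about; a kernel without the SA_IMMUTABLE change reports 1.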