From: Dmitry Safonov <dima@arista.com>
To: linux-kernel@vger.kernel.org
Cc: Dmitry Safonov <0x7f454c46@gmail.com>,
Dmitry Safonov <dima@arista.com>, Adrian Reber <adrian@lisas.de>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Andrei Vagin <avagin@openvz.org>,
Andy Lutomirski <luto@kernel.org>,
Cyrill Gorcunov <gorcunov@openvz.org>,
Ingo Molnar <mingo@redhat.com>, Oleg Nesterov <oleg@redhat.com>,
Pavel Emelyanov <xemul@virtuozzo.com>,
Thomas Gleixner <tglx@linutronix.de>,
containers@lists.linux-foundation.org,
linux-fsdevel@vger.kernel.org
Subject: [PATCH 2/9] restart_block: Prevent userspace set part of the block
Date: Mon, 9 Sep 2019 11:23:33 +0100 [thread overview]
Message-ID: <20190909102340.8592-3-dima@arista.com> (raw)
In-Reply-To: <20190909102340.8592-1-dima@arista.com>
Parameters for nanosleep() could be chosen the way to make
hrtimer_nanosleep() fail. In that case changes to restarter_block bring
it into inconsistent state. Luckily, it won't corrupt anything critical
for poll() or futex(). But as it's not evident that userspace may do
tricks in the union changing restart_block for other @fs(s) - than
further changes in the code may create a potential local vulnerability.
I.e., if userspace could do tricks with poll() or futex() than
corruption to @clockid or @type would trigger BUG() in timer code.
Set @fn every time restart_block is changed, preventing surprises.
Also, add a comment for any new restart_block user.
Signed-off-by: Dmitry Safonov <dima@arista.com>
---
include/linux/restart_block.h | 4 ++++
kernel/time/hrtimer.c | 8 +++++---
kernel/time/posix-cpu-timers.c | 6 +++---
kernel/time/posix-stubs.c | 8 +++++---
kernel/time/posix-timers.c | 8 +++++---
5 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/include/linux/restart_block.h b/include/linux/restart_block.h
index e5078cae5567..e66e982105f4 100644
--- a/include/linux/restart_block.h
+++ b/include/linux/restart_block.h
@@ -21,6 +21,10 @@ enum timespec_type {
/*
* System call restart block.
+ *
+ * Safety rule: if you change anything inside @restart_block,
+ * set @fn to keep the structure in consistent state and prevent
+ * userspace tricks in the union.
*/
struct restart_block {
long (*fn)(struct restart_block *);
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index 5ee77f1a8a92..4ba2b50d068f 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -1762,8 +1762,9 @@ SYSCALL_DEFINE2(nanosleep, struct __kernel_timespec __user *, rqtp,
if (!timespec64_valid(&tu))
return -EINVAL;
- current->restart_block.nanosleep.type = rmtp ? TT_NATIVE : TT_NONE;
- current->restart_block.nanosleep.rmtp = rmtp;
+ current->restart_block.fn = do_no_restart_syscall;
+ current->restart_block.nanosleep.type = rmtp ? TT_NATIVE : TT_NONE;
+ current->restart_block.nanosleep.rmtp = rmtp;
return hrtimer_nanosleep(&tu, HRTIMER_MODE_REL, CLOCK_MONOTONIC);
}
@@ -1782,7 +1783,8 @@ SYSCALL_DEFINE2(nanosleep_time32, struct old_timespec32 __user *, rqtp,
if (!timespec64_valid(&tu))
return -EINVAL;
- current->restart_block.nanosleep.type = rmtp ? TT_COMPAT : TT_NONE;
+ current->restart_block.fn = do_no_restart_syscall;
+ current->restart_block.nanosleep.type = rmtp ? TT_COMPAT : TT_NONE;
current->restart_block.nanosleep.compat_rmtp = rmtp;
return hrtimer_nanosleep(&tu, HRTIMER_MODE_REL, CLOCK_MONOTONIC);
}
diff --git a/kernel/time/posix-cpu-timers.c b/kernel/time/posix-cpu-timers.c
index 0a426f4e3125..b4dddf74dd15 100644
--- a/kernel/time/posix-cpu-timers.c
+++ b/kernel/time/posix-cpu-timers.c
@@ -1243,6 +1243,8 @@ void set_process_cpu_timer(struct task_struct *tsk, unsigned int clock_idx,
tick_dep_set_signal(tsk->signal, TICK_DEP_BIT_POSIX_TIMER);
}
+static long posix_cpu_nsleep_restart(struct restart_block *restart_block);
+
static int do_cpu_nanosleep(const clockid_t which_clock, int flags,
const struct timespec64 *rqtp)
{
@@ -1330,6 +1332,7 @@ static int do_cpu_nanosleep(const clockid_t which_clock, int flags,
* Report back to the user the time still remaining.
*/
restart = ¤t->restart_block;
+ restart->fn = posix_cpu_nsleep_restart;
restart->nanosleep.expires = expires;
if (restart->nanosleep.type != TT_NONE)
error = nanosleep_copyout(restart, &it.it_value);
@@ -1338,8 +1341,6 @@ static int do_cpu_nanosleep(const clockid_t which_clock, int flags,
return error;
}
-static long posix_cpu_nsleep_restart(struct restart_block *restart_block);
-
static int posix_cpu_nsleep(const clockid_t which_clock, int flags,
const struct timespec64 *rqtp)
{
@@ -1361,7 +1362,6 @@ static int posix_cpu_nsleep(const clockid_t which_clock, int flags,
if (flags & TIMER_ABSTIME)
return -ERESTARTNOHAND;
- restart_block->fn = posix_cpu_nsleep_restart;
restart_block->nanosleep.clockid = which_clock;
}
return error;
diff --git a/kernel/time/posix-stubs.c b/kernel/time/posix-stubs.c
index 67df65f887ac..d73039a9ca8f 100644
--- a/kernel/time/posix-stubs.c
+++ b/kernel/time/posix-stubs.c
@@ -142,8 +142,9 @@ SYSCALL_DEFINE4(clock_nanosleep, const clockid_t, which_clock, int, flags,
return -EINVAL;
if (flags & TIMER_ABSTIME)
rmtp = NULL;
- current->restart_block.nanosleep.type = rmtp ? TT_NATIVE : TT_NONE;
- current->restart_block.nanosleep.rmtp = rmtp;
+ current->restart_block.fn = do_no_restart_syscall;
+ current->restart_block.nanosleep.type = rmtp ? TT_NATIVE : TT_NONE;
+ current->restart_block.nanosleep.rmtp = rmtp;
return hrtimer_nanosleep(&t, flags & TIMER_ABSTIME ?
HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
which_clock);
@@ -228,7 +229,8 @@ SYSCALL_DEFINE4(clock_nanosleep_time32, clockid_t, which_clock, int, flags,
return -EINVAL;
if (flags & TIMER_ABSTIME)
rmtp = NULL;
- current->restart_block.nanosleep.type = rmtp ? TT_COMPAT : TT_NONE;
+ current->restart_block.fn = do_no_restart_syscall;
+ current->restart_block.nanosleep.type = rmtp ? TT_COMPAT : TT_NONE;
current->restart_block.nanosleep.compat_rmtp = rmtp;
return hrtimer_nanosleep(&t, flags & TIMER_ABSTIME ?
HRTIMER_MODE_ABS : HRTIMER_MODE_REL,
diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
index d7f2d91acdac..0ca0bfc20aff 100644
--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -1189,8 +1189,9 @@ SYSCALL_DEFINE4(clock_nanosleep, const clockid_t, which_clock, int, flags,
return -EINVAL;
if (flags & TIMER_ABSTIME)
rmtp = NULL;
- current->restart_block.nanosleep.type = rmtp ? TT_NATIVE : TT_NONE;
- current->restart_block.nanosleep.rmtp = rmtp;
+ current->restart_block.fn = do_no_restart_syscall;
+ current->restart_block.nanosleep.type = rmtp ? TT_NATIVE : TT_NONE;
+ current->restart_block.nanosleep.rmtp = rmtp;
return kc->nsleep(which_clock, flags, &t);
}
@@ -1216,7 +1217,8 @@ SYSCALL_DEFINE4(clock_nanosleep_time32, clockid_t, which_clock, int, flags,
return -EINVAL;
if (flags & TIMER_ABSTIME)
rmtp = NULL;
- current->restart_block.nanosleep.type = rmtp ? TT_COMPAT : TT_NONE;
+ current->restart_block.fn = do_no_restart_syscall;
+ current->restart_block.nanosleep.type = rmtp ? TT_COMPAT : TT_NONE;
current->restart_block.nanosleep.compat_rmtp = rmtp;
return kc->nsleep(which_clock, flags, &t);
--
2.23.0
next prev parent reply other threads:[~2019-09-09 10:23 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-09 10:23 [PATCH 0/9] restart_block: Prepare the ground for dumping timeout Dmitry Safonov
2019-09-09 10:23 ` [PATCH 1/9] futex: Remove unused uaddr2 in restart_block Dmitry Safonov
2019-09-09 10:23 ` Dmitry Safonov [this message]
2019-09-09 10:23 ` [PATCH 3/9] select: Convert __esimate_accuracy() to ktime_t Dmitry Safonov
2019-09-09 10:23 ` [PATCH 4/9] select: Micro-optimise __estimate_accuracy() Dmitry Safonov
2019-09-09 11:18 ` Cyrill Gorcunov
2019-09-09 11:50 ` Dmitry Safonov
2019-09-09 12:14 ` Cyrill Gorcunov
2019-09-19 14:05 ` Cyrill Gorcunov
2019-09-19 14:25 ` Dmitry Safonov
2019-09-09 10:23 ` [PATCH 5/9] select: Convert select_estimate_accuracy() to take ktime_t Dmitry Safonov
2019-09-09 10:23 ` [PATCH 6/9] select: Extract common code into do_sys_ppoll() Dmitry Safonov
2019-09-09 11:15 ` kbuild test robot
2019-09-09 19:48 ` kbuild test robot
2019-09-09 10:23 ` [PATCH 7/9] select: Use ktime_t in do_sys_poll() and do_poll() Dmitry Safonov
2019-09-09 10:23 ` [PATCH 8/9] select/restart_block: Convert poll's timeout to u64 Dmitry Safonov
2019-09-09 13:07 ` David Laight
2019-09-16 15:19 ` Dmitry Safonov
2019-09-09 10:23 ` [PATCH 9/9] restart_block: Make common timeout Dmitry Safonov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190909102340.8592-3-dima@arista.com \
--to=dima@arista.com \
--cc=0x7f454c46@gmail.com \
--cc=adrian@lisas.de \
--cc=avagin@openvz.org \
--cc=containers@lists.linux-foundation.org \
--cc=gorcunov@openvz.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=oleg@redhat.com \
--cc=tglx@linutronix.de \
--cc=viro@zeniv.linux.org.uk \
--cc=xemul@virtuozzo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.