From: Oleg Nesterov <oleg@redhat.com>
To: Matthew Dempsky <mdempsky@chromium.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Kees Cook <keescook@chromium.org>,
Julien Tinnes <jln@chromium.org>,
Roland McGrath <mcgrathr@chromium.org>,
Jan Kratochvil <jan.kratochvil@redhat.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v5] ptrace: Fix fork event messages across pid namespaces
Date: Wed, 30 Apr 2014 13:51:55 +0200 [thread overview]
Message-ID: <20140430115155.GA6077@redhat.com> (raw)
In-Reply-To: <1398818077-25107-1-git-send-email-mdempsky@chromium.org>
On 04/29, Matthew Dempsky wrote:
>
> On Tue, Apr 29, 2014 at 3:11 PM, Andrew Morton <akpm@linux-foundation.org> wrote:
> > More Oleg review would be nice, please ;)
>
> FWIW, Oleg "acked" v4 earlier in the thread. Are you asking for
> further review from him beyond that?
Yes, still/again
Acked-by: Oleg Nesterov <oleg@redhat.com>
> > Well that's a scary comment. If we're going to leave the code in this
> > state then please carefully describe (within this comment) the
> > *consequences* of the race. Does the kernel crash? Give away your ssh
> > keys? If not then what.
>
> Sorry, I can see how that comment could be scary without proper
> context. I added another sentence explaining the consequences are
> limited to the ptracer receiving a bogus pid_t value from
> PTRACE_GETEVENTMSG.
>
> > And how would userspace recognize and/or recover from the race?
>
> If the ptracer attaches via PTRACE_ATTACH, then there shouldn't be a
> race: the ptracer can't use PTRACE_SETOPTIONS to request fork events
> until after the child has already stopped. So any SIGTRAP fork events
> that it receives before using PTRACE_SETOPTIONS it should disregard,
> because it hasn't asked the kernel to send them yet.
>
> If the ptracer attaches via PTRACE_SEIZE and also requests fork events
> at the same time, then it would need to discard the first SIGTRAP it
> receives for the child if:
>
> 1. it's a fork event;
> 2. the ptracer can't otherwise prove the fork happened after the
> PTRACE_SEIZE rather than concurrently; and
> 3. the ptracer is concerned a ptracer from a different pid namespace
> may have just detached.
And I think we should just ignore this very unlikely and harmless race.
We do not see a simple way to close it and in fact this ptrace_event() is
inherently racy anyway. Even without namespaces, if we race with DETACH +
ATTACH, the new tracer gets the correct child's pid, but the child can be
already untraced.
_Perhaps_ we can do something better later (to remind, we can setup
->ptrace_message beforehand and change ATTACH to clear it), but this is
more subtle and needs more changes.
This patch is straightforward, and it fixes the old/known problem: currently
this pid_t is always wrong unless the tracer is from the root namespace.
Oleg.
next prev parent reply other threads:[~2014-04-30 11:52 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1396288478-1314-1-git-send-email-mdempsky@chromium.org>
[not found] ` <20140331181651.GA27686@redhat.com>
[not found] ` <CAF52+S5i7oqJnJ1NN0bk5Vg=CiYrussw0AunteE72kMMcWkeJA@mail.gmail.com>
2014-04-01 18:52 ` [PATCH v2] Fix ptrace events across pid namespaces Oleg Nesterov
2014-04-01 20:44 ` Matthew Dempsky
2014-04-01 22:29 ` [PATCH v3] ptrace: Fix fork event messages " Matthew Dempsky
2014-04-02 0:39 ` Matthew Dempsky
2014-04-02 14:58 ` Oleg Nesterov
2014-04-02 15:44 ` [PATCH 0/1] pid_namespace: pidns_get() should check task_active_pid_ns() != NULL Oleg Nesterov
2014-04-02 15:45 ` [PATCH 1/1] " Oleg Nesterov
2014-04-02 16:53 ` Eric W. Biederman
2014-04-02 15:58 ` Oleg Nesterov
2014-04-02 22:01 ` Eric W. Biederman
2014-04-02 21:58 ` [PATCH v3] ptrace: Fix fork event messages across pid namespaces Matthew Dempsky
2014-04-02 22:37 ` Matthew Dempsky
2014-04-07 19:24 ` Oleg Nesterov
2014-04-03 2:26 ` [PATCH v4] " Matthew Dempsky
2014-04-03 15:44 ` Oleg Nesterov
2014-04-03 16:13 ` Oleg Nesterov
2014-04-03 18:07 ` Matthew Dempsky
2014-04-07 19:06 ` Oleg Nesterov
2014-04-29 20:20 ` [RESEND PATCH " Matthew Dempsky
2014-04-29 22:11 ` Andrew Morton
2014-04-30 0:34 ` [PATCH v5] " Matthew Dempsky
2014-04-30 11:51 ` Oleg Nesterov [this message]
2014-04-30 20:16 ` Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140430115155.GA6077@redhat.com \
--to=oleg@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=jan.kratochvil@redhat.com \
--cc=jln@chromium.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mcgrathr@chromium.org \
--cc=mdempsky@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.