Date: Sun, 18 Sep 2016 21:08:10 +0200
From: Jann Horn
To: Ben Hutchings
Cc: Alexander Viro, Roland McGrath, Oleg Nesterov, John Johansen, James Morris, "Serge E. Hallyn", Paul Moore, Stephen Smalley, Eric Paris, Casey Schaufler, Kees Cook, Andrew Morton, Janis Danisevskis, Seth Forshee, "Eric . Biederman", Thomas Gleixner, Benjamin LaHaise, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, security@kernel.org
Subject: Re: [PATCH 2/9] exec: turn self_exec_id into self_privunit_id
Message-ID: <20160918190810.GD17170@pc.thejh.net>
In-Reply-To: <20160918184507.GT10601@decadent.org.uk>
References: <1474211117-16674-1-git-send-email-jann@thejh.net> <1474211117-16674-3-git-send-email-jann@thejh.net> <1474222407.2428.2.camel@decadent.org.uk> <20160918183137.GA17170@pc.thejh.net> <20160918184507.GT10601@decadent.org.uk>

On Sun, Sep 18, 2016 at 07:45:07PM +0100, Ben Hutchings wrote:
> On Sun, Sep 18, 2016 at 08:31:37PM +0200, Jann Horn wrote:
> > On Sun, Sep 18, 2016 at 07:13:27PM +0100, Ben Hutchings wrote:
> > > On Sun, 2016-09-18 at 17:05 +0200, Jann Horn wrote:
> > > > This ensures that self_privunit_id ("privilege unit ID") is only shared by
> > > > processes that share the mm_struct and the signal_struct; not just
> > > > spatially, but also temporally. In other words, if you do execve() or
> > > > clone() without CLONE_THREAD, you get a new privunit_id that has never been
> > > > used before.
> > > [...]
> > > > +void increment_privunit_counter(void)
> > > > +{
> > > > + BUILD_BUG_ON(NR_CPUS > (1 << 16));
> > > > + current->self_privunit_id = this_cpu_add_return(exec_counter, NR_CPUS);
> > > > +}
> > > [...]
> > >
> > > This will wrap incorrectly if NR_CPUS is not a power of 2 (which is
> > > unusual but allowed).
> >
> > If this wraps, hell breaks loose permission-wise - processes that have
> > no relationship whatsoever with each other will suddenly be able to ptrace
> > each other.
> >
> > The idea is that it never wraps.
>
> That's what I suspected, but wasn't sure. In that case you can
> initialise each counter to U64_MAX/NR_CPUS*cpu and increment by
> 1 each time, which might be more efficient on some architectures.

Makes sense. Will do that!
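Review bot: the quoted hunk does not show how the per-CPU exec_counter is initialised, yet the stride-by-NR_CPUS scheme in increment_privunit_counter() only yields distinct IDs across CPUs if each counter starts at a distinct offset (its CPU number); with every counter at zero, all CPUs hand out the same multiples of NR_CPUS. That initialisation should be visible alongside this function, and since the design relies on the 64-bit counter never wrapping, a one-line comment stating that invariant next to the this_cpu_add_return() call would spare the next reader the non-power-of-2 NR_CPUS question raised in this thread.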
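As an added userspace model (my code, not the patch's or the kernel's), the two allocation schemes discussed above side by side: the stride-by-NR_CPUS counter from the hunk and the per-CPU slice of U64_MAX/NR_CPUS*cpu suggested in the reply. It assumes a 16-bit counter so wrap-around is reachable in a loop, a global `ctr[]` array standing in for the per-CPU exec_counter, and that the stride scheme seeds each counter with its CPU number; `stride_wrap_stays_in_class()` shows why a non-power-of-2 CPU count makes the wrap land in another CPU's sequence, and `range_drain()` shows the slices never overlap and stop instead of wrapping.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed demo: a 16-bit counter stands in for the kernel's u64 so that
 * wrap-around is reachable in a loop; MAX_CPUS is a demo bound, not NR_CPUS. */
typedef uint16_t ctr_t;
#define CTR_MAX UINT16_MAX
#define MAX_CPUS 8
static ctr_t ctr[MAX_CPUS];	/* stands in for the per-CPU exec_counter */

/* Scheme of the quoted hunk: every CPU strides by nr_cpus. Seeding ctr[cpu]
 * with the CPU number is an assumption (the hunk omits the initialisation);
 * without distinct seeds every CPU would issue the same multiples of nr_cpus. */
static void stride_init(int nr_cpus) { for (int c = 0; c < nr_cpus; c++) ctr[c] = (ctr_t)c; }
static ctr_t stride_next(int nr_cpus, int cpu) { return ctr[cpu] = (ctr_t)(ctr[cpu] + nr_cpus); }

/* Ben's objection: once the counter wraps, does `cpu` still issue IDs in its
 * own residue class (id % nr_cpus == cpu)? Only if nr_cpus divides 2^16;
 * otherwise the wrapped sequence lands in another CPU's class and collides. */
static bool stride_wrap_stays_in_class(int nr_cpus, int cpu)
{
	ctr_t prev, id = (ctr_t)cpu;
	stride_init(nr_cpus);
	do { prev = id; id = stride_next(nr_cpus, cpu); } while (id > prev);
	return id % nr_cpus == cpu;
}

/* Scheme suggested in the reply: CPU c owns the slice
 * (CTR_MAX/nr_cpus*c, CTR_MAX/nr_cpus*(c+1)] and increments by 1. */
static void range_init(int nr_cpus) { for (int c = 0; c < nr_cpus; c++) ctr[c] = (ctr_t)(CTR_MAX / nr_cpus * c); }

/* Returns false once the slice is exhausted rather than wrap into a reused ID. */
static bool range_next(int nr_cpus, int cpu, ctr_t *id)
{
	if (ctr[cpu] == (ctr_t)(CTR_MAX / nr_cpus * (cpu + 1))) return false;
	*id = ++ctr[cpu];
	return true;
}

/* Drain one slice and report its first/last ID and size, so a caller can check
 * that neighbouring slices are disjoint (last ID of c < first ID of c + 1). */
static unsigned range_drain(int nr_cpus, int cpu, ctr_t *first, ctr_t *last)
{
	unsigned n = 0;
	ctr_t id;
	range_init(nr_cpus);
	while (range_next(nr_cpus, cpu, &id)) { if (n++ == 0) *first = id; *last = id; }
	return n;
}
```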