Re: [PATCH 3/3] seccomp: introduce read protection for struct seccomp

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Tycho Andersen <tycho@tycho.ws>
To: Jann Horn <jannh@google.com>
Cc: Kees Cook <keescook@chromium.org>,
	kernel list <linux-kernel@vger.kernel.org>,
	Andy Lutomirski <luto@amacapital.net>
Subject: Re: [PATCH 3/3] seccomp: introduce read protection for struct seccomp
Date: Fri, 28 Sep 2018 15:35:57 -0600	[thread overview]
Message-ID: <20180928213557.GD18045@cisco.lan> (raw)
In-Reply-To: <CAG48ez1CpPmk6BFOztA-=w1U-pvaNBXou6JpcfMKx_ELGSwDVA@mail.gmail.com>

On Fri, Sep 28, 2018 at 11:10:48PM +0200, Jann Horn wrote:
> On Fri, Sep 28, 2018 at 10:56 PM Tycho Andersen <tycho@tycho.ws> wrote:
> >
> > On Fri, Sep 28, 2018 at 10:33:34PM +0200, Jann Horn wrote:
> > > On Fri, Sep 28, 2018 at 5:47 PM Tycho Andersen <tycho@tycho.ws> wrote:
> > > > As Jann pointed out, there is a race between SECCOMP_FILTER_FLAG_TSYNC and
> > > > the ptrace code that can inspect a filter of another process. Let's
> > > > introduce read locking into the two ptrace accesses so that we don't race.
> > >
> > > Hmm. Is that true? The ptrace code uses get_nth_filter(), which holds
> > > the siglock while grabbing the seccomp filter and bumping its
> > > refcount. And TSYNC happens from seccomp_set_mode_filter(), which
> > > takes the siglock. So this looks okay to me?
> >
> > Oh, yes, you're right. So I guess we should just change the comment to
> > say we're using siglock to represent the read lock.
> 
> Hmm... actually, looking at this closer, I think you only need the
> siglock for writing. As far as I can tell, any read (no matter if
> current or non-current) can just use READ_ONCE(), because once a
> seccomp filter is in a task's seccomp filter chain, it can't be freed
> until the task reaches free_task() and calls put_seccomp_filter() from
> there. And if the task whose seccomp filter you're trying to read can
> reach free_task(), you have bigger problems.

Ok; looks like get_nth_filter() took the siglock anyway. Since we get
the filters in these two functions in get_nth_filter(), I think it's
enough just to just,

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index f65d47650ac1..79d833ed4c34 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -1001,7 +1001,7 @@ static struct seccomp_filter *get_nth_filter(struct task_struct *task,
 		return ERR_PTR(-EINVAL);
 	}
 
-	orig = task->seccomp.filter;
+	orig = READ_ONCE(task->seccomp.filter);
 	__get_seccomp_filter(orig);
 	spin_unlock_irq(&task->sighand->siglock);
 

since once it's returned from get_nth_filter() we don't need to worry
about multiple accesses?

Tycho

next prev parent reply	other threads:[~2018-09-28 21:36 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-09-28 15:46 [PATCH 1/3] seccomp: change return type of seccomp_get_metadata to int Tycho Andersen
2018-09-28 15:46 ` [PATCH 2/3] seccomp: change return type of seccomp_get_filter " Tycho Andersen
2018-09-28 15:46 ` [PATCH 3/3] seccomp: introduce read protection for struct seccomp Tycho Andersen
2018-09-28 20:33   ` Jann Horn
2018-09-28 20:56     ` Tycho Andersen
2018-09-28 21:10       ` Jann Horn
2018-09-28 21:35         ` Tycho Andersen [this message]
2018-09-28 21:54           ` Jann Horn
2018-09-28 22:02             ` Tycho Andersen

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:f65d47650ac dfblob:79d833ed4c3 )
 OR (
bs:"Re: [PATCH 3/3] seccomp: introduce read protection for struct seccomp" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180928213557.GD18045@cisco.lan \
    --to=tycho@tycho.ws \
    --cc=jannh@google.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.