From: Al Viro <viro@ZenIV.linux.org.uk>
To: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hugh@veritas.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Joe Malicki <jmalicki@metacarta.com>,
Michael Itz <mitz@metacarta.com>,
Kenneth Baker <bakerk@metacarta.com>,
Chris Wright <chrisw@sous-sol.org>,
David Howells <dhowells@redhat.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
Greg Kroah-Hartman <gregkh@suse.de>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: Q: check_unsafe_exec() races (Was: [PATCH 2/4] fix setuid sometimes doesn't)
Date: Mon, 30 Mar 2009 02:08:43 +0100 [thread overview]
Message-ID: <20090330010843.GM28946@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20090330000338.GB32199@redhat.com>
On Mon, Mar 30, 2009 at 02:03:38AM +0200, Oleg Nesterov wrote:
> On 03/30, Oleg Nesterov wrote:
> >
> > On 03/29, Al Viro wrote:
> > >
> > > On Sun, Mar 29, 2009 at 11:36:35PM +0200, Oleg Nesterov wrote:
> > > > > ... or just do that to fs_struct. After finding that there's no outside
> > > > > users. Commenst?
> > > >
> > > > This is even worse. Not only we race with our sub-threads, we race
> > > > with CLONE_FS processes.
> > > >
> > > > We can't mark fs_struct after finding that there's no outside users
> > > > lockless. Because we can't know whether this is "after" or not, we
> > > > can't trust "atomic_read(fs->count) <= n_fs".
> > >
> > > We can lock fs_struct in question, go through the threads, then mark
> > > or bail out. With cloning a reference to fs_struct protected by the
> > > same lock.
> >
> > Yes, this is what I meant, copy_fs() needs this lock too,
> >
> > > FWIW, I'm not at all sure that we want atomic_t for refcount in that
> > > case...
> >
> > I think you are right, because exit_fs() should take fs->lock as well.
> >
> > But, again. What whould we do when check_unsafe_exec() takes fs->lock
> > and sees that this ->fs is already marked?
>
> Ah, I am stupid. There is no another process if this flag is set.
So...
* one can always dereference current->fs
* nobody can change task->fs for seen-by-scheduler task other than
current (we can, of course, do that for a task we'd just allocated in clone
before anyone else has seen it)
* all changes of current->fs happen under task_lock *and* excl ->lock
of old value of current->fs.
* anybody can dereference task->fs while holding task_lock(task)
* ->lock nests inside task_lock
* freeing happens only when the last reference is gone *and* all
tasks that used to hold such references has already gone through task_unlock
* all refcount changes happen under excl ->lock
* changes of ->root and ->pwd happen under excl ->lock
* read access to ->root and ->pwd should be done under shared ->lock;
to use the contents past the unlock you need to grab references to path in
question while holding lock
* cloning a reference is done while holding ->lock shared, fails with
-EAGAIN if fs_struct is marked "under exec"
* mark in question is set and cleared with ->lock excl.
* check_unsafe_exec() locks current->fs shared, goes through all
threads comparing their ->fs with our, if the number doesn't match - bail
out. Otherwise we mark it "under exec".
* in the end of execve() (failure or success) we clear the mark.
* all reassignments of task->fs are either to NULL or to new instance
(never seen by anybody) or to &init_fs.
* task with ->fs == &init_fs may not call execve(); those are kernel
threads and they must get ->fs unshared before they can do anything of that
kind (otherwise we'd have no end of trouble with chdir() done by exec'ed
binary affecting hell knows what else).
Does anybody see any holes in the above?
next prev parent reply other threads:[~2009-03-30 1:11 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-03-28 23:16 [PATCH 1/4] compat_do_execve should unshare_files Hugh Dickins
2009-03-28 23:20 ` [PATCH 2/4] fix setuid sometimes doesn't Hugh Dickins
2009-03-29 0:53 ` Q: check_unsafe_exec() races (Was: [PATCH 2/4] fix setuid sometimes doesn't) Oleg Nesterov
2009-03-29 4:10 ` Al Viro
2009-03-29 4:14 ` Al Viro
2009-03-29 4:52 ` Oleg Nesterov
2009-03-29 5:55 ` Al Viro
2009-03-29 6:01 ` Al Viro
2009-03-29 21:36 ` Oleg Nesterov
2009-03-29 22:20 ` Al Viro
2009-03-29 23:56 ` Oleg Nesterov
2009-03-30 0:03 ` Oleg Nesterov
2009-03-30 1:08 ` Al Viro [this message]
2009-03-30 1:13 ` Al Viro
2009-03-30 1:36 ` Oleg Nesterov
2009-03-30 1:40 ` Oleg Nesterov
2009-03-30 12:31 ` Al Viro
2009-03-30 14:32 ` Hugh Dickins
2009-03-31 6:16 ` Al Viro
2009-04-01 0:28 ` Hugh Dickins
2009-04-01 2:38 ` Al Viro
2009-04-01 3:03 ` Al Viro
2009-04-01 11:25 ` Hugh Dickins
2009-04-06 15:31 ` Oleg Nesterov
2009-04-19 16:30 ` Hugh Dickins
2009-04-21 16:10 ` Oleg Nesterov
2009-04-21 16:31 ` Linus Torvalds
2009-04-21 17:15 ` Oleg Nesterov
2009-04-21 17:35 ` Linus Torvalds
2009-04-21 19:39 ` Hugh Dickins
2009-04-23 23:01 ` [PATCH 1/2] do_execve() must not clear fs->in_exec if it was set by another thread Oleg Nesterov
2009-04-23 23:18 ` Roland McGrath
2009-04-23 23:31 ` Al Viro
2009-04-24 11:57 ` [PATCH 3/2] check_unsafe_exec: rcu_read_unlock Hugh Dickins
2009-04-24 14:34 ` Oleg Nesterov
2009-04-24 4:20 ` [PATCH 1/2] do_execve() must not clear fs->in_exec if it was set by another thread Hugh Dickins
2009-04-23 23:02 ` [PATCH 2/2] check_unsafe_exec: s/lock_task_sighand/rcu_read_lock/ Oleg Nesterov
2009-04-23 23:18 ` Roland McGrath
2009-04-24 4:29 ` Hugh Dickins
2009-04-01 11:18 ` Q: check_unsafe_exec() races (Was: [PATCH 2/4] fix setuid sometimes doesn't) Hugh Dickins
2009-04-06 15:51 ` Oleg Nesterov
2009-04-19 16:44 ` Hugh Dickins
2009-04-21 16:39 ` Oleg Nesterov
2009-03-30 23:45 ` Serge E. Hallyn
2009-03-31 6:19 ` Al Viro
2009-03-28 23:21 ` [PATCH 3/4] fix setuid sometimes wouldn't Hugh Dickins
2009-03-29 11:19 ` Alexey Dobriyan
2009-03-29 21:48 ` Oleg Nesterov
2009-03-29 22:37 ` Al Viro
2009-03-28 23:23 ` [PATCH 4/4] Annotate struct fs_struct's usage count restriction Hugh Dickins
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090330010843.GM28946@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=bakerk@metacarta.com \
--cc=chrisw@sous-sol.org \
--cc=dhowells@redhat.com \
--cc=gregkh@suse.de \
--cc=hugh@veritas.com \
--cc=jmalicki@metacarta.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mitz@metacarta.com \
--cc=oleg@redhat.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).