From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-11.3 required=3.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8D6EFC2D0A7 for ; Fri, 11 Sep 2020 00:21:05 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 3BFD921D81 for ; Fri, 11 Sep 2020 00:21:05 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="SijTA2JB" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725554AbgIKAVA (ORCPT ); Thu, 10 Sep 2020 20:21:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35474 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725283AbgIKAU4 (ORCPT ); Thu, 10 Sep 2020 20:20:56 -0400 Received: from mail-ej1-x644.google.com (mail-ej1-x644.google.com [IPv6:2a00:1450:4864:20::644]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8DD3DC061756 for ; Thu, 10 Sep 2020 17:20:55 -0700 (PDT) Received: by mail-ej1-x644.google.com with SMTP id z22so11347979ejl.7 for ; Thu, 10 Sep 2020 17:20:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=IyAAsSx7nFV/dq/SzL35IFpVJ+Yn15D4pJKs31u9n78=; b=SijTA2JBh2igQyUFhnGY43n8X9KiE/1xBjEYzMfT6RvTVPBWKIf2S98WFdxu9pntLY 3FWTWsLcOBbZZP+uQKQQFz4ztqRQDTHyvvYDTLpZ/Yx9mHMQtmxixW2u+2Iv/F2pmzx0 9Shwb8Rd2BYkk5HW11A7nj4k+Z9OU+m6AuaF06ISqWp+Wo0Dxl3Ftte6cYPtPbWW1yZR JLLqu2Dvol/xqraTUN3AMxutXgpUnMwIbPWTFot3PWxuMyymTw8Kv6tYWx+E0bQ1fw0S kVuDX8lq+sS+iKyOplLtlkXB4ZB4Y983W8fe/h7lUU2TIMbQmGvwGw79xY/i1sapn5fC JATA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=IyAAsSx7nFV/dq/SzL35IFpVJ+Yn15D4pJKs31u9n78=; b=E4dtKWDn2cGcG5JuX9N8GbP++cl10W3Z8xCK7Zf3GtGNjlGendTBqfCOpRVjJU9CAH aVeuFdwCcj4IVMFjqvcpWqD+a2QVpw41oe48DKw+sCVQ0mYpDzouHnQi2C23CVywveL/ +ACah4QGWGMWxvqcrHotgGDTRSTKhRt820yu6t9t6uhChQplUIzJWandr436kdlmdfR4 ZC6VYMSGHFVjCEadUgXtTFRuNsIBBKJWUrK4mbe2ACTwgwXJ3DJAs2nCng8a/3naACb3 FujSW+rCQX4cAxTIyCeKMzdwXkRn9//P6V/N0FSiqrq0hnJVESrQkANg2VjUm74mbyB3 3UJw== X-Gm-Message-State: AOAM531ay8YPHIQ56gWAbRfFSE+y7SNwnohTNENJxsKGj/El18rspmSN 9wly4A1ZiFFk2F6HPjs9nSXI2bwiPDEX3S06Vcuggg== X-Google-Smtp-Source: ABdhPJwL5k8zeWDPprG5Mrub7BhXpdPNFjl1twNR0wyPykMPOKHhl8JhWG8zU9BNykiHZwGZd8sG1UHbIbv8RO4puvk= X-Received: by 2002:a17:906:a0c2:: with SMTP id bh2mr11898964ejb.493.1599783653707; Thu, 10 Sep 2020 17:20:53 -0700 (PDT) MIME-Version: 1.0 References: <20200910202107.3799376-1-keescook@chromium.org> <20200910202107.3799376-7-keescook@chromium.org> <202009101649.2A0BF95@keescook> In-Reply-To: <202009101649.2A0BF95@keescook> From: Jann Horn Date: Fri, 11 Sep 2020 02:20:27 +0200 Message-ID: Subject: Re: [RFC PATCH 6/6] security/fbfam: Mitigate a fork brute force attack To: Kees Cook Cc: Kernel Hardening , John Wood , Matthew Wilcox , Jonathan Corbet , Alexander Viro , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Luis Chamberlain , Iurii Zaikin , James Morris , "Serge E. Hallyn" , linux-doc@vger.kernel.org, kernel list , linux-fsdevel , linux-security-module Content-Type: text/plain; charset="UTF-8" Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org On Fri, Sep 11, 2020 at 1:56 AM Kees Cook wrote: > On Thu, Sep 10, 2020 at 01:21:07PM -0700, Kees Cook wrote: > > From: John Wood > > > > In order to mitigate a fork brute force attack it is necessary to kill > > all the offending tasks. This tasks are all the ones that share the > > statistical data with the current task (the task that has crashed). > > > > Since the attack detection is done in the function fbfam_handle_attack() > > that is called every time a core dump is triggered, only is needed to > > kill the others tasks that share the same statistical data, not the > > current one as this is in the path to be killed. [...] > > + for_each_process(p) { > > + if (p == current || p->fbfam_stats != stats) > > + continue; > > + > > + do_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_PID); > > + pr_warn("fbfam: Offending process with PID %d killed\n", > > + p->pid); [...] > > + > > + killed += 1; > > + if (killed >= to_kill) > > + break; > > + } > > + > > + rcu_read_unlock(); > > Can't newly created processes escape this RCU read lock? I think this > need alternate locking, or something in the task_alloc hook that will > block any new process from being created within the stats group. Good point; the proper way to deal with this would probably be to take the tasklist_lock in read mode around this loop (with read_lock(&tasklist_lock) / read_unlock(&tasklist_lock)), which pairs with the write_lock_irq(&tasklist_lock) in copy_process(). Thanks to the fatal_signal_pending() check while holding the lock in copy_process(), that would be race-free - any fork() that has not yet inserted the new task into the global task list would wait for us to drop the tasklist_lock, then bail out at the fatal_signal_pending() check.