From: Hugh Dickins <hugh@veritas.com>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Oleg Nesterov <oleg@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Joe Malicki <jmalicki@metacarta.com>,
Michael Itz <mitz@metacarta.com>,
Kenneth Baker <bakerk@metacarta.com>,
Chris Wright <chrisw@sous-sol.org>,
David Howells <dhowells@redhat.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
Greg Kroah-Hartman <gregkh@suse.de>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: Q: check_unsafe_exec() races (Was: [PATCH 2/4] fix setuid sometimes doesn't)
Date: Wed, 1 Apr 2009 01:28:01 +0100 (BST) [thread overview]
Message-ID: <Pine.LNX.4.64.0904010106310.16500@blonde.anvils> (raw)
In-Reply-To: <20090331061615.GS28946@ZenIV.linux.org.uk>
On Tue, 31 Mar 2009, Al Viro wrote:
>
> Anyway, I've got that stuff to something reasonably-looking. See the
> same branch (rebased), just 5 changesets now. Have fun. Cleanups are
> not part of that set.
Just a couple of things on that:
Minor bisectability issue: the third patch, which introduces
int unshare_fs_struct(void), needs to return 0 when it succeeds:
that gets corrected in the fourth patch.
Lockdep objects to how check_unsafe_exec nests write_lock(&p->fs_lock)
inside lock_task_sighand(p, &flags). It's right: we sometimes take
sighand->siglock in interrupt, so if such an interrupt occurred just
after you take fs_lock elsewhere, that could deadlock with this. It
seems happy with taking fs_lock just outside the lock_task_sighand.
Otherwise it looks good to me, except I keep worrying about those
EAGAINs. The more so once I noticed current->cred_exec_mutex is
already being used to handle a similar issue with ptrace. What
do you think of this rather smaller patch? which I'd much rather
send after having slept on it, since it may be embarrassingly and
obviously wrong, but tomorrow may be too late ...
fs/compat.c | 6 +++---
fs/exec.c | 6 +++---
fs/namei.c | 1 +
include/linux/fs_struct.h | 1 +
include/linux/init_task.h | 2 --
include/linux/sched.h | 1 -
kernel/cred.c | 4 +---
kernel/fork.c | 13 +++++++++++--
kernel/ptrace.c | 4 ++--
9 files changed, 22 insertions(+), 16 deletions(-)
--- 2.6.29-git8/fs/compat.c 2009-03-31 16:04:22.000000000 +0100
+++ linux/fs/compat.c 2009-04-01 00:52:26.000000000 +0100
@@ -1432,7 +1432,7 @@ int compat_do_execve(char * filename,
if (!bprm)
goto out_files;
- retval = mutex_lock_interruptible(¤t->cred_exec_mutex);
+ retval = mutex_lock_interruptible(¤t->fs->cred_exec_mutex);
if (retval < 0)
goto out_free;
current->in_execve = 1;
@@ -1489,7 +1489,7 @@ int compat_do_execve(char * filename,
/* execve succeeded */
current->in_execve = 0;
- mutex_unlock(¤t->cred_exec_mutex);
+ mutex_unlock(¤t->fs->cred_exec_mutex);
acct_update_integrals(current);
free_bprm(bprm);
if (displaced)
@@ -1508,7 +1508,7 @@ out_file:
out_unlock:
current->in_execve = 0;
- mutex_unlock(¤t->cred_exec_mutex);
+ mutex_unlock(¤t->fs->cred_exec_mutex);
out_free:
free_bprm(bprm);
--- 2.6.29-git8/fs/exec.c 2009-03-31 16:04:22.000000000 +0100
+++ linux/fs/exec.c 2009-04-01 00:52:26.000000000 +0100
@@ -1287,7 +1287,7 @@ int do_execve(char * filename,
if (!bprm)
goto out_files;
- retval = mutex_lock_interruptible(¤t->cred_exec_mutex);
+ retval = mutex_lock_interruptible(¤t->fs->cred_exec_mutex);
if (retval < 0)
goto out_free;
current->in_execve = 1;
@@ -1345,7 +1345,7 @@ int do_execve(char * filename,
/* execve succeeded */
current->in_execve = 0;
- mutex_unlock(¤t->cred_exec_mutex);
+ mutex_unlock(¤t->fs->cred_exec_mutex);
acct_update_integrals(current);
free_bprm(bprm);
if (displaced)
@@ -1364,7 +1364,7 @@ out_file:
out_unlock:
current->in_execve = 0;
- mutex_unlock(¤t->cred_exec_mutex);
+ mutex_unlock(¤t->fs->cred_exec_mutex);
out_free:
free_bprm(bprm);
--- 2.6.29-git8/fs/namei.c 2009-03-31 16:04:23.000000000 +0100
+++ linux/fs/namei.c 2009-04-01 00:52:26.000000000 +0100
@@ -2903,4 +2903,5 @@ struct fs_struct init_fs = {
.count = ATOMIC_INIT(1),
.lock = __RW_LOCK_UNLOCKED(init_fs.lock),
.umask = 0022,
+ .cred_exec_mutex = __MUTEX_INITIALIZER(init_fs.cred_exec_mutex),
};
--- 2.6.29-git8/include/linux/fs_struct.h 2009-03-31 16:04:24.000000000 +0100
+++ linux/include/linux/fs_struct.h 2009-04-01 00:52:26.000000000 +0100
@@ -11,6 +11,7 @@ struct fs_struct {
rwlock_t lock;
int umask;
struct path root, pwd;
+ struct mutex cred_exec_mutex; /* execve cred calculation mutex */
};
extern struct kmem_cache *fs_cachep;
--- 2.6.29-git8/include/linux/init_task.h 2009-03-31 16:04:24.000000000 +0100
+++ linux/include/linux/init_task.h 2009-04-01 00:52:26.000000000 +0100
@@ -157,8 +157,6 @@ extern struct cred init_cred;
.group_leader = &tsk, \
.real_cred = &init_cred, \
.cred = &init_cred, \
- .cred_exec_mutex = \
- __MUTEX_INITIALIZER(tsk.cred_exec_mutex), \
.comm = "swapper", \
.thread = INIT_THREAD, \
.fs = &init_fs, \
--- 2.6.29-git8/include/linux/sched.h 2009-03-31 16:04:25.000000000 +0100
+++ linux/include/linux/sched.h 2009-04-01 00:52:26.000000000 +0100
@@ -1250,7 +1250,6 @@ struct task_struct {
* credentials (COW) */
const struct cred *cred; /* effective (overridable) subjective task
* credentials (COW) */
- struct mutex cred_exec_mutex; /* execve vs ptrace cred calculation mutex */
char comm[TASK_COMM_LEN]; /* executable name excluding path
- access with [gs]et_task_comm (which lock
--- 2.6.29-git8/kernel/cred.c 2009-03-23 23:12:14.000000000 +0000
+++ linux/kernel/cred.c 2009-04-01 00:52:26.000000000 +0100
@@ -167,7 +167,7 @@ EXPORT_SYMBOL(prepare_creds);
/*
* Prepare credentials for current to perform an execve()
- * - The caller must hold current->cred_exec_mutex
+ * - The caller must hold current->fs->cred_exec_mutex
*/
struct cred *prepare_exec_creds(void)
{
@@ -276,8 +276,6 @@ int copy_creds(struct task_struct *p, un
struct cred *new;
int ret;
- mutex_init(&p->cred_exec_mutex);
-
if (
#ifdef CONFIG_KEYS
!p->cred->thread_keyring &&
--- 2.6.29-git8/kernel/fork.c 2009-03-31 16:04:26.000000000 +0100
+++ linux/kernel/fork.c 2009-04-01 00:52:26.000000000 +0100
@@ -695,6 +695,7 @@ static struct fs_struct *__copy_fs_struc
fs->pwd = old->pwd;
path_get(&old->pwd);
read_unlock(&old->lock);
+ mutex_init(&fs->cred_exec_mutex);
}
return fs;
}
@@ -708,11 +709,19 @@ EXPORT_SYMBOL_GPL(copy_fs_struct);
static int copy_fs(unsigned long clone_flags, struct task_struct *tsk)
{
+ struct fs_struct *fs = current->fs;
+
if (clone_flags & CLONE_FS) {
- atomic_inc(¤t->fs->count);
+ int retval = mutex_lock_interruptible(&fs->cred_exec_mutex);
+ if (retval < 0)
+ return retval;
+ /* tsk->fs is already what we want */
+ atomic_inc(&fs->count);
+ mutex_unlock(&fs->cred_exec_mutex);
return 0;
}
- tsk->fs = __copy_fs_struct(current->fs);
+
+ tsk->fs = __copy_fs_struct(fs);
if (!tsk->fs)
return -ENOMEM;
return 0;
--- 2.6.29-git8/kernel/ptrace.c 2009-03-23 23:12:14.000000000 +0000
+++ linux/kernel/ptrace.c 2009-04-01 00:52:26.000000000 +0100
@@ -186,7 +186,7 @@ int ptrace_attach(struct task_struct *ta
/* Protect exec's credential calculations against our interference;
* SUID, SGID and LSM creds get determined differently under ptrace.
*/
- retval = mutex_lock_interruptible(¤t->cred_exec_mutex);
+ retval = mutex_lock_interruptible(¤t->fs->cred_exec_mutex);
if (retval < 0)
goto out;
@@ -230,7 +230,7 @@ repeat:
bad:
write_unlock_irqrestore(&tasklist_lock, flags);
task_unlock(task);
- mutex_unlock(¤t->cred_exec_mutex);
+ mutex_unlock(¤t->fs->cred_exec_mutex);
out:
return retval;
}
next prev parent reply other threads:[~2009-04-01 0:30 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-03-28 23:16 [PATCH 1/4] compat_do_execve should unshare_files Hugh Dickins
2009-03-28 23:20 ` [PATCH 2/4] fix setuid sometimes doesn't Hugh Dickins
2009-03-29 0:53 ` Q: check_unsafe_exec() races (Was: [PATCH 2/4] fix setuid sometimes doesn't) Oleg Nesterov
2009-03-29 4:10 ` Al Viro
2009-03-29 4:14 ` Al Viro
2009-03-29 4:52 ` Oleg Nesterov
2009-03-29 5:55 ` Al Viro
2009-03-29 6:01 ` Al Viro
2009-03-29 21:36 ` Oleg Nesterov
2009-03-29 22:20 ` Al Viro
2009-03-29 23:56 ` Oleg Nesterov
2009-03-30 0:03 ` Oleg Nesterov
2009-03-30 1:08 ` Al Viro
2009-03-30 1:13 ` Al Viro
2009-03-30 1:36 ` Oleg Nesterov
2009-03-30 1:40 ` Oleg Nesterov
2009-03-30 12:31 ` Al Viro
2009-03-30 14:32 ` Hugh Dickins
2009-03-31 6:16 ` Al Viro
2009-04-01 0:28 ` Hugh Dickins [this message]
2009-04-01 2:38 ` Al Viro
2009-04-01 3:03 ` Al Viro
2009-04-01 11:25 ` Hugh Dickins
2009-04-06 15:31 ` Oleg Nesterov
2009-04-19 16:30 ` Hugh Dickins
2009-04-21 16:10 ` Oleg Nesterov
2009-04-21 16:31 ` Linus Torvalds
2009-04-21 17:15 ` Oleg Nesterov
2009-04-21 17:35 ` Linus Torvalds
2009-04-21 19:39 ` Hugh Dickins
2009-04-23 23:01 ` [PATCH 1/2] do_execve() must not clear fs->in_exec if it was set by another thread Oleg Nesterov
2009-04-23 23:18 ` Roland McGrath
2009-04-23 23:31 ` Al Viro
2009-04-24 11:57 ` [PATCH 3/2] check_unsafe_exec: rcu_read_unlock Hugh Dickins
2009-04-24 14:34 ` Oleg Nesterov
2009-04-24 4:20 ` [PATCH 1/2] do_execve() must not clear fs->in_exec if it was set by another thread Hugh Dickins
2009-04-23 23:02 ` [PATCH 2/2] check_unsafe_exec: s/lock_task_sighand/rcu_read_lock/ Oleg Nesterov
2009-04-23 23:18 ` Roland McGrath
2009-04-24 4:29 ` Hugh Dickins
2009-04-01 11:18 ` Q: check_unsafe_exec() races (Was: [PATCH 2/4] fix setuid sometimes doesn't) Hugh Dickins
2009-04-06 15:51 ` Oleg Nesterov
2009-04-19 16:44 ` Hugh Dickins
2009-04-21 16:39 ` Oleg Nesterov
2009-03-30 23:45 ` Serge E. Hallyn
2009-03-31 6:19 ` Al Viro
2009-03-28 23:21 ` [PATCH 3/4] fix setuid sometimes wouldn't Hugh Dickins
2009-03-29 11:19 ` Alexey Dobriyan
2009-03-29 21:48 ` Oleg Nesterov
2009-03-29 22:37 ` Al Viro
2009-03-28 23:23 ` [PATCH 4/4] Annotate struct fs_struct's usage count restriction Hugh Dickins
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Pine.LNX.4.64.0904010106310.16500@blonde.anvils \
--to=hugh@veritas.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=bakerk@metacarta.com \
--cc=chrisw@sous-sol.org \
--cc=dhowells@redhat.com \
--cc=gregkh@suse.de \
--cc=jmalicki@metacarta.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mitz@metacarta.com \
--cc=oleg@redhat.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).