Date: Wed, 5 Oct 2022 13:09:36 -0300
Subject: Re: [PATCH] Fix race condition when exec'ing setuid files
To: Kees Cook
Cc: Alexander Viro, Eric Biederman, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Valentin Schneider, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org
References: <20220910211215.140270-1-jorge.merlino@canonical.com> <202209131456.76A13BC5E4@keescook>
From: Jorge Merlino
In-Reply-To: <202209131456.76A13BC5E4@keescook>

On 13/9/22 19:03, Kees Cook wrote:

> I'll want to spend some more time studying this race, but yes, it looks
> like it should get fixed. I'm curious, though, how did you find this
> problem? It seems quite unusual to have a high-load heavily threaded
> process decide to exec.

I just got a response from our customer regarding the situation where
this race condition occurs:

Our application is a Rust-based CLI tool that acts as a frontend to
cloud-based testing infrastructure. In one mode of operation it uploads
a large number of test artifacts to cloud storage, spawns compute
instances, and then starts a VPN connection to those instances. The
application creates the VPN connection by executing another setuid-root
tool as a subprocess. We see that this subprocess sometimes fails to
setuid.

The "high-load heavily threaded" aspect comes from the fact that we're
using the Tokio runtime. Each upload to cloud storage is a separate
Tokio task (i.e. "green thread") and these are scheduled onto "N"
OS-level threads, where N = nproc. In a large run we may upload a couple
thousand artifacts but limit to 50 concurrent uploads. Once these
artifact uploads complete, we typically spawn the setuid subprocess
within 1-2 seconds.

Have you been able to look at this issue?

Thanks
     Jorge