From: Stephen Wilson <wilsons@start.ca>
To: Oleg Nesterov <oleg@redhat.com>
Cc: Stephen Wilson <wilsons@start.ca>,
Al Viro <viro@zeniv.linux.org.uk>,
Johannes Weiner <jweiner@redhat.com>,
linux-kernel@vger.kernel.org
Subject: Re: Q: proc: hold cred_guard_mutex in check_mem_permission()
Date: Thu, 29 Sep 2011 03:13:14 -0400 [thread overview]
Message-ID: <20110929071314.GA7734@wicker.gateway.2wire.net> (raw)
In-Reply-To: <20110928202020.GA3164@redhat.com>
On Wed, Sep 28, 2011 at 10:20:20PM +0200, Oleg Nesterov wrote:
> Another change we probably need to backport, 18f661bc
> "proc: hold cred_guard_mutex in check_mem_permission()".
>
> From the changelog:
>
> Avoid a potential race when task exec's and we get a new ->mm but
> check against the old credentials in ptrace_may_access().
>
> Could you please explain? How can we race with exec?
My understanding of the race is this:
sequence during execve():
1) cred_guard_mutex is taken in prepare_bprm_creds()
2) new mm is installed via exec_mmap()
3) new creds are pushed via install_exec_creds() which releases
cred_guard_mutex
so if we get_task_mm() and ptrace_may_access() between 2 and 3 we
obtain a reference to the new mm validated against old creds.
Perhaps (the fairly old) commit 704b836c helps?
> This task is either current, or it is TASK_TRACED and we are the
> tracer. In the latter case nobody can resume it except SIGKILL.
> And the killed task obviously can't exec.
>
> Afaics, all we need is: we should read task->mm after the
> task_is_traced() check, we do not need the mutex.
Checking ptrace_parent() against current was introduced in 0d094efeb, but the
commit message gives no clue as to why the check was added. It does seem to
go against the comment "would also be permitted to freshly attach with
ptrace". Not sure what to think ATM..
> IOW, what do you think about the patch below? I have no idea how
> can I test it (and it wasn't even applied/compiled).
>
> Also, I'd appreciate if you can explain the PTRACE_MODE_ATTACH
> check. Again, we are already the tracer.
If we are the tracer then that ptrace_may_access() check is redundant and the
whole race thing is a non-issue, right? But perhaps the correct move is to
relax the restriction that current be the tracer. I might be overlooking
something though.
Thanks,
--
steve
next prev parent reply other threads:[~2011-09-29 7:13 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-28 20:20 Q: proc: hold cred_guard_mutex in check_mem_permission() Oleg Nesterov
2011-09-29 7:13 ` Stephen Wilson [this message]
2011-09-29 11:48 ` Oleg Nesterov
2011-09-30 1:05 ` Stephen Wilson
2011-09-30 14:02 ` Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110929071314.GA7734@wicker.gateway.2wire.net \
--to=wilsons@start.ca \
--cc=jweiner@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox