From: Al Viro <viro@ZenIV.linux.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org
Subject: [RFC] SIGKILL vs. SIGSEGV on late execve() failures
Date: Thu, 14 Feb 2013 05:36:57 +0000 [thread overview]
Message-ID: <20130214053656.GS4503@ZenIV.linux.org.uk> (raw)
If execve() fails past flush_old_exec(), we are obviously going to
kill the process. Right now it's implemented in $BIGNUM places in
->load_binary() and that's obviously brittle (and in at least one case
buggy - binfmt_flat lacks send_sig_info() on late failures). Now, there's
an obvious way to check that we had done successful flush_old_exec() -
bfmt->mm becomes NULL just past the last failure exit there. So it would
be tempting to have these send_sig_info() moved into search_binary_handler(),
especially since we already have
if (retval != -ENOEXEC || bprm->mm == NULL)
break;
in there and turning that into
if (bprm->mm == NULL) {
/* past the point of no return */
suicide
break;
}
if (retval != -ENOEXEC)
break;
would be trivial.
The only problem is that some suicides do SIGKILL, some SIGSEGV.
AFAICS, it started as SIGSEGV and had been switched to SIGKILL for a.out
(without any comments) in 1.1.62. By that time ELF had been there, with
SIGSEGV in the same places. Not replaced with SIGKILL; as the matter of
fact, they are still there. Additional failure exits in case of ELF had
been added with SIGKILL; ELF-FDPIC has copied ELF and FLAT hadn't bothered
with send_sig_info() at all.
Since by that point we have an empty sighandler table, the only
real difference is whether we attempt to produce a coredump on such late
failures. Is there any real reason not to try that? After all, with that
kind of late failure in execve(2) a coredump is obviously something the
caller might want to take a look at...
What was the reason for switch in 1.1.62? It's before my time
and the only exec-related comments I see in 1.1.61->1.1.62 summary are
Don't execute files that are being written to.
If we can't get write access to a core dump file, don't core dump.
Remove redundant test for non-null executables.
No need to release the shared memory by hand, when loading different executable.
neither of which covers that one...
next reply other threads:[~2013-02-14 5:36 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-14 5:36 Al Viro [this message]
2013-02-15 20:02 ` [RFC] SIGKILL vs. SIGSEGV on late execve() failures Linus Torvalds
2013-02-15 21:59 ` Al Viro
2013-02-15 23:12 ` Shentino
2013-02-16 0:04 ` Al Viro
2013-02-16 0:38 ` Maciej W. Rozycki
2013-02-16 0:38 ` Shentino
2013-02-16 0:46 ` Shentino
2013-02-16 1:50 ` Al Viro
2013-02-16 2:20 ` Al Viro
2013-02-16 7:20 ` Raymond Jennings
2013-02-16 7:43 ` Al Viro
2013-02-16 8:13 ` Raymond Jennings
2013-02-16 0:40 ` Linus Torvalds
2013-02-16 1:22 ` Al Viro
2013-02-16 1:44 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130214053656.GS4503@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox