From: Oleg Nesterov <oleg@redhat.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: "Andrew Morton" <akpm@linux-foundation.org>,
"Mika Penttilä" <mika.penttila@nextfour.com>,
"Aleksa Sarai" <asarai@suse.com>,
"Andy Lutomirski" <luto@amacapital.net>,
"Attila Fazekas" <afazekas@redhat.com>,
"Jann Horn" <jann@thejh.net>, "Kees Cook" <keescook@chromium.org>,
"Michal Hocko" <mhocko@kernel.org>,
"Ulrich Obergfell" <uobergfe@redhat.com>,
linux-kernel@vger.kernel.org,
"David Howells" <dhowells@redhat.com>
Subject: Re: [PATCH V2 1/2] exec: don't wait for zombie threads with cred_guard_mutex held
Date: Mon, 20 Feb 2017 16:50:06 +0100 [thread overview]
Message-ID: <20170220155005.GA15036@redhat.com> (raw)
In-Reply-To: <87k28po2ce.fsf@xmission.com>
On 02/17, Eric W. Biederman wrote:
>
> Oleg Nesterov <oleg@redhat.com> writes:
>
> > de_thread() waits for other threads with ->cred_guard_mutex held and this
> > is really bad because the time is not bounded, debugger can delay the exit
> > and this lock has a lot of users (mostly abusers imo) in fs/proc and more.
> > And this leads to deadlock if debugger tries to take the same mutex:
>
> Oleg. I looked at the history in proc of users of cred_guard_mutex
> and the proc users are grabbing cred_guard_mutex for the proper
> semantic reasons. To avoid races with setuid exec that could result in
> an information disclosure.
This is clear. However I really think it is over-used. For example, I do
think that lock_trace() should die.
OK, of course I can be wrong. And in any case this is almost off-topic
right now, lets discuss this separately.
> On that score I believe we can incrementally approach that point and
> only grab the cred_guard_mutex in exec if we are performing an exec that
> changes the processes credentials.
May be... but afaics this is more complicated because of LSM hooks.
To me one the main problems is that lsm hook can fail if the task is
traced, that is why we can't simply take cred_guard_mutex and check
->ptrace after de_thread(). But again, lets discuss this later.
> Right now I don't think it introduces any new security information
> disclosures but the moving of flush_signal_handlers outside of
> cred_guard_mutex feels wrong.
Why?
Just in case, we can do flush_signal_handlers() only after we unshare
->sighand, that is why it was moved outside of cred_guard_mutex.
But why this is bad? collect_sigign_sigcatch() is called without this
mutex, who else can look at sa.sa_handler?
Oleg.
next prev parent reply other threads:[~2017-02-20 15:51 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-13 14:14 [PATCH 0/2] fix the traced mt-exec deadlock Oleg Nesterov
2017-02-13 14:15 ` [PATCH 1/2] exec: don't wait for zombie threads with cred_guard_mutex held Oleg Nesterov
2017-02-13 16:12 ` kbuild test robot
2017-02-13 16:47 ` Oleg Nesterov
2017-02-13 16:39 ` kbuild test robot
2017-02-13 17:27 ` Mika Penttilä
2017-02-13 18:01 ` Oleg Nesterov
2017-02-13 18:04 ` [PATCH V2 " Oleg Nesterov
2017-02-16 11:42 ` Eric W. Biederman
2017-02-20 15:22 ` Oleg Nesterov
2017-02-20 15:36 ` Oleg Nesterov
2017-02-20 22:30 ` Eric W. Biederman
2017-02-21 17:53 ` Oleg Nesterov
2017-02-21 20:20 ` Eric W. Biederman
2017-02-22 17:41 ` Oleg Nesterov
2017-02-17 4:42 ` Eric W. Biederman
2017-02-20 15:50 ` Oleg Nesterov [this message]
2017-02-13 14:15 ` [PATCH 2/2] ptrace: ensure PTRACE_EVENT_EXIT won't stop if the tracee is killed by exec Oleg Nesterov
2017-02-24 16:03 ` [PATCH 0/2] fix the traced mt-exec deadlock Oleg Nesterov
2017-03-03 1:05 ` Eric W. Biederman
2017-03-03 17:33 ` Oleg Nesterov
2017-03-03 18:23 ` Eric W. Biederman
2017-03-03 18:59 ` Eric W. Biederman
2017-03-03 20:06 ` Eric W. Biederman
2017-03-03 20:11 ` [RFC][PATCH] exec: Don't wait for ptraced threads to be reaped Eric W. Biederman
2017-03-04 17:03 ` Oleg Nesterov
2017-03-30 8:07 ` Eric W. Biederman
2017-04-01 5:11 ` [RFC][PATCH 0/2] exec: Fixing ptrace'd mulit-threaded hang Eric W. Biederman
2017-04-01 5:14 ` [RFC][PATCH 1/2] sighand: Count each thread group once in sighand_struct Eric W. Biederman
2017-04-01 5:16 ` [RFC][PATCH 2/2] exec: If possible don't wait for ptraced threads to be reaped Eric W. Biederman
2017-04-02 15:35 ` Oleg Nesterov
2017-04-02 18:53 ` Eric W. Biederman
2017-04-03 18:12 ` Oleg Nesterov
2017-04-03 21:04 ` Eric W. Biederman
2017-04-05 16:44 ` Oleg Nesterov
2017-04-02 15:38 ` [RFC][PATCH 0/2] exec: Fixing ptrace'd mulit-threaded hang Oleg Nesterov
2017-04-02 22:50 ` [RFC][PATCH v2 0/5] " Eric W. Biederman
2017-04-02 22:51 ` [RFC][PATCH v2 1/5] ptrace: Don't wait in PTRACE_O_TRACEEXIT for exec or coredump Eric W. Biederman
2017-04-05 16:19 ` Oleg Nesterov
2017-04-02 22:51 ` [RFC][PATCH v2 2/5] sighand: Count each thread group once in sighand_struct Eric W. Biederman
2017-04-02 22:52 ` [RFC][PATCH v2 3/5] clone: Disallown CLONE_THREAD with a shared sighand_struct Eric W. Biederman
2017-04-05 16:24 ` Oleg Nesterov
2017-04-05 17:34 ` Eric W. Biederman
2017-04-05 18:11 ` Oleg Nesterov
2017-04-02 22:53 ` [RFC][PATCH v2 4/5] exec: If possible don't wait for ptraced threads to be reaped Eric W. Biederman
2017-04-05 16:15 ` Oleg Nesterov
2017-04-02 22:57 ` [RFC][PATCH v2 5/5] signal: Don't allow accessing signal_struct by old threads after exec Eric W. Biederman
2017-04-05 16:18 ` Oleg Nesterov
2017-04-05 18:16 ` Eric W. Biederman
2017-04-06 15:48 ` Oleg Nesterov
2017-04-02 16:15 ` [RFC][PATCH] exec: Don't wait for ptraced threads to be reaped Oleg Nesterov
2017-04-02 21:07 ` Eric W. Biederman
2017-04-03 18:37 ` Oleg Nesterov
2017-04-03 22:49 ` Eric W. Biederman
2017-04-03 22:49 ` scope of cred_guard_mutex Eric W. Biederman
2017-04-05 16:08 ` Oleg Nesterov
2017-04-05 16:11 ` Kees Cook
2017-04-05 17:53 ` Eric W. Biederman
2017-04-05 18:15 ` Oleg Nesterov
2017-04-06 15:55 ` Oleg Nesterov
2017-04-07 22:07 ` Kees Cook
2017-09-04 3:19 ` [RFC][PATCH] exec: Don't wait for ptraced threads to be reaped Robert O'Callahan
2017-03-04 16:54 ` [PATCH 0/2] fix the traced mt-exec deadlock Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170220155005.GA15036@redhat.com \
--to=oleg@redhat.com \
--cc=afazekas@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=asarai@suse.com \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=jann@thejh.net \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mhocko@kernel.org \
--cc=mika.penttila@nextfour.com \
--cc=uobergfe@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).