From: Tycho Andersen <tycho@docker.com>
To: Oleg Nesterov <oleg@redhat.com>
Cc: Chris Salls <chrissalls5@gmail.com>,
Kees Cook <keescook@chromium.org>,
Andy Lutomirski <luto@amacapital.net>,
Will Drewry <wad@chromium.org>,
security@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()
Date: Wed, 20 Sep 2017 07:37:26 -0600 [thread overview]
Message-ID: <20170920133726.dwqkovxcf34ot4vl@docker> (raw)
In-Reply-To: <20170920130443.GA4445@redhat.com>
On Wed, Sep 20, 2017 at 03:04:43PM +0200, Oleg Nesterov wrote:
> On 09/20, Oleg Nesterov wrote:
> >
> > @@ -908,13 +912,13 @@ long seccomp_get_filter(struct task_struct *task, unsigned long filter_off,
> > if (!data)
> > goto out;
> >
> > - get_seccomp_filter(task);
> > + refcount_inc(&filter->usage);
> > spin_unlock_irq(&task->sighand->siglock);
> >
> > if (copy_to_user(data, fprog->filter, bpf_classic_proglen(fprog)))
> > ret = -EFAULT;
> >
> > - put_seccomp_filter(task);
> > + __put_seccomp_filter(filter);
>
> This is the simple fix for -stable, but again, can't we simplify this
> code? Afaics we can do get_seccomp_filter() at the start and drop siglock
> right after that.
>
> Something like the untested patch (on top of this one) below?
Yes, this looks good to me, thanks.
> And I can't understand the SECCOMP_MODE_DISABLED check... shouldn't we
> simply remove it?
I think the idea was to prevent some interaction between
seccomp+ptrace+fork that we didn't understand. Since the user of this
code doesn't have seccomp filters attached, it was fine.
Thanks for cleaning this up, I'll be happy to test whatever final
patch we come up with.
Tycho
> Oleg.
>
>
> --- x/kernel/seccomp.c
> +++ x/kernel/seccomp.c
> @@ -858,45 +858,36 @@ long prctl_set_seccomp(unsigned long seccomp_mode, char __user *filter)
> long seccomp_get_filter(struct task_struct *task, unsigned long filter_off,
> void __user *data)
> {
> - struct seccomp_filter *filter;
> + struct seccomp_filter *orig, *filter;
> struct sock_fprog_kern *fprog;
> + unsigned long count;
> long ret;
> - unsigned long count = 0;
>
> if (!capable(CAP_SYS_ADMIN) ||
> current->seccomp.mode != SECCOMP_MODE_DISABLED) {
> return -EACCES;
> }
>
> + if (task->seccomp.mode != SECCOMP_MODE_FILTER)
> + return -EINVAL;
> +
> spin_lock_irq(&task->sighand->siglock);
> - if (task->seccomp.mode != SECCOMP_MODE_FILTER) {
> - ret = -EINVAL;
> - goto out;
> - }
> + get_seccomp_filter(task);
> + orig = task->seccomp.filter;
> + spin_unlock_irq(&task->sighand->siglock);
>
> - filter = task->seccomp.filter;
> - while (filter) {
> - filter = filter->prev;
> + count = 0;
> + for (filter = orig; filter; filter = filter->prev)
> count++;
> - }
>
> if (filter_off >= count) {
> ret = -ENOENT;
> goto out;
> }
> - count -= filter_off;
>
> - filter = task->seccomp.filter;
> - while (filter && count > 1) {
> - filter = filter->prev;
> + count -= filter_off;
> + for (filter = orig; count > 1; filter = filter->prev)
> count--;
> - }
> -
> - if (WARN_ON(count != 1 || !filter)) {
> - /* The filter tree shouldn't shrink while we're using it. */
> - ret = -ENOENT;
> - goto out;
> - }
>
> fprog = filter->prog->orig_prog;
> if (!fprog) {
> @@ -912,17 +903,11 @@ long seccomp_get_filter(struct task_struct *task, unsigned long filter_off,
> if (!data)
> goto out;
>
> - refcount_inc(&filter->usage);
> - spin_unlock_irq(&task->sighand->siglock);
> -
> if (copy_to_user(data, fprog->filter, bpf_classic_proglen(fprog)))
> ret = -EFAULT;
>
> - __put_seccomp_filter(filter);
> - return ret;
> -
> out:
> - spin_unlock_irq(&task->sighand->siglock);
> + __put_seccomp_filter(orig);
> return ret;
> }
> #endif
>
next prev parent reply other threads:[~2017-09-20 13:37 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAN-hQdds6zkYaGRJTrS5KOorvopoYnP4vBEfoKntS_8y4884Aw@mail.gmail.com>
2017-09-20 12:56 ` [PATCH] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter() Oleg Nesterov
2017-09-20 13:04 ` Oleg Nesterov
2017-09-20 13:37 ` Tycho Andersen [this message]
2017-09-20 15:59 ` introduce get_nth_filter() Oleg Nesterov
2017-09-20 16:14 ` Oleg Nesterov
2017-09-20 18:40 ` [PATCH] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter() Kees Cook
2017-09-21 11:31 ` Oleg Nesterov
2017-09-20 13:26 ` Tycho Andersen
2017-09-20 18:36 ` Kees Cook
2017-09-21 10:57 ` Oleg Nesterov
2017-09-21 19:51 ` Kees Cook
2017-09-22 15:22 ` Oleg Nesterov
2017-09-22 15:25 ` Tycho Andersen
2017-09-26 20:15 ` Tycho Andersen
2017-09-27 6:07 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170920133726.dwqkovxcf34ot4vl@docker \
--to=tycho@docker.com \
--cc=chrissalls5@gmail.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=oleg@redhat.com \
--cc=security@kernel.org \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox