From: "Serge E. Hallyn" <serge@hallyn.com>
To: Kees Cook <keescook@chromium.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
Andrew Morton <akpm@linux-foundation.org>,
Ben Hutchings <ben.hutchings@codethink.co.uk>,
James Morris <james.l.morris@oracle.com>,
Andy Lutomirski <luto@kernel.org>,
Oleg Nesterov <oleg@redhat.com>, Jiri Slaby <jslaby@suse.cz>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] exec: Avoid RLIMIT_STACK races with prlimit()
Date: Wed, 29 Nov 2017 14:09:08 -0600 [thread overview]
Message-ID: <20171129200908.GA17660@mail.hallyn.com> (raw)
In-Reply-To: <CAGXu5jLqmU3AoGNZGniW+dtZ3TCMhJFw6QWEm2Yg1HO39n1GNw@mail.gmail.com>
Quoting Kees Cook (keescook@chromium.org):
> On Wed, Nov 29, 2017 at 10:20 AM, Serge E. Hallyn <serge@hallyn.com> wrote:
> > Quoting Kees Cook (keescook@chromium.org):
> >> While the defense-in-depth RLIMIT_STACK limit on setuid processes was
> >> protected against races from other threads calling setrlimit(), I missed
> >> protecting it against races from external processes calling prlimit().
> >> This adds locking around the change and makes sure that rlim_max is set
> >> too.
> >>
> >> Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
> >> Reported-by: Brad Spengler <spender@grsecurity.net>
> >> Fixes: 64701dee4178e ("exec: Use sane stack rlimit under secureexec")
> >> Cc: stable@vger.kernel.org
> >> Cc: James Morris <james.l.morris@oracle.com>
> >> Cc: Serge Hallyn <serge@hallyn.com>
> >
> > Acked-by: Serge Hallyn <serge@hallyn.com>
>
> Thanks!
>
> >
> > The only thing i'm wondering is in do_prlimit():
> >
> > . 1480 if (new_rlim) {
> > . 1481 if (new_rlim->rlim_cur > new_rlim->rlim_max)
> > . 1482 return -EINVAL;
> >
> > that bit is done not under the lock. Does that still allow a
> > race, if this check is done before the below block, and then the
> > rest proceeds after?
> >
> > I *think* not, because later in do_prlimit() it will return -EPERM if
> >
> > . 1500 if (new_rlim->rlim_max > rlim->rlim_max &&
> > . 1501 !capable(CAP_SYS_RESOURCE))
> >
> > Although rlim is gathered before the lock, but that is a struct *
> > so should be ok?
>
> I stared at this for a while too. I think it's okay because the max is
> checked under the lock, so the max can't be raced to be raised. The
> cur value could get raced, though, but I don't think that's a problem,
> since it's the "soft" limit.
Oh, right, and so if soft > hard that will just end up ignored... ok.
prev parent reply other threads:[~2017-11-29 20:09 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-27 19:34 [PATCH] exec: Avoid RLIMIT_STACK races with prlimit() Kees Cook
2017-11-29 18:20 ` Serge E. Hallyn
2017-11-29 18:27 ` Kees Cook
2017-11-29 20:09 ` Serge E. Hallyn [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171129200908.GA17660@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=akpm@linux-foundation.org \
--cc=ben.hutchings@codethink.co.uk \
--cc=james.l.morris@oracle.com \
--cc=jslaby@suse.cz \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=oleg@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox