From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752493AbdK2UJK (ORCPT <rfc822;w@1wt.eu>);
        Wed, 29 Nov 2017 15:09:10 -0500
Received: from h2.hallyn.com ([78.46.35.8]:48156 "EHLO h2.hallyn.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1752014AbdK2UJJ (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 29 Nov 2017 15:09:09 -0500
Date: Wed, 29 Nov 2017 14:09:08 -0600
From: "Serge E. Hallyn" <serge@hallyn.com>
To: Kees Cook <keescook@chromium.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Ben Hutchings <ben.hutchings@codethink.co.uk>,
        James Morris <james.l.morris@oracle.com>,
        Andy Lutomirski <luto@kernel.org>, Oleg Nesterov <oleg@redhat.com>,
        Jiri Slaby <jslaby@suse.cz>, LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] exec: Avoid RLIMIT_STACK races with prlimit()
Message-ID: <20171129200908.GA17660@mail.hallyn.com>
References: <20171127193457.GA11348@beast>
 <20171129182004.GF14545@mail.hallyn.com>
 <CAGXu5jLqmU3AoGNZGniW+dtZ3TCMhJFw6QWEm2Yg1HO39n1GNw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAGXu5jLqmU3AoGNZGniW+dtZ3TCMhJFw6QWEm2Yg1HO39n1GNw@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Quoting Kees Cook (keescook@chromium.org):
> On Wed, Nov 29, 2017 at 10:20 AM, Serge E. Hallyn <serge@hallyn.com> wrote:
> > Quoting Kees Cook (keescook@chromium.org):
> >> While the defense-in-depth RLIMIT_STACK limit on setuid processes was
> >> protected against races from other threads calling setrlimit(), I missed
> >> protecting it against races from external processes calling prlimit().
> >> This adds locking around the change and makes sure that rlim_max is set
> >> too.
> >>
> >> Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
> >> Reported-by: Brad Spengler <spender@grsecurity.net>
> >> Fixes: 64701dee4178e ("exec: Use sane stack rlimit under secureexec")
> >> Cc: stable@vger.kernel.org
> >> Cc: James Morris <james.l.morris@oracle.com>
> >> Cc: Serge Hallyn <serge@hallyn.com>
> >
> > Acked-by: Serge Hallyn <serge@hallyn.com>
> 
> Thanks!
> 
> >
> > The only thing i'm wondering is in do_prlimit():
> >
> > . 1480         if (new_rlim) {
> > . 1481                 if (new_rlim->rlim_cur > new_rlim->rlim_max)
> > . 1482                         return -EINVAL;
> >
> > that bit is done not under the lock.  Does that still allow a
> > race, if this check is done before the below block, and then the
> > rest proceeds after?
> >
> > I *think* not, because later in do_prlimit() it will return -EPERM if
> >
> > . 1500                 if (new_rlim->rlim_max > rlim->rlim_max &&
> > . 1501                                 !capable(CAP_SYS_RESOURCE))
> >
> > Although rlim is gathered before the lock, but that is a struct *
> > so should be ok?
> 
> I stared at this for a while too. I think it's okay because the max is
> checked under the lock, so the max can't be raced to be raised. The
> cur value could get raced, though, but I don't think that's a problem,
> since it's the "soft" limit.

Oh, right, and so if soft > hard that will just end up ignored...  ok.