Re: [PATCH 3/3] seccomp: introduce read protection for struct seccomp

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Tycho Andersen <tycho@tycho.ws>
To: Jann Horn <jannh@google.com>
Cc: Kees Cook <keescook@chromium.org>,
	kernel list <linux-kernel@vger.kernel.org>,
	Andy Lutomirski <luto@amacapital.net>
Subject: Re: [PATCH 3/3] seccomp: introduce read protection for struct seccomp
Date: Fri, 28 Sep 2018 15:35:57 -0600	[thread overview]
Message-ID: <20180928213557.GD18045@cisco.lan> (raw)
In-Reply-To: <CAG48ez1CpPmk6BFOztA-=w1U-pvaNBXou6JpcfMKx_ELGSwDVA@mail.gmail.com>

On Fri, Sep 28, 2018 at 11:10:48PM +0200, Jann Horn wrote:
> On Fri, Sep 28, 2018 at 10:56 PM Tycho Andersen <tycho@tycho.ws> wrote:
> >
> > On Fri, Sep 28, 2018 at 10:33:34PM +0200, Jann Horn wrote:
> > > On Fri, Sep 28, 2018 at 5:47 PM Tycho Andersen <tycho@tycho.ws> wrote:
> > > > As Jann pointed out, there is a race between SECCOMP_FILTER_FLAG_TSYNC and
> > > > the ptrace code that can inspect a filter of another process. Let's
> > > > introduce read locking into the two ptrace accesses so that we don't race.
> > >
> > > Hmm. Is that true? The ptrace code uses get_nth_filter(), which holds
> > > the siglock while grabbing the seccomp filter and bumping its
> > > refcount. And TSYNC happens from seccomp_set_mode_filter(), which
> > > takes the siglock. So this looks okay to me?
> >
> > Oh, yes, you're right. So I guess we should just change the comment to
> > say we're using siglock to represent the read lock.
> 
> Hmm... actually, looking at this closer, I think you only need the
> siglock for writing. As far as I can tell, any read (no matter if
> current or non-current) can just use READ_ONCE(), because once a
> seccomp filter is in a task's seccomp filter chain, it can't be freed
> until the task reaches free_task() and calls put_seccomp_filter() from
> there. And if the task whose seccomp filter you're trying to read can
> reach free_task(), you have bigger problems.

Ok; looks like get_nth_filter() took the siglock anyway. Since we get
the filters in these two functions in get_nth_filter(), I think it's
enough just to just,

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index f65d47650ac1..79d833ed4c34 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -1001,7 +1001,7 @@ static struct seccomp_filter *get_nth_filter(struct task_struct *task,
 		return ERR_PTR(-EINVAL);
 	}
 
-	orig = task->seccomp.filter;
+	orig = READ_ONCE(task->seccomp.filter);
 	__get_seccomp_filter(orig);
 	spin_unlock_irq(&task->sighand->siglock);
 

since once it's returned from get_nth_filter() we don't need to worry
about multiple accesses?

Tycho

next prev parent reply	other threads:[~2018-09-28 21:36 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-09-28 15:46 [PATCH 1/3] seccomp: change return type of seccomp_get_metadata to int Tycho Andersen
2018-09-28 15:46 ` [PATCH 2/3] seccomp: change return type of seccomp_get_filter " Tycho Andersen
2018-09-28 15:46 ` [PATCH 3/3] seccomp: introduce read protection for struct seccomp Tycho Andersen
2018-09-28 20:33   ` Jann Horn
2018-09-28 20:56     ` Tycho Andersen
2018-09-28 21:10       ` Jann Horn
2018-09-28 21:35         ` Tycho Andersen [this message]
2018-09-28 21:54           ` Jann Horn
2018-09-28 22:02             ` Tycho Andersen

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:f65d47650ac dfblob:79d833ed4c3 )
 OR (
bs:"Re: [PATCH 3/3] seccomp: introduce read protection for struct seccomp" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180928213557.GD18045@cisco.lan \
    --to=tycho@tycho.ws \
    --cc=jannh@google.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox