[PATCH 2.6.29.6 - 2.6.35-rc3] CRED: Release spinlock before commit_creds().

[PATCH 2.6.29.6 - 2.6.35-rc3] CRED: Release spinlock before commit_creds().

[Tetsuo Handa]

reparent_to_kthreadd() is calling commit_creds() with tasklist_lock held. But
commit_creds() calls key_fsuid_changed()/key_fsgid_changed()/proc_id_connector()
which may sleep. Release tasklist_lock before calling commit_creds().

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 kernel/exit.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- security-testing-2.6.orig/kernel/exit.c
+++ security-testing-2.6/kernel/exit.c
@@ -348,8 +348,8 @@ static void reparent_to_kthreadd(void)
 	       sizeof(current->signal->rlim));
 
 	atomic_inc(&init_cred.usage);
-	commit_creds(&init_cred);
 	write_unlock_irq(&tasklist_lock);
+	commit_creds(&init_cred);
 }
 
 void __set_special_pids(struct pid *pid)

Re: [PATCH 2.6.29.6 - 2.6.35-rc3] CRED: Release spinlock before commit_creds().

[Serge E. Hallyn]

Quoting Tetsuo Handa (penguin-kernel@I-love.SAKURA.ne.jp):
> reparent_to_kthreadd() is calling commit_creds() with tasklist_lock held. But
> commit_creds() calls key_fsuid_changed()/key_fsgid_changed()/proc_id_connector()
> which may sleep. Release tasklist_lock before calling commit_creds().
> 
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

The reparenting is done in current context, so current_cred can't go
away, and init_cred can't go away.  And I can't think of anything
nefarious anyone could do to the task on account of the previous
credentials (as a result of the reparenting) before commit_creds()
completes.  So it looks good to me, but David might know of a reason
why it isn't...  Anyway:

Acked-by: Serge E. Hallyn <serge@hallyn.com>

> ---
>  kernel/exit.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> --- security-testing-2.6.orig/kernel/exit.c
> +++ security-testing-2.6/kernel/exit.c
> @@ -348,8 +348,8 @@ static void reparent_to_kthreadd(void)
>  	       sizeof(current->signal->rlim));
>  
>  	atomic_inc(&init_cred.usage);
> -	commit_creds(&init_cred);
>  	write_unlock_irq(&tasklist_lock);
> +	commit_creds(&init_cred);
>  }
>  
>  void __set_special_pids(struct pid *pid)
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 2.6.29.6 - 2.6.35-rc3] CRED: Release spinlock before commit_creds().

[David Howells]

Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> wrote:

> reparent_to_kthreadd() is calling commit_creds() with tasklist_lock held.
> But commit_creds() calls
> key_fsuid_changed()/key_fsgid_changed()/proc_id_connector() which may sleep.
> Release tasklist_lock before calling commit_creds().

Hmmm...  Does this change leave a hole in which the thread can be accessed as
it's not locked away, but still has the old credentials?

I wonder if we should have an internal CLONE_KTHREAD flag to achieve this in
do_fork() rather than daemonize()'ing the thread later.

Also, key_fsuid_changed() and key_fsgid_changed() should be skipped in
commit_creds() if the thread-keyring pointer in the new creds is not the same
as that in the old creds (as will be the case if we're shifting to init_cred),
so they shouldn't really be a problem.

However, I can't see an easy way around proc_id_connector() sleeping - unless
we just don't call it if new == &init_cred in commit_creds().

I suppose it also leaves a hole if we call commit_creds() first, before
getting the write_lock()... :-/

David