lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 16 Jan 2009 11:35:22 +0100
From:	Louis Rilling <Louis.Rilling@...labs.com>
To:	Oleg Nesterov <oleg@...hat.com>
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Pavel Emelyanov <xemul@...nvz.org>,
	Sukadev Bhattiprolu <sukadev@...ux.vnet.ibm.com>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH 3/3] pids: refactor vnr/nr_ns helpers to make them safe

Hi Oleg,

On 16/01/09  6:55 +0100, Oleg Nesterov wrote:
> Inho, the safety rules for vnr/nr_ns helpers are horrible and buggy.
> 
> task_pid_nr_ns(task) needs rcu/tasklist depending on task == current.
> 
> As for "special" pids, vnr/nr_ns helpers always need rcu. However,
> if task != current, they are unsafe even under rcu lock, we can't
> trust task->group_leader without the special checks.
> 
> And almost every helper has a callsite which needs a fix.
> 
> Also, it is a bit annoying that the implementations of, say,
> task_pgrp_vnr() and task_pgrp_nr_ns() are not "symmetrical".
> 
> This patch introduces the new helper, __task_pid_nr_ns(), which is
> always safe to use, and turns all other helpers into the trivial
> wrappers.
> 
> If this patch is acceptable, I'll send another one which converts
> task_tgid_xxx() as well, there are a bit special.
> 
> Signed-off-by: Oleg Nesterov <oleg@...hat.com>
> 

[...]

> --- CUR/kernel/pid.c~SP_3_NR	2009-01-16 02:54:26.000000000 +0100
> +++ CUR/kernel/pid.c	2009-01-16 05:40:43.000000000 +0100
> @@ -452,11 +452,24 @@ pid_t pid_vnr(struct pid *pid)
>  }
>  EXPORT_SYMBOL_GPL(pid_vnr);
>  
> -pid_t task_pid_nr_ns(struct task_struct *tsk, struct pid_namespace *ns)
> +pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type,
> +			struct pid_namespace *ns)
>  {
> -	return pid_nr_ns(task_pid(tsk), ns);
> +	pid_t nr = 0;
> +
> +	rcu_read_lock();
> +	if (!ns)
> +		ns = current->nsproxy->pid_ns;
> +	if (likely(pid_alive(task))) {

I don't see what this pid_alive() check buys you. Since tasklist_lock is not
enforced, nothing prevents another CPU from detaching the pid right after the
check.

I'm also a bit puzzled by your description with using tasklist_lock when task !=
current, and not seeing tasklist_lock anywhere in the patch. Does this mean that
"safe" is for "no access to freed memory is done, but caller has to take
tasklist_lock or may get 0 as return value"?

Thanks,

Louis

> +		if (type != PIDTYPE_PID)
> +			task = task->group_leader;
> +		nr = pid_nr_ns(task->pids[type].pid, ns);
> +	}
> +	rcu_read_unlock();
> +
> +	return nr;
>  }
> -EXPORT_SYMBOL(task_pid_nr_ns);
> +EXPORT_SYMBOL(__task_pid_nr_ns);
>  
>  pid_t task_tgid_nr_ns(struct task_struct *tsk, struct pid_namespace *ns)
>  {

[...]

-- 
Dr Louis Rilling			Kerlabs
Skype: louis.rilling			Batiment Germanium
Phone: (+33|0) 6 80 89 08 23		80 avenue des Buttes de Coesmes
http://www.kerlabs.com/			35700 Rennes

Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ