lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 31 Mar 2012 17:55:20 +0400
From:	Vasiliy Kulikov <segoon@...nwall.com>
To:	Andrew Morton <akpm@...ux-foundation.org>
Cc:	Valdis.Kletnieks@...edu,
	Arkadiusz Miƛkiewicz <a.miskiewicz@...il.com>,
	linux-kernel@...r.kernel.org, Alexey Dobriyan <adobriyan@...il.com>
Subject: [PATCH] proc: reset mount options after the last procfs umount

On Mon, Mar 26, 2012 at 15:37 -0700, Andrew Morton wrote:
> On Sun, 25 Mar 2012 18:23:16 -0400
> Valdis.Kletnieks@...edu wrote:
> 
> > Yes, it may be what the code actually *does*, but it certainly violates
> > the Principle of Least Surprise...
> 
> It surprises me ;)  I never noticed that before.
> 
> It does seem pretty insane.  I wonder how much downstream damage would
> result from fixing it.

Resetting options on each mount is implemented in the following patch.
However, I'm stuck with searching a race-free way to learn current
mounts count of this procfs sb.  sget() + atomic_read() is racy:

	(A)				(B)
	mount -t proc			mount -t proc

	sget()				|
	|				sget()
	atomic_read(&sb->s_active)	|
	|				atomic_read(&sb->s_active)

So, it has a theoretical race of reading sb->s_active with 2+ parallel
mounts and both reads will get 3 instead of 2.  Consequently, neither of
mounts will reset mount options.

I wonder whether anybody will try to do such parallel type of things
in reality (IOW, is it OK to leave this race?)

--------------
From: Vasiliy Kulikov <segoon@...nwall.com>
Subject: [PATCH] proc: reset mount options after the last procfs umount

The following command sequence leads to wrong mount options setting:

  mount -t proc -o hidepid=1 none /proc
  umount /proc
  mount -t proc none /proc

The second "mount" mounts procfs with old options from the first "mount",
but should use no options.

Fix that by resetting mount options in pid_namespace each time procfs
is mounted in a pid namespace without other procfs mount points.

Note that if one creates second procfs mount point, it should use old
mount options (IOW, reuse first mount point's options).

Signed-off-by: Vasiliy Kulikov <segoon@...nwall.com>

--
 fs/proc/root.c |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

---
diff --git a/fs/proc/root.c b/fs/proc/root.c
index eed44bf..7067a5c 100644
--- a/fs/proc/root.c
+++ b/fs/proc/root.c
@@ -47,6 +47,12 @@ static const match_table_t tokens = {
 	{Opt_err, NULL},
 };
 
+static void proc_reset_options(struct pid_namespace *pid)
+{
+	pid->pid_gid = 0;
+	pid->hide_pid = 0;
+}
+
 static int proc_parse_options(char *options, struct pid_namespace *pid)
 {
 	char *p;
@@ -115,6 +121,9 @@ static struct dentry *proc_mount(struct file_system_type *fs_type,
 	if (IS_ERR(sb))
 		return ERR_CAST(sb);
 
+	if (atomic_read(&sb->s_active) <= 2)
+		proc_reset_options(ns);
+
 	if (!proc_parse_options(options, ns)) {
 		deactivate_locked_super(sb);
 		return ERR_PTR(-EINVAL);
--

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ