lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 18 Nov 2021 10:10:18 -0600
From:   ebiederm@...ssion.com (Eric W. Biederman)
To:     Kees Cook <keescook@...omium.org>
Cc:     Kyle Huey <me@...ehuey.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Andrea Righi <andrea.righi@...onical.com>,
        Shuah Khan <shuah@...nel.org>,
        Alexei Starovoitov <ast@...nel.org>,
        Andy Lutomirski <luto@...capital.net>,
        Will Drewry <wad@...omium.org>,
        "open list\:KERNEL SELFTEST FRAMEWORK" 
        <linux-kselftest@...r.kernel.org>, bpf <bpf@...r.kernel.org>,
        open list <linux-kernel@...r.kernel.org>,
        linux-hardening@...r.kernel.org,
        Robert O'Callahan <rocallahan@...il.com>
Subject: Re: [REGRESSION] 5.16rc1: SA_IMMUTABLE breaks debuggers

Kees Cook <keescook@...omium.org> writes:

> On Wed, Nov 17, 2021 at 05:20:33PM -0800, Kyle Huey wrote:
>> Yeah that's one way to solve the problem. I think you're right that
>> fundamentally the problem here is that what SECCOMP_RET_KILL wants is
>> not really a signal. To the extent that it wants a signal, what it
>> really wants is SIGKILL, and the problem here is the code trying to
>> act like SIGKILL but call it SIGSYS. I assume the ship for fixing that
>> sailed years ago though.
>
> Yeah, this was IIRC, a specific design choice (to distinguish a seccomp
> KILL from a SIGKILL), as desired by the sandboxing folks, and instead
> of using two different signals (one for KILL and one for TRAP), both
> used SIGSYS, with the KILL variant being uncatchable.

I see a general consensus on how to fix the regression.  Linus patch
plus some tweaks.  I will get to work on that today.

For v5.15 I think all that needs to get fixed is what Linus fixed
and the force_sigsegv case.  That is my priority.



For v5.16-rc1+ the instances that became force_fatal_signal need
a careful review to figure out which semantics we want.


Having a clear distinction between which forced signals we can let the
debugger intercept and which ones we can not seems to be what needs to
be added.


Kyle thank you for your explanation of what breaks.  For future kernels
I do need to do some work in this area and I will copy on the patches
going forward.  In particular I strongly suspect that changing the
sigaction and blocked state of the signal for these synchronous signals
is the wrong thing to do, especially if the process is not killed.  I
want to find another solution that does not break things but that also
does not change the program state behind the programs back so things
work differently under the debugger.

Eric

Powered by blists - more mailing lists