lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20120308190303.GG21812@moon>
Date:	Thu, 8 Mar 2012 23:03:03 +0400
From:	Cyrill Gorcunov <gorcunov@...nvz.org>
To:	Oleg Nesterov <oleg@...hat.com>
Cc:	Matt Helsley <matthltc@...ibm.com>,
	KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>,
	Pavel Emelyanov <xemul@...allels.com>,
	Kees Cook <keescook@...omium.org>, Tejun Heo <tj@...nel.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	LKML <linux-kernel@...r.kernel.org>
Subject: Re: [RFC] c/r: prctl: Add ability to set new mm_struct::exe_file v3

On Thu, Mar 08, 2012 at 07:26:23PM +0100, Oleg Nesterov wrote:
> On 03/08, Cyrill Gorcunov wrote:
> >
> > Hi Oleg, could you please take a look once you get a minute (no urgency).
> 
> Add Matt. I won't touch the text below to keep the patch intact.

Thanks for CC'ing Matt, Oleg (I forgot, sorry).

> 
> With this change
> 
> 	down_write(&mm->mmap_sem);
> 	if (mm->num_exe_file_vmas) {
> 		fput(mm->exe_file);
> 		mm->exe_file = exe_file;
> 		exe_file = NULL;
> 	} else
> 		set_mm_exe_file(mm, exe_file);
> 	up_write(&mm->mmap_sem);
> 
> I simply do not understand what mm->num_exe_file_vmas means after
> PR_SET_MM_EXE_FILE.
> 
> I think that you should do
> 
> 	down_write(&mm->mmap_sem);
> 	if (mm->num_exe_file_vmas) {
> 		fput(mm->exe_file);
> 		mm->exe_file = exe_file;
> 		exe_file = NULL;
> 	}
> 	up_write(&mm->mmap_sem);
> 
> to keep the current "mm->exe_file goes away after the final
> unmap(MAP_EXECUTABLE)" logic.
> 
> OK, may be this doesn't work in c/r case because you are actually
> going to remove the old mappings? But in this case the new exe_file
> will go away anyway, afaics PR_SET_MM_EXE_FILE is called when you
> still have the old mappings.

Yes, exactly, I need to remove old mappings first (because VMAs
we're about to restore may intersect with current map the host
program has). And yes, once they all are removed I don't have
/proc/pid/exe anymore. That's why I need num_exe_file_vmas == 0
case.

When I setup new exe_file with num_exe_file_vmas = 0, this reference
to a file brings /proc/pid/exe back to live (and when process exiting
it'll call set_mm_exe_file(mm, NULL) and the new exe_file will be dropped,
so no leak here).

> 
> And I don't think the unconditional
> 
> 	down_write(&mm->mmap_sem);
> 	set_mm_exe_file(mm, exe_file);
> 	up_write(&mm->mmap_sem);
> 
> is 100% right, this clears ->num_exe_file_vmas. This means that
> (if you still have the old mapping) the new exe_file can go away
> after added_exe_file_vma() + removed_exe_file_vma(). Normally this
> should happen, but afaics this is possible. Note that even, say,
> mprotect() can trigger added_exe_file_vma().
> 

Wait, Oleg, I'm confused, in case if there *is* exitsting VM_EXECUTABLEs
then we jump into first banch and simply replace old exe_file.
If there is no VM_EXECUTABLEs, then we simply setup new exe_file
and num_exe_file_vmas remains zero.

Or I miss something obvious and we somehow can cause the kernel
to map VM_EXECUTABLEs out of binfmt-elf loader?

> May be we can do something like
> 
> 	down_write(&mm->mmap_sem);
> 	set_mm_exe_file(mm, exe_file);
> 	// we are cheating anyway, make sure it can never == 0
> 	// if we have the "old" VM_EXECUTABLE vmas.
> 	mm->num_exe_file_vmas = LONG_MAX;
> 	up_write(&mm->mmap_sem);
> 
> I dunno. Matt, could you help?

	Cyrill
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ