lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20131218201940.GA9694@redhat.com>
Date:	Wed, 18 Dec 2013 21:19:41 +0100
From:	Oleg Nesterov <oleg@...hat.com>
To:	Richard Guy Briggs <rgb@...hat.com>
Cc:	John Johansen <john.johansen@...onical.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Eric Paris <eparis@...hat.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] apparmor: remove the "task" arg from
	may_change_ptraced_domain()

On 12/18, Richard Guy Briggs wrote:
>
> Bcc: rgb@...hat.com
> Subject: Re: [PATCH] apparmor: remove the "task" arg from
>  may_change_ptraced_domain()
> Reply-To:
> In-Reply-To: <20130926132519.GY13968@...cap2.tricolour.ca>

The subject is empty ;) I changed it to match the above.

> On 13/09/26, Richard Guy Briggs wrote:
> > On Tue, Sep 24, 2013 at 06:44:42PM +0200, Oleg Nesterov wrote:
> > > On 09/23, Richard Guy Briggs wrote:
> > > >
> > > > On Mon, Sep 16, 2013 at 04:20:35PM +0200, Oleg Nesterov wrote:
> > > > > Unless task == current ptrace_parent(task) is not safe even under
> > > > > rcu_read_lock() and most of the current users are not right.
> > > >
> > > > Could you point to an explanation of this?
> > >
> > > If this task exits before rcu_read_lock() ->parent can point to the
> > > already freed/reused memory.
> >
> > Ok, understood.  So even though the task may have exited, the task
> > struct pointer is still valid, but not the contents of the task struct
> > to which it points.
>
> [The thread also relates to the patch
> 	"pid: get ppid pid_t of task in init_pid_ns safely"
> in which sys_getppid() (which appears safe) is replaced with something that
> references the init_pid_ns rather than current's pid_ns.]
>
> So, in the general case, that call is not safe, and we should at least
> remove the task_struct argument.

I changed my mind, please see the recent discussion with Paul:

	http://marc.info/?t=138626281900001

instead we should document why ptrace_parent() is safe without pid_alive().

I hope that the change in apparmor was fine anyway.


Otherwise I can't understand your email, at least right now... I do not
know how/where audit uses parent/real_parent.

But yes, unless tsk == current, the usage of tsk->*parent is not safe even
under rcu_read_lock() unless you verify that this task was not unhashed.

ptrace_parent() is safe because it checks ->ptrace. Previously I thought
we should not rely on this, but the additional pid_alive() looks ugly so
it would be better to simply document this. I'll send the patch.

Oleg.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ