lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20141126205230.GA22121@redhat.com>
Date:	Wed, 26 Nov 2014 21:52:30 +0100
From:	Oleg Nesterov <oleg@...hat.com>
To:	Lukasz Pawelczyk <l.pawelczyk@...sung.com>
Cc:	Lukasz Pawelczyk <havner@...il.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Michal Hocko <mhocko@...e.cz>,
	David Rientjes <rientjes@...gle.com>,
	Sameer Nanda <snanda@...omium.org>,
	Guillaume Morin <guillaume@...infr.org>,
	Li Zefan <lizefan@...wei.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] kernel/exit.c: make sure current's nsproxy != NULL
	while checking caps

On 11/26, Lukasz Pawelczyk wrote:
>
> My understanding is that while we have to use task_nsproxy()

task_nsproxy() has already gone... probably this doesn't matter but which
kernel version ?

> task's nsproxy and check whether it's NULL, for the 'current' we don't
> have to and it's expected not to be NULL.

Well, unless exit_task_namespaces() was called ;)

> There seem to be no crash currently because of this, but with other LSM
> modules or in future there might be. This is the backtrace:

Confused... backtrace of what? did kernel crash or what?

> 0  smk_tskacc (task=0xffff88003b0b92e0, obj_known=0x2 <irq_stack_union+2>, mode=2, a=0xffff88003be53dd8) at security/smack/smack_access.c:261
> 1  0xffffffff8130e2aa in smk_curacc (obj_known=<optimized out>, mode=<optimized out>, a=<optimized out>) at security/smack/smack_access.c:318
> 2  0xffffffff8130a50d in smack_task_kill (p=0xffff88003b0b92e0, info=<optimized out>, sig=<optimized out>, secid=<optimized out>) at security/smack/smack_lsm.c:2071

I do not know this code, so could you please tell more? How/wher smk_tskacc()
uses ->nsproxy?  smack_access.c:261 leads to the comment header above smk_curacc()
in my tree, so this tells me nothing.

> --- a/kernel/exit.c
> +++ b/kernel/exit.c
> @@ -751,7 +751,6 @@ void do_exit(long code)
>  	exit_fs(tsk);
>  	if (group_dead)
>  		disassociate_ctty(1);
> -	exit_task_namespaces(tsk);
>  	exit_task_work(tsk);
>  	exit_thread();
>  
> @@ -773,6 +772,13 @@ void do_exit(long code)
>  	flush_ptrace_hw_breakpoint(tsk);
>  
>  	exit_notify(tsk, group_dead);
> +
> +	/*
> +	 * This should be after all things that pottentially require
> +	 * process's namespaces (e.g. capability checks).
> +	 */
> +	exit_task_namespaces(tsk);
> +
>  	proc_exit_connector(tsk);

Well, we can probably move exit_task_namespaces() down (perhaps we even
want to move it after exit_task_work).

But I am not sure about exit_notify(), in this case free_nsproxy() can
be called when the caller is already reaped.

In any case, please more details?

Oleg.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ