| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20151021214703.GA1810@redhat.com>
Date: Wed, 21 Oct 2015 23:47:03 +0200
From: Oleg Nesterov <oleg@...hat.com>
To: Denys Vlasenko <dvlasenk@...hat.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Dmitry Vyukov <dvyukov@...gle.com>,
Alexander Potapenko <glider@...gle.com>,
Eric Dumazet <edumazet@...gle.com>,
Jan Kratochvil <jan.kratochvil@...hat.com>,
Julien Tinnes <jln@...gle.com>,
Kees Cook <keescook@...gle.com>,
Kostya Serebryany <kcc@...gle.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
"Michael Kerrisk (man-pages)" <mtk.manpages@...il.com>,
Pedro Alves <palves@...hat.com>,
Robert Swiecki <swiecki@...gle.com>,
Roland McGrath <roland@...k.frob.com>,
syzkaller@...glegroups.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] wait/ptrace: always assume __WALL if the child is
traced
On 10/21, Denys Vlasenko wrote:
>
> On 10/21/2015 09:59 PM, Denys Vlasenko wrote:
> > On 10/21/2015 12:31 AM, Andrew Morton wrote:
> >> Well, to fix this a distro needs to roll out a new kernel. Or a new
> >> init(8). Is there any reason to believe that distributing/deploying a
> >> new kernel is significantly easier for everyone? Because fixing init
> >> sounds like a much preferable solution to this problem.
> >
> > People will continue to write new init(8) implementations,
> > and they will miss this obscure case.
> >
> > Before this bug was found, it was considered possible to use
> > a shell script as init process. What now, every shell needs to add
> > __WALL to its waitpids?
Why not? I think it can safely use __WALL too.
> > The use of PTRACE_TRACEME in this reproducer is clearly pathological:
> > PTRACE_TRACEME was never intended to be used to attach to unsuspecting
> > processes.
Sure. But people do the things which were never intended to be
used all the time. We simply can not know if this "feature"
already has a creative user or not.
As for the patch,
> --- a/kernel/ptrace.c
> +++ b/kernel/ptrace.c
> @@ -385,6 +385,17 @@ static int ptrace_traceme(void)
> write_lock_irq(&tasklist_lock);
> /* Are we already being traced? */
> if (!current->ptrace) {
> + struct pid_namespace *pid_ns;
> +
> + pid_ns = task_active_pid_ns(current->parent);
> + if (current->parent == pid_ns->child_reaper) {
Well, at least this needs same_thread_group(parent, child_reaper).
Plus we have PR_SET_CHILD_SUBREAPER so we also need to traverse the
->real_parent list if has_subreaper.
Finally it is not clear which ->child_reaper we should use after
setns(pidns_fd).
This all is fixable (although this again reminds me about a bug
with CHILD_SUBREAPER we probably need to fix first). But I didn't
even try to consider this option because it can break something.
And honestly, personally I don't like it. If we believe that we
can do this because "PTRACE_TRACEME was never intended to be used
to attach to unsuspecting processes", then we need a more generic
change, imo.
See http://marc.info/?l=linux-kernel&m=144536282305282 . Just in
case, it is not that I think "parent_exec_id != self_exec_id" is
all we need. This needs more discussion.
Oleg.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists