Message-ID: <CAGXu5jLW9ZcQAy6+39a7iEpfDqUTTBJA9e8r51C4gVTrOqKjgQ@mail.gmail.com>
Date: Mon, 17 Jul 2017 23:39:43 -0700
From: Kees Cook <keescook@...omium.org>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
Andy Lutomirski <luto@...nel.org>,
David Howells <dhowells@...hat.com>,
Serge Hallyn <serge@...lyn.com>,
John Johansen <john.johansen@...onical.com>,
Casey Schaufler <casey@...aufler-ca.com>,
Alexander Viro <viro@...iv.linux.org.uk>,
Michal Hocko <mhocko@...nel.org>,
Ben Hutchings <ben@...adent.org.uk>,
Hugh Dickins <hughd@...gle.com>,
Oleg Nesterov <oleg@...hat.com>,
"Jason A. Donenfeld" <Jason@...c4.com>,
Rik van Riel <riel@...hat.com>,
James Morris <james.l.morris@...cle.com>,
Greg Ungerer <gerg@...ux-m68k.org>,
Ingo Molnar <mingo@...nel.org>,
Nicolas Pitre <nicolas.pitre@...aro.org>,
Stephen Smalley <sds@...ho.nsa.gov>,
Paul Moore <paul@...l-moore.com>,
Vivek Goyal <vgoyal@...hat.com>,
Mickaël Salaün <mic@...ikod.net>,
Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
"linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
"<linux-security-module@...r.kernel.org>"
<linux-security-module@...r.kernel.org>,
SE Linux <selinux@...ho.nsa.gov>
Subject: Re: [PATCH v2 1/8] exec: Correct comments about "point of no return"
On Mon, Jul 10, 2017 at 10:07 AM, Eric W. Biederman
<ebiederm@...ssion.com> wrote:
> Kees Cook <keescook@...omium.org> writes:
>
>> On Mon, Jul 10, 2017 at 1:46 AM, Eric W. Biederman
>> <ebiederm@...ssion.com> wrote:
>>>
>>> But you miss it.
>>>
>>> The "point of no return" is the call to de_thread. Or arguably anything in
>>> flush_old_exec. Once anything in the current task is modified you can't
>>> return an error.
>>>
>>> It very much does not have anything to do with bprm. It has
>>> everything to do with current.
>>
>> Yes, but the thing that actually enforces this is the test of bprm->mm
>> and the SIGSEGV in search_binary_handlers().
>
> So what. Calling that the point of no return is wrong.
>
> The point of no return is when we kill change anything in signal_struct
> or task_struct. AKA killing the first thread in de_thread.
Well, okay, I think this is a semantic difference. Prior to bprm->mm
being NULL, there is still an error return path (yes?), though there
may have been side-effects (like de_thread(), as you say). But after
going NULL, the exec either succeeds or SEGVs. It is literally the
point of no "return".
> It is more than just the SIGSEGV in search_binary_handlers that enforces
> this. de_thread only returns (with a failure code) after having killed
> some threads if those threads are dead.
This would still result in the exec-ing thread returning with that error, yes?
> Similarly exec_mmap only returns with failure if we know that a core
> dump is pending, and as such the process will be killed before returning
> to userspace.
Yeah, I had looked at this code and mostly decided it wasn't possible
for exec_mmap() to actually get its return value back to userspace.
> I am a little worried that we may fail to dump some threads if a core
> dump races with exec, but that is a quality of implementation issue, and
> the window is very small so I don't know that it matters.
>
> The point of no return very much comes a while before clearing bprm->mm.
I'm happy to re-write the comments, but I was just trying to document
the SEGV case, which is what that comment was originally trying to do
(and got lost in the various shuffles).
-Kees
--
Kees Cook
Pixel Security
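The thread argues about where inside the kernel the point of no return sits; from userspace only the resulting contract is visible, and the program below (an added example, not code from the thread or from the kernel) makes that contract observable. It forks a child that calls execve() and uses the close-on-exec errno pipe to tell the two outcomes apart: the kernel rejects the exec early and the error returns to the calling thread, or the exec goes through and the caller never returns, so the parent only sees an exit status or a terminating signal. It assumes /bin/sh exists, /tmp is writable, and uses a placeholder path for a constructed, deliberately unloadable file; the SIGSEGV case is a stand-in (the new program kills itself) rather than a real mid-exec failure.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the parent can observe about one execve() attempt made in a child. */
struct exec_outcome {
    int exec_returned;  /* 1: execve() came back to the caller with an error */
    int exec_errno;     /* errno the child saw in that case */
    int exit_status;    /* exit code if the child ended via exit(), else -1 */
    int term_signal;    /* signal number if the child was killed, else 0 */
};

/* Fork a child that calls execve(path, argv) with an empty environment and
 * report which outcome happened. The errno pipe uses the close-on-exec
 * trick: a successful exec closes the write end with nothing written, so the
 * parent reads EOF; a rejected exec returns into the child, which reports
 * errno through the pipe and exits 127. */
struct exec_outcome run_exec(const char *path, char *const argv[])
{
    struct exec_outcome out = { 0, 0, -1, 0 };
    char *const envp[] = { NULL };
    int fds[2];

    if (pipe(fds) != 0) {
        out.exec_returned = 1;
        out.exec_errno = errno;
        return out;
    }
    fcntl(fds[1], F_SETFD, FD_CLOEXEC);

    pid_t pid = fork();
    if (pid < 0) {
        out.exec_returned = 1;
        out.exec_errno = errno;
        close(fds[0]);
        close(fds[1]);
        return out;
    }
    if (pid == 0) {
        close(fds[0]);
        execve(path, argv, envp);
        /* Reached only if the kernel rejected the exec before its point of
         * no return and handed the error back to this thread. */
        int err = errno;
        (void)!write(fds[1], &err, sizeof err);
        _exit(127);
    }

    close(fds[1]);
    int err = 0;
    ssize_t n = read(fds[0], &err, sizeof err);
    close(fds[0]);

    int status = 0;
    waitpid(pid, &status, 0);
    if (n == (ssize_t)sizeof err) {
        out.exec_returned = 1;
        out.exec_errno = err;
    }
    if (WIFEXITED(status))
        out.exit_status = WEXITSTATUS(status);
    else if (WIFSIGNALED(status))
        out.term_signal = WTERMSIG(status);
    return out;
}

/* Create a constructed file that is executable but unloadable (no ELF header,
 * no "#!" line) so no binfmt handler accepts it; the path is a placeholder. */
const char *make_unloadable_file(void)
{
    static const char path[] = "/tmp/exec_demo_not_a_program";
    static const char junk[] = "this is not a program\n";
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0700);
    if (fd < 0)
        return NULL;
    (void)!write(fd, junk, sizeof junk - 1);
    close(fd);
    return path;
}

/* Case 1: no handler accepts the file, so execve() returns to the caller,
 * normally with ENOEXEC (EACCES instead if /tmp is mounted noexec). */
struct exec_outcome demo_exec_returns_error(void)
{
    char *const argv[] = { "not_a_program", NULL };
    return run_exec(make_unloadable_file(), argv);
}

/* Case 2: the exec succeeds. execve() never returns; the parent only ever
 * sees the new program's exit status. */
struct exec_outcome demo_exec_replaces_process(void)
{
    char *const argv[] = { "sh", "-c", "exit 7", NULL };
    return run_exec("/bin/sh", argv);
}

/* Case 3: the process dies of SIGSEGV after the exec went through. A stand-in
 * for the post-no-return failure mode discussed in the thread: the shell
 * kills itself, no error comes back, and the parent sees a signal. */
struct exec_outcome demo_killed_by_segv(void)
{
    char *const argv[] = { "sh", "-c", "kill -SEGV $$", NULL };
    return run_exec("/bin/sh", argv);
}
```

Call the three demo_* functions from a main() of your own and compare the exec_outcome fields: only case 1 ever sets exec_returned, which is the error-return path the thread says still exists before the task is modified; cases 2 and 3 show why nothing after that point can report failure as a return value, since the caller no longer exists to receive it.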