lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Thu, 13 Aug 2020 09:46:55 +0200
From:   Christian Brauner <christian.brauner@...ntu.com>
To:     hui yang <yanghui.def@...il.com>
Cc:     christian@...uner.io, peterz@...radead.org, christian@...lner.me,
        tglx@...utronix.de, linux-kernel@...r.kernel.org, wad@...omium.org
Subject: Re: [PATCH v2] mm: LMK, adjust oom_score_adj when fork a new process

On Thu, Aug 13, 2020 at 10:53:31AM +0800, hui yang wrote:
> From: YangHui <yanghui.def@...il.com>
> 
> Also it rely on inheritance,But there are some things you need't inheriting
> if all children oom_score_adj is -1000,the oom is meaningless

I can just reapeat what I said before: we will not be changing
inheritance behavior. It will break userspace.

And there's more problems.
Changing oom_score_adj is usually guarded by CAP_SYS_RESOURCE. It
doesn't seem like the change here adresses that in the code or in the
commit message. So from what I can tell this change here means, that a
parent process that has a "always kill" or "never kill" oom score can
spawn children that don't. That's at least surprising and at worst a
potential security issue.

In addition, given that you assign OOM_SCORE_ADJ_MIN to
oom_score_adj_min you also seem to basically allow the child process to
set /proc/<pid>/oom_score_adj to whatever low value after fork the
process sees fit without requiring CAP_SYS_RESOURCE basically enabling a
process to set itself to never be killed even though it's parent might
have been in "always kill" mode. See in fs/proc/base.c:

if ((short)oom_adj < task->signal->oom_score_adj_min &&
		!capable(CAP_SYS_RESOURCE)) {
	err = -EACCES;
	goto err_unlock;
}

Excuse my french but that's crazy and a security issue imho.

So we won't be taking this patch, sorry!

For future patches, you should also explain why you need this change.
The commit message here makes it seem you're asking for that change
without any specific reason. That's not just against expectations but
also problematic here because this is a uapi change where we're usually
very strict.

Christian

> 
> Signed-off-by: YangHui <yanghui.def@...il.com>
> ---
>  include/uapi/linux/oom.h | 1 +
>  kernel/fork.c            | 4 ++--
>  2 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/include/uapi/linux/oom.h b/include/uapi/linux/oom.h
> index 750b1c5..0251f23 100644
> --- a/include/uapi/linux/oom.h
> +++ b/include/uapi/linux/oom.h
> @@ -8,6 +8,7 @@
>   */
>  #define OOM_SCORE_ADJ_MIN	(-1000)
>  #define OOM_SCORE_ADJ_MAX	1000
> +#define OOM_SCORE_ADJ_DEFAULT  0
>  
>  /*
>   * /proc/<pid>/oom_adj set to -17 protects from the oom killer for legacy
> diff --git a/kernel/fork.c b/kernel/fork.c
> index 4d32190..9dfa388 100644
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -1584,8 +1584,8 @@ static int copy_signal(unsigned long clone_flags, struct task_struct *tsk)
>  	tty_audit_fork(sig);
>  	sched_autogroup_fork(sig);
>  
> -	sig->oom_score_adj = current->signal->oom_score_adj;
> -	sig->oom_score_adj_min = current->signal->oom_score_adj_min;
> +	sig->oom_score_adj = OOM_SCORE_ADJ_DEFAULT;
> +	sig->oom_score_adj_min = OOM_SCORE_ADJ_MIN;
>  
>  	mutex_init(&sig->cred_guard_mutex);
>  	mutex_init(&sig->exec_update_mutex);
> -- 
> 2.7.4
> 

Powered by blists - more mailing lists