| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 Jun 2021 13:18:07 -0500
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Jann Horn <jannh@...gle.com>
Cc: Andy Lutomirski <luto@...nel.org>, Andrei Vagin <avagin@...il.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Linux API <linux-api@...r.kernel.org>,
linux-um@...ts.infradead.org, criu@...nvz.org, avagin@...gle.com,
Andrew Morton <akpm@...ux-foundation.org>,
Anton Ivanov <anton.ivanov@...bridgegreys.com>,
Christian Brauner <christian.brauner@...ntu.com>,
Dmitry Safonov <0x7f454c46@...il.com>,
Ingo Molnar <mingo@...hat.com>, Jeff Dike <jdike@...toit.com>,
Mike Rapoport <rppt@...ux.ibm.com>,
Michael Kerrisk <mtk.manpages@...il.com>,
Oleg Nesterov <oleg@...hat.com>,
"Peter Zijlstra \(Intel\)" <peterz@...radead.org>,
Richard Weinberger <richard@....at>,
Thomas Gleixner <tglx@...utronix.de>
Subject: Re: [PATCH 2/4] arch/x86: implement the process_vm_exec syscall
Jann Horn <jannh@...gle.com> writes:
> On Mon, Jun 28, 2021 at 6:30 PM Andy Lutomirski <luto@...nel.org> wrote:
>> On Mon, Jun 28, 2021, at 9:13 AM, Jann Horn wrote:
>> > On Wed, Apr 14, 2021 at 7:59 AM Andrei Vagin <avagin@...il.com> wrote:
>> > > This change introduces the new system call:
>> > > process_vm_exec(pid_t pid, struct sigcontext *uctx, unsigned long flags,
>> > > siginfo_t * uinfo, sigset_t *sigmask, size_t sizemask)
>> > >
>> > > process_vm_exec allows to execute the current process in an address
>> > > space of another process.
>> > [...]
>> >
>> > I still think that this whole API is fundamentally the wrong approach
>> > because it tries to shoehorn multiple usecases with different
>> > requirements into a single API. But that aside:
>> >
>> > > +static void swap_mm(struct mm_struct *prev_mm, struct mm_struct *target_mm)
>> > > +{
>> > > + struct task_struct *tsk = current;
>> > > + struct mm_struct *active_mm;
>> > > +
>> > > + task_lock(tsk);
>> > > + /* Hold off tlb flush IPIs while switching mm's */
>> > > + local_irq_disable();
>> > > +
>> > > + sync_mm_rss(prev_mm);
>> > > +
>> > > + vmacache_flush(tsk);
>> > > +
>> > > + active_mm = tsk->active_mm;
>> > > + if (active_mm != target_mm) {
>> > > + mmgrab(target_mm);
>> > > + tsk->active_mm = target_mm;
>> > > + }
>> > > + tsk->mm = target_mm;
>> >
>> > I'm pretty sure you're not currently allowed to overwrite the ->mm
>> > pointer of a userspace thread. For example, zap_threads() assumes that
>> > all threads running under a process have the same ->mm. (And if you're
>> > fiddling with ->mm stuff, you should probably CC linux-mm@.)
>>
>> exec_mmap() does it, so it can’t be entirely impossible.
>
> Yeah, true, execve can do it - I guess the thing that makes that
> special is that it's running after de_thread(), so it's guaranteed to
> be single-threaded?
Even the implementation detail of swapping the mm aside. Even the idea
of swaping the mm is completely broken, as an endless system calls
depend upon the state held in task_struct. io_uring just tried running
system calls of a process in a different context and we ultimately had
to make the threads part of the original process to make enough things
work to keep the problem tractable.
System calls deeply and fundamentally depend on task_struct and
signal_struct.
I can think of two possibilities.
1) Hijack and existing process thread.
2) Inject a new thread into an existing process.
Anything else is just an exercise in trouble. Of this I think Hijacking
an existing thread is the only one that won't require lots of tracking
down of special cases. I seem to remember audit is still struggling
with how to properly audit io_uring threads.
Eric
Powered by blists - more mailing lists