[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87h78pknm1.fsf@email.froward.int.ebiederm.org>
Date: Wed, 23 Feb 2022 20:24:54 -0600
From: "Eric W. Biederman" <ebiederm@...ssion.com>
To: Yun Levi <ppbuk5246@...il.com>
Cc: Al Viro <viro@...iv.linux.org.uk>,
Kees Cook <keescook@...omium.org>,
linux-fsdevel@...r.kernel.org,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] fs/exec.c: Avoid a race in formats
Yun Levi <ppbuk5246@...il.com> writes:
>> Mostly of what has been happening with binary formats lately is code
>> removal.
>>
>> So I humbly suggest the best defense against misuse by modules is to
>> simply remove "EXPORT_SYMBOL(__register_binfmt)".
>
> It could be a solution. but that means the kernel doesn't allow
> dynamic binfmt using modules too.
> I think the best safe way to remove registered binfmt is ...
>
> unregister binfmt list first ---- (1)
> synchronize_rcu_task();
> // tasklist stack-check...
> unload module.
>
> But for this, there shouldn't happen in the above situation of (1).
> If unregister_binfmt has this problem.. I think there is no way to
> unload safely for dynamic registered binfmt via module.
I took a quick look and unregistering in the module exit routine looks
safe, as set_binfmt takes a module reference, and so prevents the module
from being unloaded.
If you can find a bug with existing in-kernel code that would be
interesting. Otherwise you are making up assumptions that don't current
match the code and saying the code is bugging with respect to
assumptions that do not hold.
The code in the kernel is practical not an implementation of some
abstract that is robust for every possible use case.
Eric
Powered by blists - more mailing lists