| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250322185007.GI2023217@ZenIV> Date: Sat, 22 Mar 2025 18:50:07 +0000 From: Al Viro <viro@...iv.linux.org.uk> To: Oleg Nesterov <oleg@...hat.com> Cc: Christian Brauner <brauner@...nel.org>, Kees Cook <kees@...nel.org>, jack@...e.cz, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, linux-mm@...ck.org, syzkaller-bugs@...glegroups.com, syzbot <syzbot+1c486d0b62032c82a968@...kaller.appspotmail.com> Subject: Re: [syzbot] [fs?] [mm?] KCSAN: data-race in bprm_execve / copy_fs (4) On Sat, Mar 22, 2025 at 04:55:39PM +0100, Oleg Nesterov wrote: > No, check_unsafe_execve() is called with cred_guard_mutex held, > see prepare_bprm_creds() Point... > > 3) A calls exec_binprm(), fails (bad binary) > > 4) A clears ->in_exec > > So (2) can only happen after A fails and drops cred_guard_mutex. > > And this means that we just need to ensure that ->in_exec is cleared > before this mutex is dropped, no? Something like below? Probably should work, but I wonder if it would be cleaner to have ->in_exec replaced with pointer to task_struct responsible. Not "somebody with that fs_struct for ->fs is trying to do execve(), has verified that nothing outside of their threads is using this and had been holding ->signal->cred_guard_mutex ever since then", but "this is the thread that..."
Powered by blists - more mailing lists