Date: Fri, 21 Mar 2025 09:49:22 +0100
From: Christian Brauner
To: Kees Cook
Cc: Al Viro, Oleg Nesterov, jack@suse.cz, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, syzbot
Subject: Re: [syzbot] [fs?] [mm?] KCSAN: data-race in bprm_execve / copy_fs (4)
Message-ID: <20250321-languste-farbig-e68aef9f4ac8@brauner>
References: <67dc67f0.050a0220.25ae54.001f.GAE@google.com> <202503201225.92C5F5FB1@keescook> <20250321014423.GA2023217@ZenIV> <202503210019.F3C6D324@keescook>
In-Reply-To: <202503210019.F3C6D324@keescook>

On Fri, Mar 21, 2025 at 01:10:26AM -0700, Kees Cook wrote:
> On Fri, Mar 21, 2025 at 01:44:23AM +0000, Al Viro wrote:
> > On Thu, Mar 20, 2025 at 01:09:38PM -0700, Kees Cook wrote:
> >
> > > What I can imagine here is two failing execs racing a fork:
> > >
> > > A start execve
> > > B fork with CLONE_FS
> > > C start execve, reach check_unsafe_exec(), set fs->in_exec
> > > A bprm_execve() failure, clear fs->in_exec
> > > B copy_fs() increment fs->users.
> > > C bprm_execve() failure, clear fs->in_exec
> > >
> > > But I don't think this is a "real" flaw, though, since the locking is to
> > > protect a _successful_ execve from a fork (i.e. getting the user count
> > > right). A successful execve will de_thread, and I don't see any wrong
> > > counting of fs->users with regard to thread lifetime.
> > >
> > > Did I miss something in the analysis? Should we perform locking anyway,
> > > or add data race annotations, or something else?
> >
> > Umm... What if C succeeds, ending up with suid sharing ->fs?
>
> I still can't quite construct it -- fs->users is always correct, I
> think?
>
> Below would be the bad set of events, but it's wrong that "fs->users==1".
> If A and C are both running with CLONE_FS then fs->users==2. A would need to
> exit first, but it can't do that and also set fs->in_exec=0.
>
> A execve, reaches bprm_execve() failure path
> B fork with CLONE_FS, reaches copy_fs()
> C execve, reaches check_unsafe_exec()
> C takes fs->lock, counts, finds safe fs->users==1, sets in_exec=1, unlocks
> A sets fs->in_exec=0
> B takes fs->lock, sees in_exec==0, does fs->users++, unlocks
> C goes setuid, sharing fs with unpriv B
>
> Something still feels very weird, though. Does fs->in_exec not matter at
> all?

Hmm, no, it stops fs->users++ happening after it was validated to be 1.
This is a harmless data race afaict. See my other mail.
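To make the counting argument in this exchange concrete, here is an added C model that is not part of the thread and not kernel code. It keeps only the two fields the discussion turns on (fs->users and fs->in_exec) and uses simplified stand-ins for check_unsafe_exec(), copy_fs() with CLONE_FS, and the bprm_execve() failure path; the real functions take fs->lock and walk the thread group to compute n_fs, whereas the model runs the steps sequentially and takes n_fs as a parameter. It replays the A/B/C sequence quoted above and, separately, the single-owner case that fs->in_exec exists to protect. All function and struct names except fs->users and fs->in_exec are the model's own.

```c
/* Added model, not kernel code: one fs_struct shared by a group of tasks,
 * reduced to the two fields discussed in the thread. */
#include <errno.h>
#include <stdio.h>

struct fs_struct {
    int users;    /* tasks sharing this fs_struct via CLONE_FS */
    int in_exec;  /* set by check_unsafe_exec(), read by copy_fs() */
};

/* What one replay produced. */
struct replay_result {
    int exec_marked_safe;  /* 1 if check_unsafe_exec() set in_exec */
    int fork_result;       /* copy_fs() return value for B's fork */
    int users;             /* fs->users at the end of the replay */
};

/* Model of check_unsafe_exec(): n_fs is the number of the exec'ing task's
 * own threads that share fs (computed under fs->lock in the kernel; a
 * parameter here). The exec is safe only if nobody else shares fs. */
static int model_check_unsafe_exec(struct fs_struct *fs, int n_fs)
{
    if (fs->users > n_fs)
        return 0;          /* LSM_UNSAFE_SHARE: another process shares fs */
    fs->in_exec = 1;
    return 1;
}

/* Model of copy_fs() for CLONE_FS: refuse while an exec is validated and
 * in flight, otherwise take a reference. */
static int model_copy_fs(struct fs_struct *fs)
{
    if (fs->in_exec)
        return -EAGAIN;
    fs->users++;
    return 0;
}

/* Model of the bprm_execve() failure path: the unlocked store of in_exec
 * that KCSAN reports as racing with copy_fs(). */
static void model_exec_fail(struct fs_struct *fs)
{
    fs->in_exec = 0;
}

/* Replay of the quoted sequence: A and C are separate processes sharing
 * fs, so fs->users == 2 when C runs check_unsafe_exec() single-threaded
 * (n_fs == 1). */
struct replay_result replay_two_execs_one_fork(void)
{
    struct fs_struct fs = { .users = 2, .in_exec = 0 };  /* A and C */
    struct replay_result r;

    r.exec_marked_safe = model_check_unsafe_exec(&fs, 1); /* 2 > 1: unsafe */
    model_exec_fail(&fs);                 /* A clears in_exec on failure */
    r.fork_result = model_copy_fs(&fs);   /* B forks with CLONE_FS */
    r.users = fs.users;
    return r;
}

/* The case in_exec protects: one process owns fs (users == 1), its exec
 * is validated, then a CLONE_FS fork arrives; after the exec fails and
 * clears in_exec, the same fork is retried. */
struct replay_result replay_fork_during_exec(void)
{
    struct fs_struct fs = { .users = 1, .in_exec = 0 };
    struct replay_result r;

    r.exec_marked_safe = model_check_unsafe_exec(&fs, 1); /* 1 > 1 false */
    r.fork_result = model_copy_fs(&fs);   /* -EAGAIN, users stays 1 */
    model_exec_fail(&fs);                 /* exec fails, in_exec cleared */
    (void)model_copy_fs(&fs);             /* retry now succeeds, users 2 */
    r.users = fs.users;
    return r;
}

int main(void)
{
    struct replay_result r = replay_two_execs_one_fork();
    printf("quoted sequence: C marked safe=%d, B's fork=%d, fs->users=%d\n",
           r.exec_marked_safe, r.fork_result, r.users);
    r = replay_fork_during_exec();
    printf("single owner:    marked safe=%d, fork during exec=%d, fs->users=%d\n",
           r.exec_marked_safe, r.fork_result, r.users);
    return 0;
}
```

In the first replay C's check sees users == 2 against n_fs == 1 and is marked unsafe instead of setting in_exec, which is the step Kees flags as wrong in the quoted sequence ("finds safe fs->users==1"). The second replay shows the -EAGAIN that in_exec returns to a CLONE_FS fork arriving after the count was validated as 1, which is what the final reply says the flag is there to stop.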