Date: Fri, 21 Mar 2025 01:10:26 -0700
From: Kees Cook <kees@kernel.org>
To: Al Viro
Cc: Oleg Nesterov, brauner@kernel.org, jack@suse.cz, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, syzbot
Subject: Re: [syzbot] [fs?] [mm?] KCSAN: data-race in bprm_execve / copy_fs (4)
Message-ID: <202503210019.F3C6D324@keescook>
References: <67dc67f0.050a0220.25ae54.001f.GAE@google.com> <202503201225.92C5F5FB1@keescook> <20250321014423.GA2023217@ZenIV>
In-Reply-To: <20250321014423.GA2023217@ZenIV>
On Fri, Mar 21, 2025 at 01:44:23AM +0000, Al Viro wrote:
> On Thu, Mar 20, 2025 at 01:09:38PM -0700, Kees Cook wrote:
> > What I can imagine here is two failing execs racing a fork:
> >
> > A start execve
> > B fork with CLONE_FS
> > C start execve, reach check_unsafe_exec(), set fs->in_exec
> > A bprm_execve() failure, clear fs->in_exec
> > B copy_fs() increment fs->users.
> > C bprm_execve() failure, clear fs->in_exec
> >
> > But I don't think this is a "real" flaw, though, since the locking is to
> > protect a _successful_ execve from a fork (i.e. getting the user count
> > right). A successful execve will de_thread, and I don't see any wrong
> > counting of fs->users with regard to thread lifetime.
> >
> > Did I miss something in the analysis? Should we perform locking anyway,
> > or add data race annotations, or something else?
>
> Umm... What if C succeeds, ending up with suid sharing ->fs?

I still can't quite construct it -- fs->users is always correct, I think?

Below would be the bad set of events, but it's wrong that "fs->users==1".
If A and C are both running with CLONE_FS then fs->users==2. A would need
to exit first, but it can't do that and also set fs->in_exec=0.

A execve, reaches bprm_execve() failure path
B fork with CLONE_FS, reaches copy_fs()
C execve, reaches check_unsafe_exec()
C takes fs->lock, counts, finds safe fs->users==1, sets in_exec=1, unlocks
A sets fs->in_exec=0
B takes fs->lock, sees in_exec==0, does fs->users++, unlocks
C goes setuid, sharing fs with unpriv B

Something still feels very weird, though. Does fs->in_exec not matter at
all? Hmm, no, it stops fs->users++ happening after it was validated to be 1.

-- 
Kees Cook
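As an added illustration (constructed here, not kernel code and not from anyone in the thread): a toy model of the fs->users / fs->in_exec protocol as the mail describes it, replaying the listed step order from its stated users==1 premise next to the same steps without A's failure, to show what in_exec guards and what an unconditional clear of it takes away. The model_* names, the n_fs parameter and the per-step atomicity are assumptions of the model.

```c
#include <stdbool.h>
/* Constructed model of the two fs_struct fields discussed in the thread; not
 * kernel code. No spinlock: the replays run one step at a time. */
struct fs_model {
	int users;   /* tasks sharing this fs_struct */
	int in_exec; /* an exec validated `users` and wants it frozen */
};

/* check_unsafe_exec(): n_fs = caller's threads sharing fs. Sharing beyond
 * the thread group is unsafe; otherwise claim in_exec. */
static bool model_check_unsafe_exec(struct fs_model *fs, int n_fs)
{
	if (fs->users > n_fs)
		return false; /* LSM_UNSAFE_SHARE: no suid transition */
	fs->in_exec = 1;
	return true;
}

/* bprm_execve() failure path: clears in_exec without knowing who set it. */
static void model_exec_failure(struct fs_model *fs)
{
	fs->in_exec = 0;
}

/* copy_fs() for CLONE_FS: refused (-EAGAIN) while an exec holds in_exec. */
static bool model_copy_fs_clone(struct fs_model *fs)
{
	if (fs->in_exec)
		return false;
	fs->users++;
	return true;
}

/* The mail's step list from its users==1 premise: C validates, A's failure
 * clears in_exec, B's copy_fs() succeeds. True if C ends up sharing with B. */
static bool replay_listed_interleaving(void)
{
	struct fs_model fs = { .users = 1, .in_exec = 0 };
	bool c_safe = model_check_unsafe_exec(&fs, 1); /* C: sets in_exec */
	model_exec_failure(&fs);                       /* A: in_exec=0 */
	bool b_forked = model_copy_fs_clone(&fs);      /* B: users++ */
	return c_safe && b_forked && fs.users == 2 && fs.in_exec == 0;
}

/* Same steps without A's failure: in_exec still set, so B gets -EAGAIN. */
static bool replay_without_failing_exec(void)
{
	struct fs_model fs = { .users = 1, .in_exec = 0 };
	bool c_safe = model_check_unsafe_exec(&fs, 1);
	bool b_forked = model_copy_fs_clone(&fs);
	return c_safe && !b_forked && fs.users == 1 && fs.in_exec == 1;
}
```

The second replay is the behaviour the lock is meant to give; the first is the same protocol with the guard cleared from outside, which is why the model ends with users==2 after C validated users==1.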