Date: Sat, 22 Mar 2025 11:23:21 +0100
From: Christian Brauner
To: Al Viro
Cc: Kees Cook, Oleg Nesterov, jack@suse.cz, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, syzbot
Subject: Re: [syzbot] [fs?] [mm?] KCSAN: data-race in bprm_execve / copy_fs (4)
Message-ID: <20250322-nettigkeiten-weitreichend-fa9e8ee6875b@brauner>
References: <67dc67f0.050a0220.25ae54.001f.GAE@google.com> <202503201225.92C5F5FB1@keescook> <20250321-abdecken-infomaterial-2f373f8e3b3c@brauner> <20250322010008.GG2023217@ZenIV>
In-Reply-To: <20250322010008.GG2023217@ZenIV>

On Sat, Mar 22, 2025 at 01:00:08AM +0000, Al Viro wrote:
> On Fri, Mar 21, 2025 at 09:45:39AM +0100, Christian Brauner wrote:
>
> > Afaict, the only way this data race can happen is if we jump to the
> > cleanup label and then reset current->fs->in_exec. If the execve was
> > successful there's no one to race us with CLONE_FS obviously because we
> > took down all other threads.
>
> Not really.
>
> 1) A enters check_unsafe_execve(), sets ->in_exec to 1
> 2) B enters check_unsafe_execve(), sets ->in_exec to 1
> 3) A calls exec_binprm(), fails (bad binary)
> 4) A clears ->in_exec
> 5) C calls clone(2) with CLONE_FS and spawns D - ->in_exec is 0
> 6) B gets through exec_binprm(), kills A and C, but not D.
> 7) B clears ->in_exec, returns
>
> Result: B and D share ->fs, B runs suid binary.
>
> Had (5) happened prior to (2), (2) wouldn't have set ->in_exec;
> had (5) happened prior to (4), clone() would've failed; had
> (5) been delayed past (6), there wouldn't have been a thread
> to call clone().
>
> But in the window between (4) and (6), clone() doesn't see
> execve() in progress and check_unsafe_execve() has already
> been done, so it hadn't seen the extra thread.

Eewww, you're right. That's ugly as hell.
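A toy replay of the interleaving Al lays out, added here as an illustration and not code from the kernel or from anyone in this thread. The struct, the task counts, the seven-step sequence and the "counted" variant of ->in_exec are all assumptions of the model: the counter is only there to show what information a single boolean throws away at step 4, and is not a patch proposed or adopted anywhere on this page.

```c
#include <stdbool.h>
#include <stdio.h>

#define EAGAIN 11

/* Toy model of the two fs_struct fields the race is about. Constructed for
 * this illustration; the field names mirror the kernel's, nothing else does. */
struct fs_struct {
	int users;    /* tasks sharing this fs_struct */
	int in_exec;  /* set by check_unsafe_execve(), cleared when the exec ends */
};

/* Modelled check_unsafe_execve(): if every user of fs is in the caller's
 * thread group (users == n_fs) the exec is treated as safe and fs is marked
 * in_exec; otherwise the exec would carry LSM_UNSAFE_SHARE instead.
 * count_execs selects the hypothetical counted variant (an assumption). */
static bool check_unsafe_execve(struct fs_struct *fs, int n_fs, bool count_execs)
{
	if (fs->users > n_fs)
		return false;
	if (count_execs)
		fs->in_exec++;
	else
		fs->in_exec = 1;
	return true;
}

/* What a task does to the flag on leaving execve(), success or failure. */
static void exec_finished(struct fs_struct *fs, bool count_execs)
{
	if (count_execs)
		fs->in_exec--;
	else
		fs->in_exec = 0;
}

/* Modelled copy_fs() for clone(CLONE_FS): refuse to share an fs_struct that
 * an in-flight execve() has marked, otherwise add the child as a user. */
static int copy_fs(struct fs_struct *fs)
{
	if (fs->in_exec)
		return -EAGAIN;
	fs->users++;
	return 0;
}

struct outcome {
	int clone_rc;     /* return of C's clone(CLONE_FS) at step 5 */
	int users_after;  /* fs->users once B's exec has killed A and C */
	bool fs_shared;   /* B's new (suid) image still shares fs with someone */
};

/* Replay steps 1-7 from the message above. A, B and C start as one thread
 * group sharing one fs_struct, so users == n_fs == 3 for both checks. */
static struct outcome replay(bool count_execs)
{
	struct fs_struct fs = { .users = 3, .in_exec = 0 };
	const int n_fs = 3;
	struct outcome out = { 0 };

	check_unsafe_execve(&fs, n_fs, count_execs); /* 1) A marks fs */
	check_unsafe_execve(&fs, n_fs, count_execs); /* 2) B marks fs */
	/* 3) A's exec_binprm() fails on a bad binary */
	exec_finished(&fs, count_execs);            /* 4) A clears ->in_exec */
	out.clone_rc = copy_fs(&fs);                /* 5) C: clone(CLONE_FS) -> D */
	fs.users -= 2;                              /* 6) B succeeds, kills A and C */
	exec_finished(&fs, count_execs);            /* 7) B clears ->in_exec */

	out.users_after = fs.users;
	out.fs_shared = fs.users > 1;
	return out;
}

int main(void)
{
	struct outcome plain = replay(false), counted = replay(true);

	printf("boolean in_exec: clone rc=%d users=%d shared=%d\n",
	       plain.clone_rc, plain.users_after, plain.fs_shared);
	printf("counted in_exec: clone rc=%d users=%d shared=%d\n",
	       counted.clone_rc, counted.users_after, counted.fs_shared);
	return 0;
}
```

With the boolean, step 4 erases B's mark, C's clone at step 5 succeeds and B ends up with fs->users == 2 after its suid exec, exactly the "B and D share ->fs" result. With the counter, step 4 only drops the count from 2 to 1, step 5 gets -EAGAIN, and B finishes as the sole user. The counter is just the model's way of making the window visible; the kernel's actual serialization of who sets and clears the flag is a separate matter this thread has not yet settled.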