Date: Sat, 22 Mar 2025 01:00:08 +0000
From: Al Viro
To: Christian Brauner
Cc: Kees Cook, Oleg Nesterov, jack@suse.cz, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, syzbot
Subject: Re: [syzbot] [fs?] [mm?] KCSAN: data-race in bprm_execve / copy_fs (4)
Message-ID: <20250322010008.GG2023217@ZenIV>
References: <67dc67f0.050a0220.25ae54.001f.GAE@google.com> <202503201225.92C5F5FB1@keescook> <20250321-abdecken-infomaterial-2f373f8e3b3c@brauner>
In-Reply-To: <20250321-abdecken-infomaterial-2f373f8e3b3c@brauner>

On Fri, Mar 21, 2025 at 09:45:39AM +0100, Christian Brauner wrote:
> Afaict, the only way this data race can happen is if we jump to the
> cleanup label and then reset current->fs->in_exec. If the execve was
> successful there's no one to race us with CLONE_FS obviously because we
> took down all other threads.

Not really.

1) A enters check_unsafe_execve(), sets ->in_exec to 1
2) B enters check_unsafe_execve(), sets ->in_exec to 1
3) A calls exec_binprm(), fails (bad binary)
4) A clears ->in_exec
5) C calls clone(2) with CLONE_FS and spawns D - ->in_exec is 0
6) B gets through exec_binprm(), kills A and C, but not D.
7) B clears ->in_exec, returns

Result: B and D share ->fs, B runs suid binary.

Had (5) happened prior to (2), (2) wouldn't have set ->in_exec;
had (5) happened prior to (4), clone() would've failed;
had (5) been delayed past (6), there wouldn't have been a thread to call clone().

But in the window between (4) and (6), clone() doesn't see execve() in progress and check_unsafe_execve() has already been done, so it hadn't seen the extra thread.

IOW, it really is racy. It's a counter, not a flag.
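The seven-step interleaving above, replayed in a constructed userspace model so the information loss can be seen directly. This is an added example, not code from the mail, from the kernel or from any patch in the thread. The model mirrors the outline of check_unsafe_exec() (refuse if fs->users exceeds the threads of the caller's own group, otherwise mark in_exec) and of copy_fs() for CLONE_FS (refuse with -EAGAIN while in_exec is set), but the spinlock, the thread-list walk and the binary loading are replaced by a fixed step sequence. Assumptions: A, B and C are three threads of one process and the only users of the fs_struct; D is created by clone(CLONE_FS) without CLONE_THREAD, so it is a separate process that B's de_thread() does not kill; and the "counting" variant is one reading of the closing "counter, not a flag" remark, not a description of whatever fix was eventually merged.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed userspace model of the two fs_struct fields the mail is
 * about.  NOT kernel code: locking, the thread list walk and exec_binprm()
 * are replaced by a fixed, replayable step sequence.
 */
struct fs_model {
	int  users;    /* tasks (threads or processes) sharing this fs_struct */
	int  in_exec;  /* 0/1 flag, or a count of execs in flight */
	bool counting; /* assumption: false = flag as in the reported race,
	                  true = the "counter, not a flag" alternative */
};

struct race_result {
	int clone_rc;            /* what C's clone(CLONE_FS) returned at step 5 */
	int sharers_after_exec;  /* tasks still on fs once B's exec completes */
};

/*
 * Models check_unsafe_exec().  n_fs is the number of threads in the
 * caller's own thread group that share fs, caller included.  If any other
 * task shares fs the exec is unsafe (LSM_UNSAFE_SHARE) and in_exec is
 * left alone; otherwise the exec is marked as in progress.  Returns
 * whether in_exec was taken.
 */
static bool model_check_unsafe_exec(struct fs_model *fs, int n_fs)
{
	if (fs->users > n_fs)
		return false;
	if (fs->counting)
		fs->in_exec++;
	else
		fs->in_exec = 1;
	return true;
}

/* Models copy_fs() for CLONE_FS: refuse while an exec is in progress. */
static int model_copy_fs(struct fs_model *fs)
{
	if (fs->in_exec)
		return -EAGAIN;
	fs->users++;
	return 0;
}

/*
 * Models the end of bprm_execve(), success or failure.  The flag variant
 * clears unconditionally, which is what loses the fact that another exec
 * is still in flight; the counter variant only undoes its own increment.
 */
static void model_exec_done(struct fs_model *fs, bool taken)
{
	if (fs->counting) {
		if (taken)
			fs->in_exec--;
	} else {
		fs->in_exec = 0;
	}
}

/*
 * Replays steps 1) to 7) from the mail.  A, B, C: three threads of one
 * process, the only users of fs.  D: a separate process created by C's
 * clone(CLONE_FS), which B's de_thread() does not kill.
 */
static struct race_result replay_race(bool counting)
{
	struct fs_model fs = { .users = 3, .in_exec = 0, .counting = counting };
	struct race_result r;

	bool a_taken = model_check_unsafe_exec(&fs, 3); /* 1) A marks exec */
	bool b_taken = model_check_unsafe_exec(&fs, 3); /* 2) B marks exec */
	model_exec_done(&fs, a_taken);                  /* 3,4) A fails, clears */
	r.clone_rc = model_copy_fs(&fs);                /* 5) C clones D */
	fs.users -= 2;                                  /* 6) B kills A and C */
	model_exec_done(&fs, b_taken);                  /* 7) B clears, returns */
	r.sharers_after_exec = fs.users;
	return r;
}

int main(void)
{
	struct race_result flag = replay_race(false);
	struct race_result cnt  = replay_race(true);

	printf("flag:    clone rc=%d, tasks sharing fs after B's exec=%d\n",
	       flag.clone_rc, flag.sharers_after_exec);
	printf("counter: clone rc=%d, tasks sharing fs after B's exec=%d\n",
	       cnt.clone_rc, cnt.sharers_after_exec);
	return 0;
}
```

With the flag, step 4 erases B's mark, so step 5 succeeds and two tasks (B and the freshly spawned D) share fs when B's suid exec completes. With a count, A's completion only drops the count from 2 to 1, step 5 fails with -EAGAIN, and B is alone on fs after de_thread(). The model says nothing about which fix was adopted upstream; it only shows why a single bit cannot carry two overlapping execs.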