From: Jorge Merlino
Date: Sun, 18 Sep 2022 18:27:31 -0300
Subject: Re: [PATCH] Fix race condition when exec'ing setuid files
To: Kees Cook
Cc: Alexander Viro, Eric Biederman, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Valentin Schneider, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org
References: <20220910211215.140270-1-jorge.merlino@canonical.com> <202209131456.76A13BC5E4@keescook>
In-Reply-To: <202209131456.76A13BC5E4@keescook>

On 13/9/22 at 19:03, Kees Cook wrote:
> Thanks for reporting this and for having a reproducer!
>
> It looks like this is "failing safe", in the sense that the bug causes
> an exec of a setuid binary to not actually change the euid. Is that an
> accurate understanding here?

Yes, that is correct.

>> This patch sort of fixes this by setting a process flag to the parent
>> process during the time this race is possible. Thus, if a process is
>> forking, it counts an extra user of the fs_struct as the counter might be
>> incremented before the thread is visible. But this is not great as this
>> could generate the opposite problem as there may be an external process
>> sharing the fs_struct that is masked by some thread that is being counted
>> twice. I submit this patch just as an idea but mainly I want to introduce
>> this issue and see if someone comes up with a better solution.
>
> I'll want to spend some more time studying this race, but yes, it looks
> like it should get fixed. I'm curious, though, how did you find this
> problem? It seems quite unusual to have a high-load heavily threaded
> process decide to exec.

It was reported to Canonical by a customer. I don't know exactly the
circumstances where they see this problem occur in production.

Thanks
Jorge
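The race and the counting idea quoted in the thread above, modelled as an added illustration. This is not kernel code and not the patch under discussion; `FsStruct`, `Process`, `exec_is_unsafe` and the scenario functions are names assumed for this toy model. It mirrors the shape of the kernel's sharing check at setuid exec: count the visible threads that share the `fs_struct`, compare with `fs->users`, and treat the exec as unsafe (privileges not raised) when `users` exceeds the count. The first scenario shows the race failing safe, the second shows the flag covering the window, and the third reproduces the concern raised in the mail: once the new thread is already linked but the flag is still set, it is counted twice and an outside sharer of the `fs_struct` goes unnoticed.

```python
"""Toy userspace model of the fs_struct sharing check at setuid exec.

Assumed names for illustration only: FsStruct, Thread, Process and the
scenario_* functions do not exist in the kernel or in the patch.
"""
from dataclasses import dataclass, field


@dataclass
class FsStruct:
    users: int = 0          # plays the role of fs->users


@dataclass
class Thread:
    fs: FsStruct
    visible: bool = True    # linked into the thread list, so a thread walk sees it


@dataclass
class Process:
    fs: FsStruct
    threads: list = field(default_factory=list)   # other threads, not the caller
    forking: bool = False   # the patch's idea: flag set while a fork is in flight

    def clone_fs_begin(self) -> Thread:
        """First half of clone(CLONE_FS): users is bumped, thread not yet visible."""
        self.forking = True
        self.fs.users += 1
        t = Thread(self.fs, visible=False)
        self.threads.append(t)
        return t

    def clone_fs_link(self, t: Thread) -> None:
        """Second half: the new thread becomes visible to thread walks."""
        t.visible = True

    def clone_fs_end(self) -> None:
        """The fork window is closed and the flag is dropped."""
        self.forking = False


def count_visible_sharers(p: Process) -> int:
    # 1 for the exec'ing thread itself plus every other visible thread
    # that shares the same fs_struct.
    return 1 + sum(1 for t in p.threads if t.visible and t.fs is p.fs)


def exec_is_unsafe(p: Process, with_patch: bool = False) -> bool:
    """True when the fs_struct looks shared beyond the visible thread group.

    Modelled semantics: unsafe when fs->users exceeds the counted sharers,
    in which case a setuid exec does not raise privileges (fails safe).
    With the patch, a process that is mid-fork is credited one extra
    sharer for the thread that may not be visible yet.
    """
    n_fs = count_visible_sharers(p)
    if with_patch and p.forking:
        n_fs += 1
    return p.fs.users > n_fs


def new_process(nthreads: int = 1) -> Process:
    """Constructed process with nthreads threads all sharing one fs_struct."""
    fs = FsStruct(users=1)
    p = Process(fs)
    for _ in range(nthreads - 1):
        fs.users += 1
        p.threads.append(Thread(fs))
    return p


def scenario_race_without_patch() -> bool:
    """Exec lands between users++ and the new thread becoming visible."""
    p = new_process(2)
    p.clone_fs_begin()              # users = 3, but only 2 sharers are visible
    return exec_is_unsafe(p)        # True: fails safe, euid is not raised


def scenario_race_with_patch() -> bool:
    """Same window, but the forking flag credits the invisible thread."""
    p = new_process(2)
    p.clone_fs_begin()
    return exec_is_unsafe(p, with_patch=True)   # False: window is covered


def scenario_external_sharer_masked() -> tuple:
    """The concern from the mail: thread linked but flag still set.

    Returns (unpatched verdict, patched verdict). An outside process shares
    the fs_struct; the patched check counts the new thread twice and misses it.
    """
    p = new_process(2)
    p.fs.users += 1                 # an outside process sharing fs bumped users
    t = p.clone_fs_begin()
    p.clone_fs_link(t)              # visible now; forking flag not yet cleared
    return exec_is_unsafe(p), exec_is_unsafe(p, with_patch=True)


def scenario_external_sharer_after_window() -> bool:
    """Once the fork window closes, the outside sharer is detected again."""
    p = new_process(2)
    p.fs.users += 1
    t = p.clone_fs_begin()
    p.clone_fs_link(t)
    p.clone_fs_end()
    return exec_is_unsafe(p, with_patch=True)   # True: sharing is seen
```

Run the scenario functions to compare the verdicts: the unpatched check says "unsafe" during the fork window even with no outside sharer (the reported bug), the flagged check says "safe" there, and the third scenario shows the flag turning a real outside sharer into a false "safe" while the window is still open.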