Message-ID: <20110801192245.GA7202@albatros>
Date: Mon, 1 Aug 2011 23:22:45 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: kernel-hardening@...ts.openwall.com
Cc: Ingo Molnar <mingo@...e.hu>,
	"Paul E. McKenney" <paul.mckenney@...aro.org>,
	Manuel Lauss <manuel.lauss@...glemail.com>,
	linux-kernel@...r.kernel.org,
	Richard Weinberger <richard@....at>,
	torvalds@...ux-foundation.org,
	Marc Zyngier <maz@...terjones.org>
Subject: Re: Re: initcall dependency problem (ns vs. threads)

On Mon, Aug 01, 2011 at 12:07 -0700, Andrew Morton wrote:
> On Mon, 1 Aug 2011 23:03:41 +0400
> Vasiliy Kulikov <segoon@...nwall.com> wrote:
>
> > > Are we talking about init_ipc_ns.ids[] here? If so, did you try
> > > initializing the three rwsems at compile-time?
> > >
> > > That's rather a nasty hack though. It'd be better to run the mystery
> > > init function before starting the threads.
> >
> > Looks like it solves the race.
>
> What patch are you talking about here?

Sorry for short sentences :) I tried the patch you've suggested -
initialize rw_mutex in the init_ipc_ns declaration. Surely, it solves
a specific race. As no kernel threads actually use shm, other fields
do not need to be initialized before do_initcall(). However, it is
a bit ugly as it divides namespace initialization code into init_ipc_ns
initialization and other namespaces. It's better to use the same code
for all namespaces (as it currently is).

> > However, I think it should be solved on
> > another level.
>
> What level?

I mean it is a bug of the _implicit_ assumption that kthreads don't use
ns related information. So, AFAICS, it can be fixed in 2 ways:

1) Move creation of kernel threads somewhere after namespace
initialization in the init chain.

2) Defer thread creation until all ns initialization is done.

> > Other bugs might be hidden with this race.
>
> What bugs?

I don't speak about specific bugs (I know only one, which is this
shm related bug), but I suppose some threads might use some ns related
information as well. At least I don't see whether it is somehow
explicitly denied currently.

Thanks,

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments