Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20120311171532.GB10787@dztty>
Date: Sun, 11 Mar 2012 18:15:32 +0100
From: Djalal Harouni <tixxdz@...ndz.org>
To: Alan Cox <alan@...rguk.ukuu.org.uk>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
	linux-kernel@...r.kernel.org, kernel-hardening@...ts.openwall.com,
	Andrew Morton <akpm@...ux-foundation.org>,
	Al Viro <viro@...iv.linux.org.uk>,
	Alexey Dobriyan <adobriyan@...il.com>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Vasiliy Kulikov <segoon@...nwall.com>,
	Kees Cook <keescook@...omium.org>,
	Solar Designer <solar@...nwall.com>,
	WANG Cong <xiyou.wangcong@...il.com>,
	James Morris <james.l.morris@...cle.com>,
	Oleg Nesterov <oleg@...hat.com>,
	linux-security-module@...r.kernel.org,
	linux-fsdevel@...r.kernel.org, Greg KH <gregkh@...uxfoundation.org>,
	Ingo Molnar <mingo@...e.hu>, Stephen Wilson <wilsons@...rt.ca>,
	"Jason A. Donenfeld" <Jason@...c4.com>
Subject: Re: [PATCH 1/9] exec: add a global execve counter

On Sun, Mar 11, 2012 at 02:03:10PM +0000, Alan Cox wrote:
> > I wonder if the number part of exec_id would even have to be 64-bit. I
> > think I can do about 10000 execves per second if I make the program a
> > small static one - and that's on a fast CPU. And it's a per-thread
> > counter, so you can't scale it with lots of CPU's. So it would take
> > something like four days to wrap. Hmm..
> 
> I don't think an exec id trick works that well here. It needs to bind to
> the actual *object* being used and refcount it in the cases that matter,
> then have a proper way of ensuring we clean up references such as a list
> of objects to zap hooked to each task struct
> 
> So something like
> 
> 
> 	struct foo_node {
> 		struct list_node node;
> 		struct proc_object *ref;
> 	};
> 		
> 	ref = NULL;
> 	if (foo->ptr != NULL
> 		ref = kref_get(foo->ptr);
> 
> And in the task exit paths walk the node list doing a kref_put/NULL
Here I assume that you are talking about the target task.

Yes but proc inode which are created on the fly can also be released by
the reader before the target exits, so do we want to walk the node list
each time release is called by the reader ?

The current implementation tries to track target, but as noted in the
other thread we can just track the reader and in this case we do not need
atomic for task_struct nor for the proc_file_private, a simple u64
comparison will do the job

But perhaps what you propose is better, I'll try to think more about it.

> Add a suitable lock and it ought to be able to generically do that for
> anything you need to clobber.
> 
> You've still got a sort of race however, just as the proposed execid base
> code.  You can pass the fd and access the proc function *as* the exec
IMO the proposed patch do not suffer from this race if we do the propre
permission checks just after setting the exec_id at open, or do permission
checks and then check exec_id at read. And here I'm talking about target
tracking. If we just check reader (current) then I assume that there are no
room for races.

> occurs. Assuming your ref counting is valid and you use new objects after
> the exec that ought to just mean you get the data for the old mm struct,
> which seems fine to me. It's logically equivalent to having asked a
> microsecond before the exec rather than during it.
> 
> Alan
Thanks.

> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/

-- 
tixxdz
http://opendz.org

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.