[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAG48ez3nYr7dj340Rk5-QbzhsFq0JTKPf2MvVJ1-oi1Zug1ftQ@mail.gmail.com>
Date: Thu, 2 Apr 2020 01:37:13 +0200
From: Jann Horn <jannh@...gle.com>
To: "Eric W. Biederman" <ebiederm@...ssion.com>, Alan Stern <stern@...land.harvard.edu>,
Andrea Parri <parri.andrea@...il.com>, Will Deacon <will@...nel.org>,
Peter Zijlstra <peterz@...radead.org>, Boqun Feng <boqun.feng@...il.com>,
Nicholas Piggin <npiggin@...il.com>, David Howells <dhowells@...hat.com>,
Jade Alglave <j.alglave@....ac.uk>, Luc Maranget <luc.maranget@...ia.fr>,
"Paul E. McKenney" <paulmck@...nel.org>, Akira Yokosawa <akiyks@...il.com>,
Daniel Lustig <dlustig@...dia.com>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>, Adam Zabrocki <pi3@....com.pl>,
kernel list <linux-kernel@...r.kernel.org>,
Kernel Hardening <kernel-hardening@...ts.openwall.com>, Oleg Nesterov <oleg@...hat.com>,
Andy Lutomirski <luto@...capital.net>, Bernd Edlinger <bernd.edlinger@...mail.de>,
Kees Cook <keescook@...omium.org>, Andrew Morton <akpm@...ux-foundation.org>,
stable <stable@...r.kernel.org>
Subject: Re: [PATCH] signal: Extend exec_id to 64bits
+memory model folks because this seems like a pretty sharp corner
On Wed, Apr 1, 2020 at 10:50 PM Eric W. Biederman <ebiederm@...ssion.com> wrote:
> Replace the 32bit exec_id with a 64bit exec_id to make it impossible
> to wrap the exec_id counter. With care an attacker can cause exec_id
> wrap and send arbitrary signals to a newly exec'd parent. This
> bypasses the signal sending checks if the parent changes their
> credentials during exec.
>
> The severity of this problem can been seen that in my limited testing
> of a 32bit exec_id it can take as little as 19s to exec 65536 times.
> Which means that it can take as little as 14 days to wrap a 32bit
> exec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7
> days. Even my slower timing is in the uptime of a typical server.
> Which means self_exec_id is simply a speed bump today, and if exec
> gets noticably faster self_exec_id won't even be a speed bump.
>
> Extending self_exec_id to 64bits introduces a problem on 32bit
> architectures where reading self_exec_id is no longer atomic and can
> take two read instructions. Which means that is is possible to hit
> a window where the read value of exec_id does not match the written
> value. So with very lucky timing after this change this still
> remains expoiltable.
>
> I have updated the update of exec_id on exec to use WRITE_ONCE
> and the read of exec_id in do_notify_parent to use READ_ONCE
> to make it clear that there is no locking between these two
> locations.
>
> Link: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl
> Fixes: 2.3.23pre2
> Cc: stable@...r.kernel.org
> Signed-off-by: "Eric W. Biederman" <ebiederm@...ssion.com>
> ---
>
> Linus would you prefer to take this patch directly or I could put it in
> a brach and send you a pull request.
>
> fs/exec.c | 2 +-
> include/linux/sched.h | 4 ++--
> kernel/signal.c | 2 +-
> 3 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index 0e46ec57fe0a..d55710a36056 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1413,7 +1413,7 @@ void setup_new_exec(struct linux_binprm * bprm)
>
> /* An exec changes our domain. We are no longer part of the thread
> group */
> - current->self_exec_id++;
> + WRITE_ONCE(current->self_exec_id, current->self_exec_id + 1);
GCC will generate code for this without complaining, but I think it'll
probably generate a tearing store on 32-bit platforms:
$ cat volatile-8.c
typedef unsigned long long u64;
static volatile u64 n;
void blah(void) {
n = n + 1;
}
$ gcc -O2 -m32 -c -o volatile-8.o volatile-8.c -Wall
$ objdump --disassemble=blah volatile-8.o
[...]
b: 8b 81 00 00 00 00 mov 0x0(%ecx),%eax
11: 8b 91 04 00 00 00 mov 0x4(%ecx),%edx
17: 83 c0 01 add $0x1,%eax
1a: 83 d2 00 adc $0x0,%edx
1d: 89 81 00 00 00 00 mov %eax,0x0(%ecx)
23: 89 91 04 00 00 00 mov %edx,0x4(%ecx)
[...]
$
You could maybe use atomic64_t to work around that? atomic64_read()
and atomic64_set() should be straightforward READ_ONCE() /
WRITE_ONCE() on 64-bit systems while compiling into something more
complicated on 32-bit.
> flush_signal_handlers(current, 0);
> }
> EXPORT_SYMBOL(setup_new_exec);
> diff --git a/include/linux/sched.h b/include/linux/sched.h
> index 04278493bf15..0323e4f0982a 100644
> --- a/include/linux/sched.h
> +++ b/include/linux/sched.h
> @@ -939,8 +939,8 @@ struct task_struct {
> struct seccomp seccomp;
>
> /* Thread group tracking: */
> - u32 parent_exec_id;
> - u32 self_exec_id;
> + u64 parent_exec_id;
> + u64 self_exec_id;
>
> /* Protection against (de-)allocation: mm, files, fs, tty, keyrings, mems_allowed, mempolicy: */
> spinlock_t alloc_lock;
> diff --git a/kernel/signal.c b/kernel/signal.c
> index 9ad8dea93dbb..5383b562df85 100644
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -1926,7 +1926,7 @@ bool do_notify_parent(struct task_struct *tsk, int sig)
> * This is only possible if parent == real_parent.
> * Check if it has changed security domain.
> */
> - if (tsk->parent_exec_id != tsk->parent->self_exec_id)
> + if (tsk->parent_exec_id != READ_ONCE(tsk->parent->self_exec_id))
> sig = SIGCHLD;
> }
>
> --
> 2.20.1
>
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
