2012-08-02 10:36:00

by Richard Weinberger

Subject: Re: [PATCH v2] futex: mark get_robust_list as deprecated

On Fri, Mar 23, 2012 at 8:08 PM, Kees Cook <[email protected]> wrote:
> Notify get_robust_list users that the syscall is going away.
>
> Suggested-by: Thomas Gleixner <[email protected]>
> Signed-off-by: Kees Cook <[email protected]>
> ---

I'm using this system call in an application and noticed that it's marked
as deprecated now.
My application collects all kinds of information from crashing programs.
It's installed in /proc/sys/kernel/core_pattern.

If program X is crashing it executes get_robust_list(X) to get the
address of the robust list
and reads the list from /proc/X/mem.

Is there another way to get the robust list from another program (by its pid)?

--
Thanks,
//richard
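
Added example, not part of the original thread and not the poster's application: the two steps described in the mail above (get_robust_list() for the head address, then reading the list from /proc/<pid>/mem), written as a bounded walk because the list lives in the crashing program's memory. The function names are hypothetical, and the sketch assumes a 64-bit Linux system where the reader and the target share the same word size.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/futex.h>   /* struct robust_list_head, struct robust_list */
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Walk the robust list whose head is at head_addr in memfd (an open
 * /proc/<pid>/mem). Stores up to max futex-word addresses in locks[];
 * returns the entry count, or -1 on a read error or an unterminated list. */
long walk_robust_list(int memfd, uintptr_t head_addr, uintptr_t *locks, long max)
{
    struct robust_list_head head;
    struct robust_list entry;
    long n = 0;

    if (pread(memfd, &head, sizeof head, (off_t)head_addr) != (ssize_t)sizeof head)
        return -1;
    /* Bit 0 of a list pointer flags a PI futex; mask it as the kernel does. */
    uintptr_t node = (uintptr_t)head.list.next & ~(uintptr_t)1;
    while (node != head_addr) {          /* circular: ends back at the head */
        if (n >= max)                    /* the target's memory is untrusted */
            return -1;
        locks[n++] = node + head.futex_offset;
        if (pread(memfd, &entry, sizeof entry, (off_t)node) != (ssize_t)sizeof entry)
            return -1;
        node = (uintptr_t)entry.next & ~(uintptr_t)1;
    }
    return n;
}

/* Step 1: get_robust_list(pid) for the head address (the kernel applies its
 * ptrace_may_access() check). Step 2: read the list from /proc/<pid>/mem. */
long dump_robust_list(pid_t pid, uintptr_t *locks, long max)
{
    struct robust_list_head *head = NULL;
    size_t len = 0;
    char path[32];
    long n = -1;
    if (syscall(SYS_get_robust_list, pid, &head, &len) != 0) return -1;
    if (head == NULL) return 0;          /* no list registered */
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int fd = open(path, O_RDONLY);
    if (fd >= 0) { n = walk_robust_list(fd, (uintptr_t)head, locks, max); close(fd); }
    return n;
}

int main(void) { uintptr_t l[64]; return dump_robust_list(getpid(), l, 64) < 0; }
```

The robust list is per thread, so a multi-threaded target needs one call per thread ID.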


2012-08-02 11:11:58

by Eric W. Biederman

Subject: Re: [PATCH v2] futex: mark get_robust_list as deprecated

richard -rw- weinberger <[email protected]> writes:

> On Fri, Mar 23, 2012 at 8:08 PM, Kees Cook <[email protected]> wrote:
>> Notify get_robust_list users that the syscall is going away.
>>
>> Suggested-by: Thomas Gleixner <[email protected]>
>> Signed-off-by: Kees Cook <[email protected]>
>> ---
>
> I'm using this system call in an application and noticed that it's marked
> as deprecated now.
> My application collects all kinds of information from crashing programs.
> It's installed in /proc/sys/kernel/core_pattern.
>
> If program X is crashing it executes get_robust_list(X) to get the
> address of the robust list
> and reads the list from /proc/X/mem.
>
> Is there another way to get the robust list from another program (by its pid)?

The folks doing checkpoint/restart claim to not need this, so there
might be a way, either that or they just haven't hit this problem yet.

What you are doing sounds like a reasonable use of get_robust_list to me.

Eric

2012-08-03 10:17:47

by Richard Weinberger

Subject: Re: [PATCH v2] futex: mark get_robust_list as deprecated

On Thu, Aug 2, 2012 at 1:11 PM, Eric W. Biederman <[email protected]> wrote:
> richard -rw- weinberger <[email protected]> writes:
>
>> On Fri, Mar 23, 2012 at 8:08 PM, Kees Cook <[email protected]> wrote:
>>> Notify get_robust_list users that the syscall is going away.
>>>
>>> Suggested-by: Thomas Gleixner <[email protected]>
>>> Signed-off-by: Kees Cook <[email protected]>
>>> ---
>>
>> I'm using this system call in an application and noticed that it's marked
>> as deprecated now.
>> My application collects all kinds of information from crashing programs.
>> It's installed in /proc/sys/kernel/core_pattern.
>>
>> If program X is crashing it executes get_robust_list(X) to get the
>> address of the robust list
>> and reads the list from /proc/X/mem.
>>
>> Is there another way to get the robust list from another program (by its pid)?
>
> The folks doing checkpoint/restart claim to not need this, so there
> might be a way, either that or they just haven't hit this problem yet.
>
> What you are doing sounds like a reasonable use of get_robust_list to me.
>

CRIU folks, how do you deal with futex robust lists?

--
Thanks,
//richard

2012-08-03 11:02:55

by Cyrill Gorcunov

Subject: Re: [PATCH v2] futex: mark get_robust_list as deprecated

On Fri, Aug 03, 2012 at 12:17:43PM +0200, richard -rw- weinberger wrote:
> On Thu, Aug 2, 2012 at 1:11 PM, Eric W. Biederman <[email protected]> wrote:
> > richard -rw- weinberger <[email protected]> writes:
> >
> >> On Fri, Mar 23, 2012 at 8:08 PM, Kees Cook <[email protected]> wrote:
> >>> Notify get_robust_list users that the syscall is going away.
> >>>
> >>> Suggested-by: Thomas Gleixner <[email protected]>
> >>> Signed-off-by: Kees Cook <[email protected]>
> >>> ---
> >>
> >> I'm using this system call in an application and noticed that it's marked
> >> as deprecated now.
> >> My application collects all kinds of information from crashing programs.
> >> It's installed in /proc/sys/kernel/core_pattern.
> >>
> >> If program X is crashing it executes get_robust_list(X) to get the
> >> address of the robust list
> >> and reads the list from /proc/X/mem.
> >>
> >> Is there another way to get the robust list from another program (by its pid)?
> >
> > The folks doing checkpoint/restart claim to not need this, so there
> > might be a way, either that or they just haven't hit this problem yet.
> >
> > What you are doing sounds like a reasonable use of get_robust_list to me.
> >
>
> CRIU folks, how do you deal with futex robust lists?

Well, I believe we were over-optimistic in claiming that we don't need this
syscall (to be fair I think we simply have not yet faced the problem Eric points out).
So we need some way to fetch this address and set it back. If get_robust_list
gets deprecated maybe we could print it out in /proc/pid/stat or something?

Cyrill

2012-08-03 11:19:29

by Richard Weinberger

Subject: Re: [PATCH v2] futex: mark get_robust_list as deprecated

On Fri, Aug 3, 2012 at 1:02 PM, Cyrill Gorcunov <[email protected]> wrote:
>> >> I'm using this system call in an application and noticed that it's marked
>> >> as deprecated now.
>> >> My application collects all kinds of information from crashing programs.
>> >> It's installed in /proc/sys/kernel/core_pattern.
>> >>
>> >> If program X is crashing it executes get_robust_list(X) to get the
>> >> address of the robust list
>> >> and reads the list from /proc/X/mem.
>> >>
>> >> Is there another way to get the robust list from another program (by its pid)?
>> >
>> > The folks doing checkpoint/restart claim to not need this, so there
>> > might be a way, either that or they just haven't hit this problem yet.
>> >
>> > What you are doing sounds like a reasonable use of get_robust_list to me.
>> >
>>
>> CRIU folks, how do you deal with futex robust lists?
>
> Well, I believe we were over-optimistic in claiming that we don't need this
> syscall (to be fair I think we simply have not yet faced the problem Eric points out).
> So we need some way to fetch this address and set it back. If get_robust_list
> gets deprecated maybe we could print it out in /proc/pid/stat or something?

Kees, you said get_robust_list() can be used to bypass ASLR.
How? What makes it worse than /proc/pid/maps?

If the robust list address itself is bad, removing get_robust_list()
and putting the
information into /proc is useless.

--
Thanks,
//richard

2012-08-03 11:27:52

by Cyrill Gorcunov

Subject: Re: [PATCH v2] futex: mark get_robust_list as deprecated

On Fri, Aug 03, 2012 at 01:19:24PM +0200, richard -rw- weinberger wrote:
> >>
> >> CRIU folks, how do you deal with futex robust lists?
> >
> > Well, I believe we were over-optimistic in claiming that we don't need this
> > syscall (to be fair I think we simply have not yet faced the problem Eric points out).
> > So we need some way to fetch this address and set it back. If get_robust_list
> > gets deprecated maybe we could print it out in /proc/pid/stat or something?
>
> Kees, you said get_robust_list() can be used to bypass ASLR.
> How? What makes it worse than /proc/pid/maps?
>
> If the robust list address itself is bad, removing get_robust_list()
> and putting the information into /proc is useless.

Look, the /proc entry might check for some CAP and not allow
a regular user to fetch this address.

Cyrill

2012-08-03 11:30:34

by Richard Weinberger

Subject: Re: [PATCH v2] futex: mark get_robust_list as deprecated

On Fri, Aug 3, 2012 at 1:27 PM, Cyrill Gorcunov <[email protected]> wrote:
> On Fri, Aug 03, 2012 at 01:19:24PM +0200, richard -rw- weinberger wrote:
>> >>
>> >> CRIU folks, how do you deal with futex robust lists?
>> >
>> > Well, I believe we were over-optimistic in claiming that we don't need this
>> > syscall (to be fair I think we simply have not yet faced the problem Eric points out).
>> > So we need some way to fetch this address and set it back. If get_robust_list
>> > gets deprecated maybe we could print it out in /proc/pid/stat or something?
>>
>> Kees, you said get_robust_list() can be used to bypass ASLR.
>> How? What makes it worse than /proc/pid/maps?
>>
>> If the robust list address itself is bad, removing get_robust_list()
>> and putting the information into /proc is useless.
>
> Look, the /proc entry might check for some CAP and not allow
> a regular user to fetch this address.

We could also add another check to get_robust_list().
It does already ptrace_may_access().

--
Thanks,
//richard

2012-08-03 11:35:45

by Cyrill Gorcunov

Subject: Re: [PATCH v2] futex: mark get_robust_list as deprecated

On Fri, Aug 03, 2012 at 01:30:31PM +0200, richard -rw- weinberger wrote:
> On Fri, Aug 3, 2012 at 1:27 PM, Cyrill Gorcunov <[email protected]> wrote:
> > On Fri, Aug 03, 2012 at 01:19:24PM +0200, richard -rw- weinberger wrote:
> >> >>
> >> >> CRIU folks, how do you deal with futex robust lists?
> >> >
> >> > Well, I believe we were over-optimistic in claiming that we don't need this
> >> > syscall (to be fair I think we simply have not yet faced the problem Eric points out).
> >> > So we need some way to fetch this address and set it back. If get_robust_list
> >> > gets deprecated maybe we could print it out in /proc/pid/stat or something?
> >>
> >> Kees, you said get_robust_list() can be used to bypass ASLR.
> >> How? What makes it worse than /proc/pid/maps?
> >>
> >> If the robust list address itself is bad, removing get_robust_list()
> >> and putting the information into /proc is useless.
> >
> > Look, the /proc entry might check for some CAP and not allow
> > a regular user to fetch this address.
>
> We could also add another check to get_robust_list().
> It does already ptrace_may_access().

Yes, and I'm definitely not against that ;) The problem is that this
syscall was marked as deprecated and if people want to drop it we
need to find a way to provide this address back for the sake of c/r.

If c/r is the only _one_ who needs this facility then providing the
address via /proc might be a worthwhile thing to do (since I can wrap
it with CONFIG_CHECKPOINT_RESTORE and a regular kernel won't see
this snippet at all).

Cyrill

2012-08-03 11:38:49

by Richard Weinberger

Subject: Re: [PATCH v2] futex: mark get_robust_list as deprecated

On Fri, Aug 3, 2012 at 1:35 PM, Cyrill Gorcunov <[email protected]> wrote:
> On Fri, Aug 03, 2012 at 01:30:31PM +0200, richard -rw- weinberger wrote:
>> On Fri, Aug 3, 2012 at 1:27 PM, Cyrill Gorcunov <[email protected]> wrote:
>> > On Fri, Aug 03, 2012 at 01:19:24PM +0200, richard -rw- weinberger wrote:
>> >> >>
>> >> >> CRIU folks, how do you deal with futex robust lists?
>> >> >
>> >> > Well, I believe we were over-optimistic in claiming that we don't need this
>> >> > syscall (to be fair I think we simply have not yet faced the problem Eric points out).
>> >> > So we need some way to fetch this address and set it back. If get_robust_list
>> >> > gets deprecated maybe we could print it out in /proc/pid/stat or something?
>> >>
>> >> Kees, you said get_robust_list() can be used to bypass ASLR.
>> >> How? What makes it worse than /proc/pid/maps?
>> >>
>> >> If the robust list address itself is bad, removing get_robust_list()
>> >> and putting the information into /proc is useless.
>> >
>> > Look, the /proc entry might check for some CAP and not allow
>> > a regular user to fetch this address.
>>
>> We could also add another check to get_robust_list().
>> It does already ptrace_may_access().
>
> Yes, and I'm definitely not against that ;) The problem is that this
> syscall was marked as deprecated and if people want to drop it we
> need to find a way to provide this address back for the sake of c/r.
>
> If c/r is the only _one_ who needs this facility then providing the
> address via /proc might be a worthwhile thing to do (since I can wrap
> it with CONFIG_CHECKPOINT_RESTORE and a regular kernel won't see
> this snippet at all).

Please see my first mail above.
c/r is not the only user. :-P

--
Thanks,
//richard

2012-08-03 12:39:37

by Pavel Emelyanov

Subject: Re: [PATCH v2] futex: mark get_robust_list as deprecated

On 08/03/2012 03:02 PM, Cyrill Gorcunov wrote:
> On Fri, Aug 03, 2012 at 12:17:43PM +0200, richard -rw- weinberger wrote:
>> On Thu, Aug 2, 2012 at 1:11 PM, Eric W. Biederman <[email protected]> wrote:
>>> richard -rw- weinberger <[email protected]> writes:
>>>
>>>> On Fri, Mar 23, 2012 at 8:08 PM, Kees Cook <[email protected]> wrote:
>>>>> Notify get_robust_list users that the syscall is going away.
>>>>>
>>>>> Suggested-by: Thomas Gleixner <[email protected]>
>>>>> Signed-off-by: Kees Cook <[email protected]>
>>>>> ---
>>>>
>>>> I'm using this system call in an application and noticed that it's marked
>>>> as deprecated now.
>>>> My application collects all kinds of information from crashing programs.
>>>> It's installed in /proc/sys/kernel/core_pattern.
>>>>
>>>> If program X is crashing it executes get_robust_list(X) to get the
>>>> address of the robust list
>>>> and reads the list from /proc/X/mem.
>>>>
>>>> Is there another way to get the robust list from another program (by its pid)?
>>>
>>> The folks doing checkpoint/restart claim to not need this, so there
>>> might be a way, either that or they just haven't hit this problem yet.
>>>
>>> What you are doing sounds like a reasonable use of get_robust_list to me.
>>>
>>
>> CRIU folks, how do you deal with futex robust lists?
>
> Well, I believe we were over-optimistic in claiming that we don't need this
> syscall (to be fair I think we simply have not yet faced the problem Eric points out).
> So we need some way to fetch this address and set it back. If get_robust_list
> gets deprecated maybe we could print it out in /proc/pid/stat or something?

I agree with Cyrill, sorry for the confusion last time. We do need some way
to get the list location. The exact API is not critical, we can work with
either of those mentioned above.

> Cyrill
> .
>

2012-08-03 12:59:06

by Eric W. Biederman

Subject: Re: [PATCH v2] futex: mark get_robust_list as deprecated

The permissions on the syscall were fixed with ptrace_may_access.

We have identified two legitimate use cases.

It looks like it is time for someone to generate the patch to remove the deprecation.

Who is up for writing and testing that patch?

Eric

2012-08-03 13:00:33

by Richard Weinberger

Subject: Re: [PATCH v2] futex: mark get_robust_list as deprecated

On Fri, Aug 3, 2012 at 2:58 PM, Eric W. Biederman <[email protected]> wrote:
> The permissions on the syscall were fixed with ptrace_may_access.
>
> We have identified two legitimate use cases.
>
> It looks like it is time for someone to generate the patch to remove the deprecation.
>
> Who is up for writing and testing that patch?

I'll send a patch.

--
Thanks,
//richard

2012-08-03 17:16:54

by Kees Cook

Subject: Re: [PATCH v2] futex: mark get_robust_list as deprecated

Right, I'm satisfied with the ptrace_may_access check that was added.
The deprecation was suggested as an additional change. I'm okay
keeping the syscall if someone actually needs it. :)

-Kees

On Fri, Aug 3, 2012 at 5:58 AM, Eric W. Biederman <[email protected]> wrote:
> The permissions on the syscall were fixed with ptrace_may_access.
>
> We have identified two legitimate use cases.
>
> It looks like it is time for someone to generate the patch to remove the deprecation.
>
> Who is up for writing and testing that patch?
>
> Eric
>



--
Kees Cook
Chrome OS Security