Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp202406yba; Sat, 30 Mar 2019 19:36:59 -0700 (PDT) X-Google-Smtp-Source: APXvYqxwSradFimN4EBooJbe3Bzr54nyQJF9kSIhtOI9CLsOY6rxwu2JV3nQiDGkHiB91mFm5ZEB X-Received: by 2002:a17:902:7d81:: with SMTP id a1mr50177381plm.202.1553999819687; Sat, 30 Mar 2019 19:36:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553999819; cv=none; d=google.com; s=arc-20160816; b=HWpzdFJ6emgTY/zYVs239LC16SH+L8gcm6RAigBfBRA5QYRE7ViIXmbrihzJSk+IKL I/5LMcOXKaAgUZXXvTIF9UNvMJ5qgoM+Cvtz+d1ba+mb1BOUT3X45XxVm1JYfzUjI399 Ee6LyKJnYzGeaE5+7sxUTx4urQt1DqJp4GFe5TaHSxhc0rZixusU+Ia5Pqk0XPlzBHnz p6hcKTyrR3x4P9otmkvEg4Y/RWsUVu+lcY8N4/o5MxXslJrvQ4CRdqF3OTNlV0rudTmy 4C44TNtzVmcNIrZvEsdpr5D5aYkchvrkiXa3IXp7HAax4TrnlGgLuywTIBLtZ4WAokCI q6wQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=XlMJg4yWnpLZFMd4RJOv7kwwDZAwp1zKNiaOdaLll+E=; b=MCDf5Jhmd4eeSgHIC3YcBLXubX9Z5SQnuL9VAbTLbyyWC2J6sMmb3Hc9/J+1enhbpM T4RYWzUSKITH6i0dFQpDYbraEbgpFRAdK0Fz20STTEQpRAWFMDYV1e51/GHCCZ++eVI/ rS9ptTH2Z/LaZ+cT8kXxhxguu+O8Zb6h39X6mm/6DJcVaq0z5cOPyvhy7b3EhiONzA4q ZmWR+Hizy2XnwdjGhcuoOQZEf90Yb3c/tgkE+IzhXEdjKaCW3hYGaCJHF+urakmBJ12H +A6C0/SEsfhcVgSg6Ut9dtcv3/FJSb02h/YpSNI9yBII+CoXU8yv04F4PP+YXLgxRsCE 2Q1A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=lMGtnVyH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g5si5561021plt.77.2019.03.30.19.36.42; Sat, 30 Mar 2019 19:36:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=lMGtnVyH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731083AbfCaCfZ (ORCPT + 99 others); Sat, 30 Mar 2019 22:35:25 -0400 Received: from mail-oi1-f193.google.com ([209.85.167.193]:45705 "EHLO mail-oi1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730061AbfCaCfZ (ORCPT ); Sat, 30 Mar 2019 22:35:25 -0400 Received: by mail-oi1-f193.google.com with SMTP id y84so4598580oia.12 for ; Sat, 30 Mar 2019 19:35:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XlMJg4yWnpLZFMd4RJOv7kwwDZAwp1zKNiaOdaLll+E=; b=lMGtnVyHrRJMnsz0kWbg3+dRaRE8wZ7N0nWFFfAoJdE4JGHcK01QX+fu/7vPo5DC30 68qJgS64pLys3QUaKf5Lu9ZR01iQ8pNdLpgfB3fFFSC567Zi0mPkZF0NAsqZzd1KlrQb LqtkEf9Ct+bzMLNUlY13uVKJ/yp0qlqshdxtxYlnSY8IbXxcjpZ/JTgIFpNF38S3undD 0hCogXcaOQKd6pghv1YLzatLgWCmj46aIsoCkjQRrWO21L8yrIVWZU0kwWEsCLgxI0+3 ZR/6YUDX77GCz8Cxfb8KKSSTurpY4HfgNnDapZNGupbnQ+VOM2nE+z2d9wsDYM07KvIS ooGw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XlMJg4yWnpLZFMd4RJOv7kwwDZAwp1zKNiaOdaLll+E=; b=Nol4kd6W6ZUzrT8J7PiZtB3nsTNncBAS/YU4X5zxMTNrjE75anLojonhsL2VAQ8k96 u5Y4hurZJucNsV+2kiU2mnP8uCztvVOlbdJtnsXUeO4TuqdKulqpztEwVpQL/U0BG/xD o4ccydvatJPyM0l/J/vIujSLn8t1awMy9EaNBdb1+jBg6+mlHuy4GDp8ruXbBcYe5WsV fqaPvbQhABKa/j0pvO1DG2nVbTT93HwhAwe3nX8mEP+oQ2n71ifzw49fGgQo3zvr8ESN 8jPpZgp4OTJtzNXzrzeeX6mpz2O7l+PqyJ5HimhsAu9rBFgkmRIA4S+SzNipcICgdzr9 bmRQ== X-Gm-Message-State: APjAAAW6bkFHTzXHe7H+5XuWWTzm+MwPcGHp8HsAOpj94JyfcQEnzJTp nUXisd+w/QyLkpLhhbJfte5qCxzpGAUc5zDaaW6o2g== X-Received: by 2002:aca:e4cc:: with SMTP id b195mr8790357oih.39.1553999724637; Sat, 30 Mar 2019 19:35:24 -0700 (PDT) MIME-Version: 1.0 References: <20190329155425.26059-1-christian@brauner.io> <20190331010716.GA189578@google.com> In-Reply-To: <20190331010716.GA189578@google.com> From: Jann Horn Date: Sun, 31 Mar 2019 04:34:57 +0200 Message-ID: Subject: Re: [PATCH v2 0/5] pid: add pidfd_open() To: Joel Fernandes Cc: Linus Torvalds , Daniel Colascione , Christian Brauner , Andrew Lutomirski , David Howells , "Serge E. Hallyn" , Linux API , Linux List Kernel Mailing , Arnd Bergmann , "Eric W. Biederman" , Konstantin Khlebnikov , Kees Cook , Alexey Dobriyan , Thomas Gleixner , Michael Kerrisk-manpages , Jonathan Kowalski , "Dmitry V. Levin" , Andrew Morton , Oleg Nesterov , Nagarathnam Muthusamy , Aleksa Sarai , Al Viro Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Mar 31, 2019 at 3:07 AM Joel Fernandes wrote: > As I said I don't really care about "pidfd" solving any racing issues with > /proc//* accesses - because I still find it hard to imagine that the pid > number can be reused easily from the time you know which to deal with, > to the time when you want to read, say, the /proc//status file. There have been several Android security bugs related to PID reuse. > I am yet > to see any real data to show that such overflow happens - you literally need > 32k process deaths and forks in such a short time frame This seems very inaccurate to me. The time frame in which the PID has to wrap around is not the time between process death and use of the PID. It is the time between *the creation* of the old process and the use of the PID. Consider the following sequence of events: - process A starts with PID 1000 - some time passes in which some process repeatedly forks, with PIDs wrapping around to 999 - process B starts an attempt to access process A (using PID 1000) - process A dies - process C spawns with PID 1000 - process B accidentally accesses process C Also, it's probably worth clarifying that here, "processes" means "threads". If there are a lot of active processes, that reduces the number of times you have to clone() to get the PID to wrap around. > and on 64-bit, that > number is really high Which number is really high on 64-bit? Checking on a walleye phone, pid_max is still only 32768: walleye:/ # cat /proc/sys/kernel/pid_max 32768 walleye:/ # > that its not even an issue. And if this is really an > issue, then you can just open a handle to /proc/ at process creation > time and keep it around. If the is reused, you can still use openat(2) > on that handle without any races. But not if you want to implement something like killall in a race-free way, for example.