Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp6639856ybi; Wed, 29 May 2019 10:41:40 -0700 (PDT) X-Google-Smtp-Source: APXvYqzBgF39e8G6brgV9twJIfJcflmh9/gdRXb4OnHogZpn5U7XexjikXNTzkzzljR30FCm9vJX X-Received: by 2002:a17:902:e40f:: with SMTP id ci15mr145908270plb.280.1559151700115; Wed, 29 May 2019 10:41:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559151700; cv=none; d=google.com; s=arc-20160816; b=SUqXD2cwe/up5vzeTvNWiwjoGfBajrdWKoRNx6fC0vCnFXSL203smLUrDq3UvfSIcK 0cCcScEmfauSyxy7Ohr6Ty14pgttB+AaEFOXwM9iiRfRhQQKbNVHtGphpSuAb4g0ceB1 qkFYO0MW1KUnkv1zu/f/FHxIgXH6PuCVvYlOWue0dj5NfEGFvBSUKZEf5ZPozgFCBmtu E+LmGSl5xC6mteOaqskH7hLZBmlmAgNlGs/s9neU9GRJHN7c995HJavqSHsTpVBjkfE1 XJLy4Uh0Dy3ZASYQu8TR5XbrwftC0GJyjLSpRrMej/vFTKJSzAPTD0ENh2MI/ErF2Qqd TIzA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=IL4grA2grC2uD2MfsPerYcOwRmk1qvHxFt7EjFCcCxc=; b=A9tH7XA3tHfMHfonuIiQr+dOqULtkO+nO633i93qfszOnnqwdkNIX+d/geLQoMybM+ 33UCcAlzbwYhmB8CSWdPwe3MWawlWL+crs93MuCspZy5usM5BDx1oEdrDC8Bgm7cNXu+ rHaRcCc+Bq6uRg/4vLTiicuqJj9+DEgJi8vQ4p/pjW3Ms/RbK9apMRLQij1rzjNOekze zRlR1LeL0i6j6Obi7WvwdjouPghBkf95p5J+QVCcVfDizQXCUlWq2gHNjpD7bP69iq8I +LUKN/+ezzRp5JQ8jBcCw3TZ72TFq3V6Uxf83wjS1gsfR/2pejBSpY21DsWmImB0sYbn jW6g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=tHGziVnt; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 140si279365pfy.113.2019.05.29.10.41.23; Wed, 29 May 2019 10:41:40 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=tHGziVnt; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726704AbfE2RjO (ORCPT + 99 others); Wed, 29 May 2019 13:39:14 -0400 Received: from mail-ot1-f67.google.com ([209.85.210.67]:42864 "EHLO mail-ot1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725917AbfE2RjN (ORCPT ); Wed, 29 May 2019 13:39:13 -0400 Received: by mail-ot1-f67.google.com with SMTP id i2so1900762otr.9 for ; Wed, 29 May 2019 10:39:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=IL4grA2grC2uD2MfsPerYcOwRmk1qvHxFt7EjFCcCxc=; b=tHGziVntBwpAQvesQSGMXd8IKkFGQjWxP+Dn9UOMwzhbP/AVEkhN8tw3umvRN8A958 qSHHs/dfYiTJiQ1jFQitSoEL2PHMUu4SkoRna6duQMtzWo6uPgYvTFGYLedmNJdLZ7uf 6Fa/iBfaDY5ao60UglXngp0s4H2j5F9sU9eE6hXgU2aZB6sgRI6SpWLGJlBetbts4eyz 8RpklQ3CnMElqKY+tVQTfCf/0C5SdI8k96NspSpqeGgNqxh0f31jAF+Dpv5zSzk1yOKU 6M/3rNKaQ8ugfn2NkMWje1icUz80AhSlgh+SSI80hApjbFJ9+TntCNVTLDFaX6o2bJ1m z01Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=IL4grA2grC2uD2MfsPerYcOwRmk1qvHxFt7EjFCcCxc=; b=iR/Ju4Y6wPL8h2MaGDtm5T4shuA/G1mBRJJo6SknmSA+S60kYqvLzuQNZuqP7bWxpg IWjDFG55fius4OTTG6B+tbEKhYUaNrNqGwOE9zAp7FleYAZMiAenwafil4fLPe0ydu3T 2tSysw4629OKpJ+J2Xwyg9v6BOR9iwdqjZCf19r4dcVHvROfo6SEll7Vwp7LNhYKlGgX yHu9pj12bW24VcESxFdgASqTEKEhvgDm0fbE1YbEUxJz+/Qbef6rerja5w9UG5KbZlTQ ur7+96m78cYd0XOOLkn3/a9ge338ecFaivuECE8AYOdHN3LU6KXspEeRuqcmqkZ1BCUv LoXQ== X-Gm-Message-State: APjAAAWW2J8mf5QDUcUzldOPtmCzDCUF7fB0wy3WmSL6neXzyz7DJYcr E3u9nve0mQ3sp6GQqjXLsT0CFSCzVNREHpQ8UdY3KA9U2GA= X-Received: by 2002:a9d:7f8b:: with SMTP id t11mr16179otp.110.1559151552707; Wed, 29 May 2019 10:39:12 -0700 (PDT) MIME-Version: 1.0 References: <20190529113157.227380-1-jannh@google.com> <20190529162120.GB27659@redhat.com> In-Reply-To: <20190529162120.GB27659@redhat.com> From: Jann Horn Date: Wed, 29 May 2019 19:38:46 +0200 Message-ID: Subject: Re: [PATCH] ptrace: restore smp_rmb() in __ptrace_may_access() To: Oleg Nesterov Cc: "Eric W . Biederman" , Andrew Morton , Kees Cook , David Howells , kernel list Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 29, 2019 at 6:21 PM Oleg Nesterov wrote: > On 05/29, Jann Horn wrote: > > (I have no clue whatsoever what the relevant tree for this is, but I > > guess Oleg is the relevant maintainer?) > > we usually route ptrace changes via -mm tree, plus I lost my account on korg. > > > --- a/kernel/ptrace.c > > +++ b/kernel/ptrace.c > > @@ -324,6 +324,16 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) > > return -EPERM; > > ok: > > rcu_read_unlock(); > > + /* > > + * If a task drops privileges and becomes nondumpable (through a syscall > > + * like setresuid()) while we are trying to access it, we must ensure > > + * that the dumpability is read after the credentials; otherwise, > > + * we may be able to attach to a task that we shouldn't be able to > > + * attach to (as if the task had dropped privileges without becoming > > + * nondumpable). > > + * Pairs with a write barrier in commit_creds(). > > + */ > > + smp_rmb(); > > (I am wondering if smp_acquire__after_ctrl_dep() could be used instead, just to > make this code look more confusing) Uuh, I had no idea that that barrier type exists. The helper isn't even explicitly mentioned in Documentation/memory-barriers.rst. I don't really want to use dark magic in the middle of ptrace access logic... Anyway, looking at it, I think smp_acquire__after_ctrl_dep() doesn't make sense here; quoting the documentation: "A load-load control dependency requires a full read memory barrier, not simply a data dependency barrier to make it work correctly". IIUC smp_acquire__after_ctrl_dep() is for cases in which you would otherwise need a full memory barrier - smp_mb() - and you want to be able to reduce it to a read barrier. > > mm = task->mm; > > while at it, could you also change this into mm = READ_ONCE(task->mm) ? I'm actually trying to get rid of the ->mm access in __ptrace_may_access() entirely by moving the dumpability and the user_ns into the signal_struct, but I don't have patches for that ready (yet).