Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1888010ybb; Sun, 29 Mar 2020 16:17:52 -0700 (PDT) X-Google-Smtp-Source: ADFU+vtdxbRdhDi1mpxqNiFWuGq2mKC0BRMswfoV0y/A4u35SquI4CqPWUHoQqTrQUctOGXy5jEu X-Received: by 2002:a9d:6c88:: with SMTP id c8mr6850726otr.272.1585523872253; Sun, 29 Mar 2020 16:17:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585523872; cv=none; d=google.com; s=arc-20160816; b=N6CW1cfhfjGnpoPouKsE3A2A/8sD2LhuDxjiWwXgSZmXWZ80i40PdfqprdEgkKZVnn /HZUi6cZ+kBzju7w2nr17iNzoxL9qejPr49IXJFpq8LvOPOMNf6SFxXL/MnMBm4lMEy+ WDCvwGfzepQzWCbGVz4Z/9rrJMPuf7S14m0jj82TteD1QXgOFvRlDBv5GBDBDqhJc/AY YFqbx8uWjcANg6q9PPjreEfYeBL2IOkR7esOzktp2XkUIAWG5jZUAcNv/gXwFwo5DMzY DS+pvGEITw8DsYcXeFOpT40BQOdHMWKV8nF9O/dy4QaGPfIHgLC3Ti17Esr+z6BD4fG3 8Diw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=Kl5YMuDzJs4NG/vSYEC77l8Gtiw/O3eg/TM2DvabUpw=; b=P22ilBgZR/jN7P8YpbuWfk0PaXt1ghVIADFKc2sJOX64cwF2TfbdNHfmdh227MEtDY 8/czsJ+Jth5rVPS3MfEXyweB0RzlkQMnF1bfh1MeHGR1Qh51EQ1tmWj0gp5rDpEW9OHg 38BtC5Q6jnLMgANnAuVsroip0YL5bqE21ZMo+RxWheO1++i/7xSPvqu96edtT5vtJBaO Gh7I/PL06tz+dTMvFEAMedCgcTOPwmZ80xGxkXuvxMLXzlXJIz5T9wm/bk1/V6Zap5Nl nT8triL5OkQpoE2LyKFE1UiiLoUvKCDJ3SkwQrC+DKnhDM4nhNC3wUieOS1Zm2OVdF38 TXMQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=n6lc+LK1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e24si5549919otk.203.2020.03.29.16.17.39; Sun, 29 Mar 2020 16:17:52 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=n6lc+LK1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729153AbgC2WnS (ORCPT + 99 others); Sun, 29 Mar 2020 18:43:18 -0400 Received: from mail-pl1-f195.google.com ([209.85.214.195]:37266 "EHLO mail-pl1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728473AbgC2WnR (ORCPT ); Sun, 29 Mar 2020 18:43:17 -0400 Received: by mail-pl1-f195.google.com with SMTP id x1so5967475plm.4 for ; Sun, 29 Mar 2020 15:43:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=Kl5YMuDzJs4NG/vSYEC77l8Gtiw/O3eg/TM2DvabUpw=; b=n6lc+LK1FCt0gR4ZOE1QFdAxCzrUaV/yMDw66ahvhK3Ad302xoFyhH20qVDneO9BBP KXQzPPHKnvYI+ID8fIP9iXe/Y9Fp8+ppZpzepTtbO6WdC3jS+Wbf05Ini1/engjN6evw TH0DkyuMh9cqLSHwMC2mOj+WiW41pfI0e/7iQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=Kl5YMuDzJs4NG/vSYEC77l8Gtiw/O3eg/TM2DvabUpw=; b=ZnGGcPmKbFkxheZEjZDNfm9TkRfQv6RCEaNgCWj87d/sEW/dIWrLiWd8hL1WbP4wkH eiUyRfIwecEfRnU00tHD13EWYunU58/2UJ1JDkU10jlhKvhQQ2k73s42BLXKukoQ01DH tJMY1iX5glCkHP32XcsMimOCAkgL6s6kYDJ0uIrhDI9RhqgJtRL7Rk5poBCItTCnZYm0 LKFkXCrSCIXWbCscVivhm3MSO5P4vkAfJFNIXWjlC520fynRMlMzNd04+nLuVJ/GC2W5 7g6LoNF6pQXtVu9es1nE32tUtYFpmSH6M7QQIqjAwO8V9THk1Q9QMHubMFYR8LcVq7F1 FF9Q== X-Gm-Message-State: ANhLgQ1MuWYHxWKBuYynF2T4Sfj/u9kriSlIrAjFzqFxILjStbGElDGr 8sZokmtpyGgR2RB5pnzMH1YFMA== X-Received: by 2002:a17:902:6b07:: with SMTP id o7mr9615611plk.141.1585521796466; Sun, 29 Mar 2020 15:43:16 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id y207sm8898726pfb.189.2020.03.29.15.43.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 29 Mar 2020 15:43:15 -0700 (PDT) Date: Sun, 29 Mar 2020 15:43:14 -0700 From: Kees Cook To: Adam Zabrocki Cc: linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, Jann Horn , Oleg Nesterov , Andy Lutomirski , "Eric W. Biederman" , Bernd Edlinger Subject: Re: Curiosity around 'exec_id' and some problems associated with it Message-ID: <202003291528.730A329@keescook> References: <20200324215049.GA3710@pi3.com.pl> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200324215049.GA3710@pi3.com.pl> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi! Sorry, I missed this originally because it got filed into my lkml archive and not kernel-hardening, but no one actually reads lkml directly, myself included -- it's mostly a thread archive. I'll update my filters, and I've added a handful of people to CC that might be interested in looking at this too. Here's the full email, I trimmed heavily since it's very detailed: https://lore.kernel.org/lkml/20200324215049.GA3710@pi3.com.pl/ On Tue, Mar 24, 2020 at 10:50:49PM +0100, Adam Zabrocki wrote: > Some curiosities which are interesting to point out: > > 1) Linus Torvalds in 2012 suspected that such 'overflow' might be possible. > You can read more about it here: > > https://www.openwall.com/lists/kernel-hardening/2012/03/11/4 > > 2) Solar Designer in 1999(!) was aware about the problem that 'exit_signal' can > be abused. The kernel didn't protect it at all at that time. So he came up > with the idea to introduce those two counters to deal with that problem. > Originally, these counters were defined as "long long" type. However, during > the revising between September 14 and September 16, 1999 he switched from > "long long" to "int" and introduced integer wraparound handling. His patches > were merged to the kernel 2.0.39 and 2.0.40. > > 3) It is worth to read the Solar Designer's message during the discussion about > the fix for the problem CVE-2012-0056 (I'm referencing this problem later in > that write-up about "Problem II"): > > https://www.openwall.com/lists/kernel-hardening/2012/03/11/12 There was some effort made somewhat recently to get this area fixed: https://lore.kernel.org/linux-fsdevel/1474663238-22134-3-git-send-email-jann@thejh.net/ Nothing ultimately landed, but it's worth seeing if we could revitalize interest. Part of Jann's series was also related to fixing issues with cred_guard_mutex, which is getting some traction now too: https://lore.kernel.org/lkml/AM6PR03MB5170938306F22C3CF61CC573E4CD0@AM6PR03MB5170.eurprd03.prod.outlook.com/ > In short, if you hold the file descriptor open over an execve() (e.g. share it > with child) the old VM is preserved (refcounted) and might be never released. > Essentially, mother process' VM will be still in memory (and pointer to it is > valid) even if the mother process passed an execve(). > This is some kind of 'memory leak' scenario. I did a simple test where process > open /proc/self/maps file and calls clone() with CLONE_FILES flag. Next mother > 'overwrite' itself by executing SUID binary (doesn't need to be SUID), and child > was still able to use the original file descriptor - it's valid. It'd be worth exploring where the resource counting is happening for this. I haven't looked to see how much of the VM stays in kernel memory in this situation. It probably wouldn't be hard to count it against an rlimit or something. Thanks for the details! I hope someone will have time to look into this. It's a bit of a "long timeframe attack", so it's not gotta a lot of priority (obviously). :) -Kees -- Kees Cook