Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp2982426pxb; Tue, 13 Apr 2021 15:28:58 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxc+Q8wDQS2GbsHAvpkHQdJy1bdc7S6Fx/o1JdCSA6IUkzdL2nqLb/jIFYONBg+bxYoBtbP X-Received: by 2002:a05:6402:206d:: with SMTP id bd13mr30393484edb.38.1618352938510; Tue, 13 Apr 2021 15:28:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618352938; cv=none; d=google.com; s=arc-20160816; b=cPuY4Q7JiZhfm3GrqgupsH3JBhlToPl5mjgoQR9AIX2t74T2ZvuH1/QiJScpnLUOHh ZNtlLo84+YCnVaxjonC8BPfCQYblwKXH+Md83659LX86Tidi2yVm6FQ1jAp+b5/AsOy8 UefQiBTmm/ypv/VsEhGCY0NgoMLGw4btahKIt8JhrS/5X3GE73KoxLYtjgtVnlCJRnTT de9nFy8w2wvadaEmYD3UnEIvICfDNqhKXY0V7IVSCndEGJRq8Ds+FQhfNBx4R9vX9LKk lTP0gp/xw3XE48DfrYkcdJeVTThtGndoWcDIyK15B1NeXdEaQXDjbCGpcTYznbgSqTKv 4CqA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=JA5yN44MoVGjCwTVBfKXTdvtSRH/6Aw9uJaYVih7lKQ=; b=SWFj6C8WKWXIlJdR7Sj5gA0IXGvm9RLygKN1doN8wA/iQpt0Cd6HdwtoE/iYG71ANF mZLY0OH+XK+Db2fb970KhqtaL8WLDhUi393mrpoTJNtcbzPb/Qvnf4Gc2HdaB9zcvkuP 3j1OO2WbZgLy6cNKf30ct6zOQDwCr/tcWN/m0ZhlxhBBG73S4xKdBl/vob8IxFQM/z00 ch6Rg1Qhw0ZB+AMr3WKtoEgoTLLpYiAD+RBmGu7JkBaCCltra013MCMnmJJ42tr3Ucc0 xIoLUH8snD7+gfkayeIZ9bXgc67KzHpS3Un4DQH6jTg62FNj5bUWAgnReCsbunhhhM91 yIsA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id y8si9291625ejj.528.2021.04.13.15.28.34; Tue, 13 Apr 2021 15:28:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239549AbhDMRya (ORCPT + 99 others); Tue, 13 Apr 2021 13:54:30 -0400 Received: from mail.kernel.org ([198.145.29.99]:45858 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345824AbhDMRyW (ORCPT ); Tue, 13 Apr 2021 13:54:22 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 7B65461249; Tue, 13 Apr 2021 17:53:58 +0000 (UTC) Date: Tue, 13 Apr 2021 19:53:55 +0200 From: Christian Brauner To: Rodrigo Campos Cc: Kees Cook , Andy Lutomirski , Will Drewry , linux-kernel@vger.kernel.org, containers@lists.linux-foundation.org, Sargun Dhillon , Mauricio =?utf-8?Q?V=C3=A1squez?= Bernal , Alban Crequy , stable@vger.kernel.org Subject: Re: [PATCH 1/1] seccomp: Always "goto wait" if the list is empty Message-ID: <20210413175355.kttgdouoyiykug5i@wittgenstein> References: <20210413160151.3301-1-rodrigo@kinvolk.io> <20210413160151.3301-2-rodrigo@kinvolk.io> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20210413160151.3301-2-rodrigo@kinvolk.io> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 13, 2021 at 06:01:51PM +0200, Rodrigo Campos wrote: > It is possible for the thread with the seccomp filter attached (target) > to be waken up by an addfd message, but the list be empty. This happens > when the addfd ioctl on the other side (seccomp agent) is interrupted by > a signal such as SIGURG. In that case, the target erroneously and > prematurely returns from the syscall to userspace even though the > seccomp agent didn't ask for it. > > This happens in the following scenario: > > seccomp_notify_addfd() | seccomp_do_user_notification() > | > | err = wait_for_completion_interruptible(&n.ready); > complete(&knotif->ready); | > ret = wait_for_completion_interruptible(&kaddfd.completion); | > // interrupted | > | > mutex_lock(&filter->notify_lock); | > list_del(&kaddfd.list); | > mutex_unlock(&filter->notify_lock); | > | mutex_lock(&match->notify_lock); > | // This is false, addfd is false > | if (addfd && n.state != SECCOMP_NOTIFY_REPLIED) > | > | ret = n.val; > | err = n.error; > | flags = n.flags; > > So, the process blocked in seccomp_do_user_notification() will see a > response. As n is 0 initialized and wasn't set, it will see a 0 as > return value from the syscall. > > The seccomp agent, when retrying the interrupted syscall, will see an > ENOENT error as the notification no longer exists (it was already > answered by this bug). > > This patch fixes the issue by splitting the if in two parts: if we were > woken up and the state is not replied, we will always do a "goto wait". > And if that happens and there is an addfd element on the list, we will > add the fd before "goto wait". > > This issue is present since 5.9, when addfd was added. > > Fixes: 7cf97b1254550 > Cc: stable@vger.kernel.org # 5.9+ > Signed-off-by: Rodrigo Campos > --- So the agent will see the return value from wait_for_completion_interruptible() and know that the addfd wasn't successful and the target will notice that no addfd request has actually been added and essentially try again. Seems like a decent fix and can be backported cleanly. I assume seccomp testsuite passes. Acked-by: Christian Brauner