Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp33275pxb; Wed, 22 Sep 2021 15:10:47 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw2/sSnQvhahS4TxAfAGtzAvaq89nuPXB0aKvvBI5oLpcfx1sLp32uUcaVO8zIfgCvXkwUP X-Received: by 2002:aa7:c78f:: with SMTP id n15mr1895569eds.338.1632348647350; Wed, 22 Sep 2021 15:10:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1632348647; cv=none; d=google.com; s=arc-20160816; b=rf4ZkXTkC9Uiq+rLltPCmLfgaeH2185jEsTsbNcU+Ou1B6d2zWe96h7dfeynmuBg+N z59DbYCi+qNK6pc6yn+p4+G4V7TrN6T+8Af+zCaXQBlscEEGFeFoeDK7dEuQNDUnViZ2 PzPzBZGwVJ2VD0gzYp0C1s0elCL2A5VS4iFyr2vXK24yDHdN2LX1bwtQSHV2IhG6EIDU 1uhAOzppmWp8XQfFdPHAMhjAm1FH71Mfs2guFXn6zpLEVDdOPk9uNG2Ji4o8ZSqksAEz WEaMnKO+sBkE35dm2gqXPplw/hXl2Fc3LBcf5Q9IXus31SgwLH2wyt/8tBiL7mECmoSH HxUg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=5SYXvLn3SjXAQ4MAzIaVmGx80q5ADpEHvJGRZh2fwGQ=; b=mbVOVbI9/wC+wTZXtpHQzNU/LpGq1VjeYE65BDmFVgj0jcxQmdKv2T8MZT+bhVxoFg CAI09OBm4bJoGtWbD2BbvoOeh6j3FA57jIzrClkVc6YjuwJETt/4bV32kVjw29TuGd/Y PqNiiHKU7aRfWJvMjRoTJUO0bsA5JiJiQqAdCf9QCjiUPMGHFwdlgSIgPCQm1Pt+vRsh jw06bvkAJnKXpgi+9YOCmNuemRwjM2+jgXGzwv10sz0i9YhpvkKM/6dVzvp23L0RL8pB JnkKJRFw4OsH0rr2Mb+xsdQv/9eHkNKil+EW6Gsgt9pVEhUr9NTwagrDiMYVHyBswpHC Uzfg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=fIvXEv+v; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l4si4355212ejo.650.2021.09.22.15.10.23; Wed, 22 Sep 2021 15:10:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=fIvXEv+v; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233248AbhIVWHa (ORCPT + 99 others); Wed, 22 Sep 2021 18:07:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50558 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232149AbhIVWH3 (ORCPT ); Wed, 22 Sep 2021 18:07:29 -0400 Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1FA81C061574 for ; Wed, 22 Sep 2021 15:05:59 -0700 (PDT) Received: by mail-io1-xd30.google.com with SMTP id b10so5450168ioq.9 for ; Wed, 22 Sep 2021 15:05:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5SYXvLn3SjXAQ4MAzIaVmGx80q5ADpEHvJGRZh2fwGQ=; b=fIvXEv+vCCuCjlnflfXdH0G29UFJLzYXN4CfKvUbcEasTWFWDknqa1X58g4hv1kfH+ aVup6rXSb0sh1Q8Fi4tzcDj4TljFixmarljYO8NtO4rGTUJGVNwxw3MijT1wthB+GbOU BVeDWCdfKd5PDrWg6KelnkiQ84/ANKLh93tu3AXzsxs8gyU4VfJMTInxsZ2Dwlf1jq43 0YsjmiviUbGgMWYd1sKGgQqUZQtqof4Vg7vVSWLWbltNwkxh5dHpuMqJSlXy/5mZXyBo 5ZqWW6gUqw+VBmuSKnMWS0wrcUTwKwC0WLc/iuVb+dbzXjTE/x5H1onsJxwDvkketsk7 RHdg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5SYXvLn3SjXAQ4MAzIaVmGx80q5ADpEHvJGRZh2fwGQ=; b=62NgVBVgmukf7ZqaMIZ2/HxEJ4mF8gsP1i9Y4dqJBe8owGjWmNpZjBxfuIeQ91Ryje Ejm3HALN3rv3JIKY0T/MNBS6lWnH4lPYKEDj8xJkOOe0smsrwKXzs2K6mX1eUvBJlzKU ZQlBwoa2Aeh0HGb5QzLTV3YcozxNotMIFGTOXOymsPlsEuQsAYfpFNCriewCo6C/1/Kl w0Ra79z7F6rZaLjsh2pR3L2aOiyXTVrNfWOW6OZbI2H1e4dMyOrE2e2uWYYFOMoF40Rp dWNjxs0FgMmfs6NWs8eo6l7/rHICODiGoGenXjqHjoYAbnaxP9eQcYTKCQ/ThVT+7733 s4kQ== X-Gm-Message-State: AOAM530amcAXsHXUqkuM1v4PbE5sPhu8D7Xl3F6gWbZGMd4YIFHltoyv Uo8lBjnA8RndB9pav0o0f6nJDeb0LzSyVu2Slh+xcA== X-Received: by 2002:a6b:5f08:: with SMTP id t8mr1043653iob.71.1632348358124; Wed, 22 Sep 2021 15:05:58 -0700 (PDT) MIME-Version: 1.0 References: <20210922061809.736124-1-pcc@google.com> <29f1822d-e4cd-eedb-bea8-619db1d56335@redhat.com> <20210922152250.4e7c869a@gandalf.local.home> In-Reply-To: From: Peter Collingbourne Date: Wed, 22 Sep 2021 15:05:46 -0700 Message-ID: Subject: Re: [PATCH] kernel: introduce prctl(PR_LOG_UACCESS) To: Peter Zijlstra Cc: Steven Rostedt , David Hildenbrand , Catalin Marinas , Will Deacon , Ingo Molnar , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Ben Segall , Mel Gorman , Daniel Bristot de Oliveira , Thomas Gleixner , Andy Lutomirski , Kees Cook , Andrew Morton , Masahiro Yamada , Sami Tolvanen , YiFei Zhu , Colin Ian King , Mark Rutland , Frederic Weisbecker , Viresh Kumar , Andrey Konovalov , Gabriel Krisman Bertazi , Balbir Singh , Chris Hyser , Daniel Vetter , Chris Wilson , Arnd Bergmann , Dmitry Vyukov , Christian Brauner , "Eric W. Biederman" , Alexey Gladkov , Ran Xiaokai , Xiaofeng Cao , Cyrill Gorcunov , Thomas Cedeno , Marco Elver , Alexander Potapenko , Linux Kernel Mailing List , Linux ARM , Evgenii Stepanov Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Sep 22, 2021 at 12:56 PM Peter Zijlstra wrote: > > On Wed, Sep 22, 2021 at 03:22:50PM -0400, Steven Rostedt wrote: > > On Wed, 22 Sep 2021 19:46:47 +0200 > > David Hildenbrand wrote: > > > > > > All signals except SIGKILL and SIGSTOP are masked for the interval > > > > between the prctl() and the next syscall in order to prevent handlers > > > > for intervening asynchronous signals from issuing syscalls that may > > > > cause uaccesses from the wrong syscall to be logged. > > > > > > Stupid question: can this be exploited from user space to effectively > > > disable SIGKILL for a long time ... and do we care? > > > > I first misread it too, but then caught my mistake reading it a second > > time. It says "except SIGKILL". So no, it does not disable SIGKILL. > > Disabling SIGINT might already be a giant nuisance. Letting through > SIGSTOP but not SIGCONT seems awkward. Blocking SIGTRAP seems like a bad > idea too. Blocking SIGBUS as delivered by #MC will be hillarious. I'm only blocking the signals that are already blockable from userspace via rt_sigprocmask (which prevents blocking SIGKILL and SIGSTOP, but allows blocking the others including SIGBUS, for which the man page states that the result is undefined if synchronously generated while blocked). So in terms of blocking signals I don't think this is exposing any new capabilities. Per the sigaction man page, SIGKILL and SIGSTOP can't have userspace signal handlers, so we don't need to block them in order to prevent intervening asynchronous signal handlers (nor do we want to due to the DoS potential). I would need to double check the behavior but I believe that for SIGCONT continuing the process is separate from signal delivery and unaffected by blocking (see prepare_signal in kernel/signal.c) -- so the SIGCONT will make it continue and the handler if any would be called once the syscall returns after the automatic restoration of the signal mask. Peter