Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp1086054pxm; Wed, 23 Feb 2022 17:46:05 -0800 (PST) X-Google-Smtp-Source: ABdhPJzOSx1zqgJa5cQQO8+GUaIoSiGD8Z1ZKc8FUk3+im0POhg0CYlpNsh4lQtjSWF+E62eO+YB X-Received: by 2002:a63:fb46:0:b0:372:a1d6:45ea with SMTP id w6-20020a63fb46000000b00372a1d645eamr477067pgj.549.1645667165248; Wed, 23 Feb 2022 17:46:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1645667165; cv=none; d=google.com; s=arc-20160816; b=sfECoOnnqHOVhzIVLVMWSsVJjsHlkhsiYUMKaY5csKasVJ8JijhgMgxocilU2X7K4l Sv8eBxygY3HcO7LUyAkUmOLkNFVe0z00zxCo3pasuYLDDGobaAL1ixqR8wf+XfVNVO1j p6EP3/KX8dMoIoYXZ2KFbnAKW0+4wcz+uK5kkZSToDjW+VJBZuEdRDZMG2yQ7tJkDROc ufoFio/17Nvwi6Ha/PVQWzQdK8bep1n4bqb2k3DxUeX+jVl2ftHxCnjnK/J7XewY5On9 2uhBR3i2pEFW0GHYc1aRr3SYhEPGshTPK9QXFgDmhfBCfUp7QRIWamGQpteDIKKRnG0q Feyg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=I3ZrLZGoDaxWbsFP1d+KF7dHhK6vrM0KU3io68wZLg8=; b=RcW23QV2bTCMlY0ocxTbc9vOGhyccGLohwR6pujVQT4XUYQs4489opSz1nQcVKLSHH jMbFUVCALKi7cY21g3M9mABrnhqy5Ho1QRaOzMwuQlvhRLI7mj1SVhWtQ9QGjI2xze6K D/x0L1d0d9TQO+MIFGueuEZ62q7GKOOm+F3LiOdq4CS9CvX8Hlt97nHXdQ1zfl2o9LDS oYoY3oqyxcTMBArdXpTuy5ZtzaN2sIkTlrvfLihxtL+8GOyj7439T1jC17kDMiWDEh67 9R0Khq99vi+8TZCzzoHoRSF9YCG5q+vLA1+bc3CrXi6hv8thOs9M0+ezj6PumEzbK1Ax ThEA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=YIaZo6IM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id mw8si1169638pjb.21.2022.02.23.17.46.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 23 Feb 2022 17:46:05 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=YIaZo6IM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id D3D0E22F976; Wed, 23 Feb 2022 17:20:53 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245160AbiBXALY (ORCPT + 99 others); Wed, 23 Feb 2022 19:11:24 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34762 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245143AbiBXALX (ORCPT ); Wed, 23 Feb 2022 19:11:23 -0500 Received: from mail-yw1-x112c.google.com (mail-yw1-x112c.google.com [IPv6:2607:f8b0:4864:20::112c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 119C05F27F; Wed, 23 Feb 2022 16:10:55 -0800 (PST) Received: by mail-yw1-x112c.google.com with SMTP id 00721157ae682-2d66f95f1d1so8435137b3.0; Wed, 23 Feb 2022 16:10:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=I3ZrLZGoDaxWbsFP1d+KF7dHhK6vrM0KU3io68wZLg8=; b=YIaZo6IMYJROX/vWqdeXYInhR0K4D3UIRkcZY1vK72JnUPrdFzkNY2hFw2BdOkI0BN xvH7KmfkVdMrFmPlFZh0ZSNIVaQKCvrE9lk6lLAtDXc9kLjSMommM+f76D2mKN8X9KWB cVCO9y9WgbrtAqpuOit2PToD4boay7BI9rOkVlzwAWe6pm6Ewc+GpJg91Y9j8m6v6EBS 1JgeTeiWl3tE0P0D1NSLaJtaX6/NZNgMZZZm7vsq7UTpeYlCrmAr+eiPalpfJaMOdQEL Rbq8OWuR/I12yABl5nLdp9n1ULvY983Xk2mcCCKCyn5nS+6MZO8DaVnEVRuzTsJTfeK/ pq1Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=I3ZrLZGoDaxWbsFP1d+KF7dHhK6vrM0KU3io68wZLg8=; b=mA8bXVSYp3vZLIfUo6ctg9+Hx3HsvEPklL1olBXFPayEulzF3Mwdyg1H/JMPEO4iwN yW5cppKcaRCNNGg4C3lWAZjOv0HHJ2uPskMWBtK6EBQRBB5fhMKVWgLMN8l4j2+Q+u5L eAhAWwMTjYkEBqWehOWONjzgwwraqdY+oJy7k8mf1JfjV+sCsyRqrlEZ2AcHj/ld/FHN 37CNhG/Az/7UySCxn9RYigOmEBR7DR537VYLRWJ3PYXxn0UJDueLP3oFqCRzQv1K0Dz4 a1tl2YXdJtMlkOg/MS1cY00aS4o77ER2wE6Z9et3bzwNrqmJGzylZpYg80n7u46XkCMT bHpA== X-Gm-Message-State: AOAM531CkNCV+3nBDpCarjvp5tl/OB7UjCqEIcscErMMVDBkSZlO+g73 rKkUuCQuAaq+wKAcX85E/d4uXHGJFRp2K4cheHs= X-Received: by 2002:a0d:f681:0:b0:2d0:a6ac:42f1 with SMTP id g123-20020a0df681000000b002d0a6ac42f1mr71656ywf.407.1645661454003; Wed, 23 Feb 2022 16:10:54 -0800 (PST) MIME-Version: 1.0 References: <20220223231752.52241-1-ppbuk5246@gmail.com> In-Reply-To: From: Yun Levi Date: Thu, 24 Feb 2022 09:10:43 +0900 Message-ID: Subject: Re: [PATCH] fs/exec.c: Avoid a race in formats To: Al Viro Cc: Kees Cook , ebiederm@xmission.com, linux-fsdevel@vger.kernel.org, Linux Kernel Mailing List Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Feb 24, 2022 at 8:59 AM Yun Levi wrote: > > On Thu, Feb 24, 2022 at 8:24 AM Al Viro wrote: > > > > On Thu, Feb 24, 2022 at 08:17:52AM +0900, Levi Yun wrote: > > > Suppose a module registers its own binfmt (custom) and formats is like: > > > > > > +---------+ +----------+ +---------+ > > > | custom | -> | format1 | -> | format2 | > > > +---------+ +----------+ +---------+ > > > > > > and try to call unregister_binfmt with custom NOT in __exit stage. > > > > Explain, please. Why would anyone do that? And how would such > > module decide when it's safe to e.g. dismantle data structures > > used by methods of that binfmt, etc.? > > Could you give more detailed example? > > I think if someone wants to control their own binfmt via "ioctl" not > on time on LOAD. > For example, someone wants to control exec (notification, > allow/disallow and etc..) > and want to enable and disable own's control exec via binfmt reg / unreg > In that situation, While the module is loaded, binfmt is still live > and can be reused by > reg/unreg to enable/disable his exec' control. > > module can decide it's safe to unload by tracing the stack and > confirming whether some tasks in the custom binfmt's function after it > unregisters its own binfmt. > > > Because it looks like papering over an inherently unsafe use of binfmt interfaces.. > > I think the above example it's quite a trick and stupid. it's quite > unsafe to use as you mention. > But, misuse allows that situation to happen without any warning. > As a robustness, I just try to avoid above situation But, > I think it's better to restrict unregister binfmt unregister only when > there is no module usage. And not only stupid exmaple, if someone loadable custom binfmt register in __init and __exit via register and unregister_binfmt, I think that situation could happen.