Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp695605iob; Wed, 18 May 2022 10:49:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy0+ifHOBkmGXI9NmvEbF2WVwS8HXysc8Cknk6R5X10KITqqBYUzqmiQpwMS5HRuxAig5v5 X-Received: by 2002:a63:df10:0:b0:3db:8bb8:bf01 with SMTP id u16-20020a63df10000000b003db8bb8bf01mr484927pgg.163.1652896188648; Wed, 18 May 2022 10:49:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652896188; cv=none; d=google.com; s=arc-20160816; b=tACnaxVU57jw981XG+1CgcXNBy0JacBIRof9WrRApyRwWMzWf0/XmSk6p9VSle5hwr x7OZ9Ch3ehUqQANfhf2jrZiqG3zJrZawvoxsduWQcyNspGWsgVDOuJjSRNnoB05UsbeD sRsEyDXi1SOpLd6M7EkzLB+YcdI4gsArgmhHbhWah9M/ZZTHnnSvAcsH8IPsL7H1Tw7B jzlHxH4zG2bS0PR3Iawd0FuYWJ8TRkZT33Duq4dhQEqOz5H9OiJUDuN6GD0pYNbRNRkw GWlqBZORXu38e9cax0UASqK/+SLde71tzh2PwRm1PEDgt1J/k5FPNw7VgS9OWhdOSjj9 X/ow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date :dkim-signature; bh=Kl8jte0KIBVBCncWP890fh6xS73TcQ57oRReP838Wuo=; b=v35BwP1RwHAtI9aneV9ilC8rztTmziLy7OdkHyP9gTiz3J/ohVAtyocjnLGD/fTU+n A/OzfWxvNGtTs6wqCxRXZfoQNHa+bLu/rmxSmMD4jUqIvOOLzNl4KW29vZj1e9dGOmkF /gsvxew655dUCdPJ5ZxtsIMknfcyP3rJzE6iYiH6vbkKcoY+2bv5/Ij9hdsdfR2oOcMl fbR4TLnDHYuOy2R8WFoi/e+OmecpZni2Allr9R+5XFc6deNlzEO+5TfQVE4ChW04ozRJ DIim0jmz2g4tfBucHbWNjBkZkCQLLGwNEs7jskuqmvS3GWxsfdfsjYhtVSjrb3e/DCXy 6QjQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=korg header.b=sAgWV3Vl; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id d25-20020a631d19000000b00398f1f7ab55si3163332pgd.333.2022.05.18.10.49.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 18 May 2022 10:49:48 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=korg header.b=sAgWV3Vl; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id BCADE205F1E; Wed, 18 May 2022 10:46:51 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241237AbiERRqk (ORCPT + 99 others); Wed, 18 May 2022 13:46:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38836 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241271AbiERRqH (ORCPT ); Wed, 18 May 2022 13:46:07 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9798460068; Wed, 18 May 2022 10:46:05 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 8E9D8B81F31; Wed, 18 May 2022 17:46:03 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 13BB6C385A5; Wed, 18 May 2022 17:46:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linux-foundation.org; s=korg; t=1652895962; bh=RHuQvfGJad+0pY5yu6xwPWnVxtuvlO9bjRDUb1H5LiI=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=sAgWV3VlrxHOfFBNTBtOCBslOzTBkY3S4OqCsCTg+o9kqhiukopfAMkmA37kes29I jxrQyedjJrJ7oifewXYzkO5A31I5YWPwZL1OK5PgIE3Cv3opBGj38hqFCkhxi45j2S hjCnG+wSs5tauK0ydMYgyTzlJvFQcWrI7nADmsdw= Date: Wed, 18 May 2022 10:46:01 -0700 From: Andrew Morton To: Zhihao Cheng Cc: , , , , , Subject: Re: [PATCH -next] exec: Remove redundant check in do_open_execat/uselib Message-Id: <20220518104601.fc21907008231b60a0e54a8e@linux-foundation.org> In-Reply-To: <20220518081227.1278192-1-chengzhihao1@huawei.com> References: <20220518081227.1278192-1-chengzhihao1@huawei.com> X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; x86_64-redhat-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-4.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,NICE_REPLY_A,RDNS_NONE,SPF_HELO_NONE, T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 18 May 2022 16:12:27 +0800 Zhihao Cheng wrote: > There is a false positive WARNON happening in execve(2)/uselib(2) > syscalls with concurrent noexec-remount. > > execveat remount > do_open_execat(path/bin) > do_filp_open > path_openat > do_open > may_open > path_noexec() // PASS > remount(path->mnt, MS_NOEXEC) > WARNON(path_noexec(&file->f_path)) // path_noexec() checks fail You're saying this is a race condition? A concurrent remount causes this warning? > Since may_open() has already checked the same conditions, fix it by > removing 'S_ISREG' and 'path_noexec' check in do_open_execat()/uselib(2). > > ... > > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -141,16 +141,6 @@ SYSCALL_DEFINE1(uselib, const char __user *, library) > if (IS_ERR(file)) > goto out; > > - /* > - * may_open() has already checked for this, so it should be > - * impossible to trip now. But we need to be extra cautious > - * and check again at the very end too. > - */ > - error = -EACCES; > - if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) || > - path_noexec(&file->f_path))) > - goto exit; > - Maybe we should retain the `goto exit'. The remount has now occurred, so the execution attempt should be denied. If so, the comment should be updated to better explain what's happening. I guess we'd still be racy against `mount -o exec', but accidentally denying something seems less serious than accidentally permitting it.