Received: by 2002:a05:6358:489b:b0:bb:da1:e618 with SMTP id x27csp7168830rwn; Tue, 13 Sep 2022 15:16:02 -0700 (PDT) X-Google-Smtp-Source: AMsMyM4SvoCp57Dhgv2MypcjV2yaqaL3Ua6DTsmRzbQyX7yY09hD8LOi8y2bmMbO2/7vHr2guRJW X-Received: by 2002:a17:90b:4d07:b0:1ef:521c:f051 with SMTP id mw7-20020a17090b4d0700b001ef521cf051mr1421446pjb.164.1663107362568; Tue, 13 Sep 2022 15:16:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1663107362; cv=none; d=google.com; s=arc-20160816; b=ejrS0mr2dV4+F3K6L80NT+xmTLL1BXQur/dZDaOMYnwUxFUojy6kmBP6QRevEVpGsk HwtDpohCKZcFwCbR+Pu86ih4LsWYockwK8LEYt+RrdaMmcmjgvyqGr9MXr7Rt3tSYTGu Zeln1kXLRw88AmLeh/CiMlP27W0jhrqoW6Dlwn0TjsmvJCMK0NSqPiZ11Su2V5ilMBVv MFpLenlNj5mLXV8Ea9PUiLohszfIz2f29MyP1mm0iOaDsV1K2thkneZZG/IVgDqYOdNi UCg6kPZHp8BknDhuNPtv1zgLHjudSwgfsufFwc1SsvqR3OEdq132HQvQmF/NEDfewqUr Zvig== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=NYBaVLRrXbe6H9m02gqcPbG6Tfzo/qSbO9657IGVEGU=; b=zTUkpDXZkReLocd49NRIxE/Nuxp+GSyzYzSH9ScfX3jfZAp2wFcRF7cS67uRr/Mrmq Tld1/UrjPYLwFTJMBu2f3veKEf1Uk+5nZoATCwSUjaHV5U0947FEqOxyqaX5VgmfDEnw sTokvr+ujoxZxh1N4NFZ/5LC0Fjk/06ys66v3hP2C+3Zkb7eWRV9PUElCOG0CVdK/aUN 98lcDcINH5snBLHlqsoCbb5pz3OfcDewSh02ho4PPg4onk+grj0V1nYCwnkAlkQL2pJk r6b+I1jmV6yn2MkYDvCq0fSct63hPY9j3VV6bQopoYOPV5slVfKEjQILdoFHXiiyPt3J 4REg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=KuISZK38; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q12-20020a056a00084c00b005467198e522si2589256pfk.62.2022.09.13.15.15.50; Tue, 13 Sep 2022 15:16:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=KuISZK38; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229688AbiIMWDz (ORCPT + 99 others); Tue, 13 Sep 2022 18:03:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57382 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229695AbiIMWDn (ORCPT ); Tue, 13 Sep 2022 18:03:43 -0400 Received: from mail-pl1-x629.google.com (mail-pl1-x629.google.com [IPv6:2607:f8b0:4864:20::629]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 18C117436D for ; Tue, 13 Sep 2022 15:03:41 -0700 (PDT) Received: by mail-pl1-x629.google.com with SMTP id s18so7254368plr.4 for ; Tue, 13 Sep 2022 15:03:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date; bh=NYBaVLRrXbe6H9m02gqcPbG6Tfzo/qSbO9657IGVEGU=; b=KuISZK38k47UtmNXtHsh4Po1U2TsA0Mq68x0dGj6QlRcjnGjQLfIMVVq5qDWJyXQw8 WMJholrGNEk4kauKtc3e/KRRBfmQUhO7Ut2oI1J5/tlZh8/c7k61DUishzbTcQ/pIFNR PQ8v21RMBDyFDfqYoXGSelP7mhC+hP/KrYq4w= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date; bh=NYBaVLRrXbe6H9m02gqcPbG6Tfzo/qSbO9657IGVEGU=; b=iaEPvu/wpy6pstJzspy7bQywB/2JtLbd2gqFpE/qqjpQ/YF4bWVGwkOjoORl6UCuOf gSqY+ncl554LmMC0A9MKYg0E/ezUEYNGc9qPwm6xg4FZHEc4RmsRfwpm0u4XknVvG/yE w9dgDHUpY9zU8nx2mYBjPq+AIvEI0ycZnLRQEz36PVJay3DjjWhlePXjFXHMW7/Yv27a 279dag93bvNT6t0yQsM7SobhWoBAH75WOC96bHrlfx2rt3//9cDMSkV0IM+dSmw9luDM oL2YMMfD0A6gH1+TG40g55mq0J0trdwKTFnE5S+9EJb/YT4d5FAN3ULWC51cfQRNKo/Q Nh1g== X-Gm-Message-State: ACgBeo0PQFyAUwb2YskyvBa89ojilTk2Jo4jH10vQNGCGJXSoVD7/3ko AEuHwUzUlcTfjkP4a5lbynp+fg== X-Received: by 2002:a17:902:e750:b0:176:b0fb:9683 with SMTP id p16-20020a170902e75000b00176b0fb9683mr34012585plf.71.1663106620537; Tue, 13 Sep 2022 15:03:40 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id e13-20020a17090301cd00b00177f4ef7970sm9124775plh.11.2022.09.13.15.03.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 13 Sep 2022 15:03:39 -0700 (PDT) Date: Tue, 13 Sep 2022 15:03:38 -0700 From: Kees Cook To: Jorge Merlino Cc: Alexander Viro , Eric Biederman , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Daniel Bristot de Oliveira , Valentin Schneider , linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] Fix race condition when exec'ing setuid files Message-ID: <202209131456.76A13BC5E4@keescook> References: <20220910211215.140270-1-jorge.merlino@canonical.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220910211215.140270-1-jorge.merlino@canonical.com> X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Sep 10, 2022 at 06:12:14PM -0300, Jorge Merlino wrote: > This patch fixes a race condition in check_unsafe_exec when a heavily > threaded program tries to exec a setuid file. check_unsafe_exec counts the > number of threads sharing the same fs_struct and compares it to the total > number of users of the fs_struct by looking at its users counter. If there > are more users than process threads using it the setuid exec fails with > LSM_UNSAFE_SHARE. The problem is that, during the kernel_clone code > execution, the fs_struct users counter is incremented before the new thread > is added to the thread_group list. So there is a race when the counter has > been incremented but the thread is not visible to the while_each_tread loop > in check_unsafe_exec. Thanks for reporting this and for having a reproducer! It looks like this is "failing safe", in the sense that the bug causes an exec of a setuid binary to not actually change the euid. Is that an accurate understanding here? > This patch sort of fixes this by setting a process flag to the parent > process during the time this race is possible. Thus, if a process is > forking, it counts an extra user fo the fs_struct as the counter might be > incremented before the thread is visible. But this is not great as this > could generate the opposite problem as there may be an external process > sharing the fs_struct that is masked by some thread that is being counted > twice. I submit this patch just as an idea but mainly I want to introduce > this issue and see if someone comes up with a better solution. I'll want to spend some more time studying this race, but yes, it looks like it should get fixed. I'm curious, though, how did you find this problem? It seems quite unusual to have a high-load heavily threaded process decide to exec. -Kees -- Kees Cook