Date: Mon, 22 Jan 2024 13:30:50 -0800
From: Kees Cook
To: Bernd Edlinger
Cc: Oleg Nesterov, Alexander Viro, Alexey Dobriyan, Andy Lutomirski, Will Drewry, Christian Brauner, Andrew Morton, Michal Hocko, Serge Hallyn, James Morris, Randy Dunlap, Suren Baghdasaryan, Yafang Shao, Helge Deller, "Eric W. Biederman", Adrian Reber, Thomas Gleixner, Jens Axboe, Alexei Starovoitov, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, tiozhang, Luis Chamberlain, "Paulo Alcantara (SUSE)", Sergey Senozhatsky, Frederic Weisbecker, YueHaibing, Paul Moore, Aleksa Sarai, Stefan Roesch, Chao Yu, xu xin, Jeff Layton, Jan Kara, David Hildenbrand, Dave Chinner, Shuah Khan, Zheng Yejian, Elena Reshetova, David Windsor, Mateusz Guzik, Ard Biesheuvel, "Joel Fernandes (Google)", "Matthew Wilcox (Oracle)", Hans Liljestrand
Subject: Re: [PATCH v14] exec: Fix dead-lock in de_thread with ptrace_attach
Message-ID: <202401221328.5E7A82C32@keescook>
References: <20240116152210.GA12342@redhat.com> <20240117163739.GA32526@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Mon, Jan 22, 2024 at 02:24:37PM +0100, Bernd Edlinger wrote:
> The main concern was when a set-suid program is executed by execve.
> Then it makes a difference if the current thread is traced before the
> execve or not. That means if the current thread is already traced,
> the decision, which credentials will be used is different than otherwise.
>
> So currently there are two possibilities, either the trace happens
> before the execve, and the suid-bit will be ignored, or the trace
> happens after the execve, but it is checked that the now potentially
> more privileged credentials allow the tracer to proceed.
>
> With this patch we will have a third possibility, that is in order
> to avoid the possible dead-lock we allow the suid-bit to take effect,
> but only if the tracer's privileges allow both to attach the current
> credentials and the new credentials. But I would only do that as
> a last resort, to avoid the possible dead-lock, and not unless a dead-lock
> is really expected to happen.

Instead of doing this special cred check (which I am worried could become
fragile -- I'd prefer all privilege checks happen in the same place and in
the same way...), could we just fail the ptrace_attach of the execve?

-- 
Kees Cook