Received: by 10.223.164.202 with SMTP id h10csp4704273wrb; Wed, 29 Nov 2017 10:26:58 -0800 (PST) X-Google-Smtp-Source: AGs4zMbYAOtbbGIxIc0s5aD+3pz5vR/HxoIDdjs/8BMzw06nHLIcG0+58ZUrRnQtnDWr6K+/DciR X-Received: by 10.98.160.193 with SMTP id p62mr3936850pfl.138.1511980018554; Wed, 29 Nov 2017 10:26:58 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511980018; cv=none; d=google.com; s=arc-20160816; b=qopuJDGK/oGVtsY6FgNQp34P81WzPpvZWbvndi19fk8xtwwHbs8eU9gQsByo8snhOv pSIF1j1mymRBn4U6VFozAc4AQX9wMuNzhiDKSsjQTcruRmXfLs6VyO6dUMZBnOtdAR3V yOVbN5wZN/sZiNDAtV5CT4njBgVv4KoJHAweTovVG3OWAxp17XsdnUfE6Onx+y+on6Ct O0v/PKNDncN2hbVvxZ/mHUKr2weQ2vYEtvhzG02OTMlS7dY2Hz30uo4HZWmkx1fiPVQH bkpn3trEhuQUnVk//v9t7ed2ZyVuttOAQEcN+TRoerHqJLMdyAw6mLvPRvAXwZWIQWEz U0jQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=bL4RH55ZVfMNhLZrRs5mVZtSNsLwWmVOPV3YGoqEysM=; b=RocESQC51oA7kYu4gwsJ1xDzN5urbqRVEM1DQpS+ONVe05yr8hIZSKFE5AD5WiHPjv cdA6xG/PQPKrk3/8kEqBWe5PiETKo0WTJdFKEIwxMrERMQQYXojJQ1HFDIYBLU5usue2 0JiM4Q6u0fbZZd1F6GcmyO7vBMnmFxjFV+ANj2LRn5d+biVcK6QAxGv0g2Saemb10Fdo SuUZJ33uT9fmZUSIZOV361dgvh2JuYH2ZCW56q70AS3Kx1/wAo89PtTb86HfpJWNf1Vb uF+QlqOFVjVyg4mr+QGZ9HaL0rej8bZeQdo3yy+z9b+G0SuxuG5vGl0WI3Vthhtqb+Rg ci+Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e10si1603882pgp.680.2017.11.29.10.26.48; Wed, 29 Nov 2017 10:26:58 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751980AbdK2SUJ (ORCPT + 69 others); Wed, 29 Nov 2017 13:20:09 -0500 Received: from h2.hallyn.com ([78.46.35.8]:45120 "EHLO h2.hallyn.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751811AbdK2SUF (ORCPT ); Wed, 29 Nov 2017 13:20:05 -0500 Received: by h2.hallyn.com (Postfix, from userid 1001) id 2D4CB120419; Wed, 29 Nov 2017 12:20:04 -0600 (CST) Date: Wed, 29 Nov 2017 12:20:04 -0600 From: "Serge E. Hallyn" To: Kees Cook Cc: Andrew Morton , Ben Hutchings , James Morris , Serge Hallyn , Andy Lutomirski , Oleg Nesterov , Jiri Slaby , linux-kernel@vger.kernel.org Subject: Re: [PATCH] exec: Avoid RLIMIT_STACK races with prlimit() Message-ID: <20171129182004.GF14545@mail.hallyn.com> References: <20171127193457.GA11348@beast> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20171127193457.GA11348@beast> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Quoting Kees Cook (keescook@chromium.org): > While the defense-in-depth RLIMIT_STACK limit on setuid processes was > protected against races from other threads calling setrlimit(), I missed > protecting it against races from external processes calling prlimit(). > This adds locking around the change and makes sure that rlim_max is set > too. > > Reported-by: Ben Hutchings > Reported-by: Brad Spengler > Fixes: 64701dee4178e ("exec: Use sane stack rlimit under secureexec") > Cc: stable@vger.kernel.org > Cc: James Morris > Cc: Serge Hallyn Acked-by: Serge Hallyn The only thing i'm wondering is in do_prlimit(): . 1480 if (new_rlim) { . 1481 if (new_rlim->rlim_cur > new_rlim->rlim_max) . 1482 return -EINVAL; that bit is done not under the lock. Does that still allow a race, if this check is done before the below block, and then the rest proceeds after? I *think* not, because later in do_prlimit() it will return -EPERM if . 1500 if (new_rlim->rlim_max > rlim->rlim_max && . 1501 !capable(CAP_SYS_RESOURCE)) Although rlim is gathered before the lock, but that is a struct * so should be ok? > Cc: Andy Lutomirski > Cc: Oleg Nesterov > Cc: Jiri Slaby > Signed-off-by: Kees Cook > --- > fs/exec.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/fs/exec.c b/fs/exec.c > index 1d6243d9f2b6..6be2aa0ab26f 100644 > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -1340,10 +1340,15 @@ void setup_new_exec(struct linux_binprm * bprm) > * avoid bad behavior from the prior rlimits. This has to > * happen before arch_pick_mmap_layout(), which examines > * RLIMIT_STACK, but after the point of no return to avoid > - * needing to clean up the change on failure. > + * races from other threads changing the limits. This also > + * must be protected from races with prlimit() calls. > */ > + task_lock(current->group_leader); > if (current->signal->rlim[RLIMIT_STACK].rlim_cur > _STK_LIM) > current->signal->rlim[RLIMIT_STACK].rlim_cur = _STK_LIM; > + if (current->signal->rlim[RLIMIT_STACK].rlim_max > _STK_LIM) > + current->signal->rlim[RLIMIT_STACK].rlim_max = _STK_LIM; > + task_unlock(current->group_leader); > } > > arch_pick_mmap_layout(current->mm); > -- > 2.7.4 > > > -- > Kees Cook > Pixel Security From 1585249206321179535@xxx Mon Nov 27 19:37:33 +0000 2017 X-GM-THRID: 1585249206321179535 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread