From: Jann Horn <jannh@google.com>
To: Andrew Morton, linux-mm@kvack.org, Eric Biederman, Oleg Nesterov
Cc: linux-kernel@vger.kernel.org, Will Deacon, Kees Cook, Ingo Molnar
Subject: [RFC PATCH 0/6] mm and ptrace: Track dumpability until task is freed
Date: Fri, 16 Oct 2020 04:40:13 +0200
Message-Id: <20201016024019.1882062-1-jannh@google.com>

At the moment, there is a lifetime issue (no, not the UAF kind) around __ptrace_may_access(): __ptrace_may_access() wants to check mm->flags and mm->user_ns to figure out whether the caller should be allowed to access some target task.
__ptrace_may_access() can be called as long as __put_task_struct() hasn't happened yet; but __put_task_struct() happens when the task is about to be freed, which is much later than exit_mm() (which happens pretty early during task exit). So we can have a situation where we need to consult the mm for a security check, but we don't have an mm anymore.

At the moment, this is solved by failing open: If the mm is gone, we pretend that it was dumpable. That's dubious from a security perspective - as one example, we drop the mm_struct before the file descriptor table, so someone might be able to steal file descriptors from an exiting task when dumpability was supposed to prevent that.

The easy fix would be to let __ptrace_may_access() instead always refuse access to tasks that have lost their mm; but then that would e.g. mean that the ability to inspect dead tasks in procfs would be restricted. So while that might work in practice, it'd be a bit ugly, too.

Another option would be to move the dumpability information elsewhere - but that would have to be the task_struct (the signal_struct can be shared with dead pre-execve threads, so we can't use it here). So we'd have to keep dumpability information in sync across threads - that'd probably be pretty ugly.

So I think the proper fix is to let the task_struct hold a reference on the mm_struct until the task goes away completely. This is implemented in patch 1/6, which is also the only patch in this series that I actually care about (and the only one with a stable backport marking); the rest of the series are some tweaks in case people dislike the idea of constantly freeing mm_structs from workqueue context. Those tweaks should also reduce the memory usage of dead tasks, by ensuring that they don't keep their PGDs alive.

Patch 1/6 is not particularly pretty, but I can't think of any better way to do it.

So: Does this series (and in particular patch 1/6) look vaguely sane? And if not, does anyone have a better approach?
Jann Horn (6):
  ptrace: Keep mm around after exit_mm() for __ptrace_may_access()
  refcount: Move refcount_t definition into linux/types.h
  mm: Add refcount for preserving mm_struct without pgd
  mm, oom: Use mm_ref()/mm_unref() and avoid mmdrop_async()
  ptrace: Use mm_ref() for ->exit_mm
  mm: remove now-unused mmdrop_async()

 arch/x86/kernel/tboot.c    |  2 +
 drivers/firmware/efi/efi.c |  2 +
 include/linux/mm_types.h   | 15 ++++++-
 include/linux/refcount.h   | 13 +-----
 include/linux/sched.h      |  8 ++++
 include/linux/sched/mm.h   | 13 ++++++
 include/linux/types.h      | 12 +++++
 kernel/exit.c              |  2 +
 kernel/fork.c              | 90 +++++++++++++++++---------------
 kernel/ptrace.c            | 10 +++++
 mm/init-mm.c               |  2 +
 mm/oom_kill.c              |  2 +-
 12 files changed, 105 insertions(+), 66 deletions(-)

base-commit: bbf5c979011a099af5dc76498918ed7df445635b
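The window the cover letter describes, modelled in user space as an added example (this is not code from the series or from the kernel): a non-dumpable task runs exit_mm() early, and the dumpability half of __ptrace_may_access() is asked about it before the final put of the task_struct. With today's behaviour the mm is already gone and the check answers "allowed" (fail open); with the task_struct keeping a reference in an ->exit_mm field, as patch 1/6 does, the check can still read the dumpability bits and answers "denied", and the mm_struct is freed at the final put rather than leaked. The struct and function names loosely mirror the kernel's; the SUID_DUMP_* and MMF_DUMPABLE_MASK values match the kernel's definitions, while mm_alloc(), the keep_mm_after_exit toggle and the probe helper are invented for this model, and the capability-based override of the real check is left out.

```c
/* User-space model of the lifetime problem in the cover letter (added example,
 * not kernel code). Names loosely mirror the kernel's; SUID_DUMP_* and
 * MMF_DUMPABLE_MASK use the kernel's values, the rest is invented for the model. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MMF_DUMPABLE_MASK 0x3UL
#define SUID_DUMP_DISABLE 0 /* e.g. a setuid task: not dumpable, not ptraceable */
#define SUID_DUMP_USER    1 /* ordinary task: dumpable */

struct mm_struct {
    int mm_count;        /* references to the mm_struct itself; freed at zero */
    unsigned long flags; /* low bits hold the dumpability setting */
};

struct task_struct {
    struct mm_struct *mm;      /* cleared by exit_mm(), early during task exit */
    struct mm_struct *exit_mm; /* patch 1/6 modelled: reference kept until the task is freed */
    bool keep_mm_after_exit;   /* false = current behaviour, true = proposed behaviour */
};

static int mm_allocs, mm_frees; /* leak accounting for the model */

static struct mm_struct *mm_alloc(int dumpable)
{
    struct mm_struct *mm = calloc(1, sizeof *mm);
    if (!mm)
        abort();
    mm->mm_count = 1;
    mm->flags = (unsigned long)dumpable & MMF_DUMPABLE_MASK;
    mm_allocs++;
    return mm;
}

static void mmdrop(struct mm_struct *mm)
{
    if (--mm->mm_count == 0) {
        free(mm);
        mm_frees++;
    }
}

/* Early in exit the task gives up its mm. Today the reference is dropped right
 * here; with the fix, ownership moves to ->exit_mm instead. */
static void exit_mm(struct task_struct *t)
{
    struct mm_struct *mm = t->mm;
    t->mm = NULL;
    if (t->keep_mm_after_exit)
        t->exit_mm = mm;
    else
        mmdrop(mm);
}

/* Final put of the task: only now is ->exit_mm released. */
static void put_task_struct(struct task_struct *t)
{
    if (t->exit_mm)
        mmdrop(t->exit_mm);
    free(t);
}

/* Dumpability half of __ptrace_may_access() (capability override omitted):
 * true means access is allowed. The !mm branch is today's fail-open path. */
static bool ptrace_may_access_dumpable(const struct task_struct *t)
{
    const struct mm_struct *mm = t->mm ? t->mm : t->exit_mm;
    if (!mm)
        return true; /* mm already gone: pretend it was dumpable */
    return (mm->flags & MMF_DUMPABLE_MASK) == SUID_DUMP_USER;
}

/* Scenario: a non-dumpable task is past exit_mm() but not yet freed, i.e. the
 * window the cover letter describes. Returns what the check answers there. */
static bool check_in_exit_window(bool keep_mm_after_exit)
{
    struct task_struct *t = calloc(1, sizeof *t);
    bool allowed;
    if (!t)
        abort();
    t->keep_mm_after_exit = keep_mm_after_exit;
    t->mm = mm_alloc(SUID_DUMP_DISABLE);
    exit_mm(t);
    allowed = ptrace_may_access_dumpable(t); /* probe inside the window */
    put_task_struct(t);
    return allowed;
}

static int mm_outstanding(void) /* mm_structs never freed; must be 0 */
{
    return mm_allocs - mm_frees;
}

int main(void)
{
    printf("today: access to non-dumpable exiting task allowed? %d\n", check_in_exit_window(false));
    printf("fixed: access to non-dumpable exiting task allowed? %d\n", check_in_exit_window(true));
    printf("leaked mm_structs: %d\n", mm_outstanding());
    return 0;
}
```

The point of keeping the reference in the task_struct rather than the signal_struct is visible in the model: ->exit_mm is per task, so nothing has to be kept in sync across threads, and the only cost is that the mm_struct lives until put_task_struct() instead of exit_mm().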