From patchwork Mon Jan 15 19:22:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bernd Edlinger X-Patchwork-Id: 13520101 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1356BC3DA79 for ; Mon, 15 Jan 2024 19:21:33 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 9BF976B009D; Mon, 15 Jan 2024 14:21:32 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 96F816B009E; Mon, 15 Jan 2024 14:21:32 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 7C2446B009F; Mon, 15 Jan 2024 14:21:32 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com [216.40.44.16]) by kanga.kvack.org (Postfix) with ESMTP id 693956B009D for ; Mon, 15 Jan 2024 14:21:32 -0500 (EST) Received: from smtpin11.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay01.hostedemail.com (Postfix) with ESMTP id 396001C1195 for ; Mon, 15 Jan 2024 19:21:32 +0000 (UTC) X-FDA: 81682514424.11.C68CCE5 Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05olkn2031.outbound.protection.outlook.com [40.92.89.31]) by imf09.hostedemail.com (Postfix) with ESMTP id 2BEF314002A for ; Mon, 15 Jan 2024 19:21:28 +0000 (UTC) Authentication-Results: imf09.hostedemail.com; dkim=none; spf=pass (imf09.hostedemail.com: domain of bernd.edlinger@hotmail.de designates 40.92.89.31 as permitted sender) smtp.mailfrom=bernd.edlinger@hotmail.de; arc=pass ("microsoft.com:s=arcselector9901:i=1"); dmarc=pass (policy=none) header.from=hotmail.de ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1705346489; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=mIX4vE3hSEcCkyBbrMWuCzGw0KZY3qkncd3yvXta8vM=; b=xHPbVfzKXu61t4UU/GZmQ8g5rRzCCALCR9NPKNdygkS2YLfAV/irDYM5/8rUVvupsbrTcu ZyKYxMth9pp4SFHJNKNdmkuZgwu5n17QMdfG9DzMoKJ3SawvrqfWsFHUILLbGuBATCfhPl 9b1NXeW8QZiPNtbTuDzZkO3RE5NKxAA= ARC-Authentication-Results: i=2; imf09.hostedemail.com; dkim=none; spf=pass (imf09.hostedemail.com: domain of bernd.edlinger@hotmail.de designates 40.92.89.31 as permitted sender) smtp.mailfrom=bernd.edlinger@hotmail.de; arc=pass ("microsoft.com:s=arcselector9901:i=1"); dmarc=pass (policy=none) header.from=hotmail.de ARC-Seal: i=2; s=arc-20220608; d=hostedemail.com; t=1705346489; a=rsa-sha256; cv=pass; b=EDEDds/yRHnbLxIyK/2pZr6nNfP3zNPPNNV0crxWNdOzsyghOUMpd/yeZgOZnOmT7Y+bwa p/NM9ICIJ1Gls3TnZqYYyTRgiXshpI46bBGI7Lr/RprNmldW4cW6TcfudbHV6/GZ0ax7s3 DNGjg8GKRCmLqfpMl+bPVNtQTHpha40= ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=lSZigkXvBmhPoMRjW2s+LCFvmaZ5Vc8m260hzc87rlhDLfA2pGtFFHcfmHU+7Rihctpm9vJgLHBo8q7fjCc3Lx4VBiU+uITHlbENKvNvTLNtQxRlPkW7KlMBFSuEs3DN76U7eS+TbsIWZqtE0vdtV5id5GOwyC3+8Qdxd3oGADTZerBnkb42eLWvr8u3Hwby/LwgZpWvFqVMGzppLdEusk9NcR1tkFSIFfL2Iv2aXSWVg1IFwO3tpOS9pAEA/reQm0vOh9pk+sEkguVt6HMU2Saz0jKDjRSG3taEO0gHghkPjpxe32KkvKXsxGBBI1AhHRqwjHcT4+XW7xd9cWe96g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=mIX4vE3hSEcCkyBbrMWuCzGw0KZY3qkncd3yvXta8vM=; b=D6rWqtLQ9gUqHv8CE59RS6qLomAE4zYzFgN3YK0eckId5sD2Ya48y/amO7psFNWy7oZb71zo/xDfGVIMFeJCD99sptnNAJRTmPz5fjYVdNsWnSt9PIt4shZoDzMgByU4Nb0U3SmdGsVgFU9tFtwutEWbrh7o8Cuuh+O+BMGvrW050cUXSmL06PFaqqKvbdZW7T2NLF+6zpsxiOSoHq6PBngSk1U7BKV+cPsiCblNvrx0ch0FmmvK9gV/9TMzjJa3VYDhge1sh1Hdygje4fAlbvsn0bkRAHE8wf5axP2GQbsf1H8yBQpF3FAIYWgkCKf9r/XvQwmYqbxLFpEq1u+u4A== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none Received: from AS8P193MB1285.EURP193.PROD.OUTLOOK.COM (2603:10a6:20b:333::21) by AM0P193MB0769.EURP193.PROD.OUTLOOK.COM (2603:10a6:20b:16d::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7181.23; Mon, 15 Jan 2024 19:21:25 +0000 Received: from AS8P193MB1285.EURP193.PROD.OUTLOOK.COM ([fe80::897e:cfd5:b29b:c611]) by AS8P193MB1285.EURP193.PROD.OUTLOOK.COM ([fe80::897e:cfd5:b29b:c611%6]) with mapi id 15.20.7181.019; Mon, 15 Jan 2024 19:21:24 +0000 Message-ID: Date: Mon, 15 Jan 2024 20:22:19 +0100 User-Agent: Mozilla Thunderbird From: Bernd Edlinger Subject: [PATCH v14] exec: Fix dead-lock in de_thread with ptrace_attach To: Alexander Viro , Alexey Dobriyan , Oleg Nesterov , Kees Cook , Andy Lutomirski , Will Drewry , Christian Brauner , Andrew Morton , Michal Hocko , Serge Hallyn , James Morris , Randy Dunlap , Suren Baghdasaryan , Yafang Shao , Helge Deller , "Eric W. Biederman" , Adrian Reber , Thomas Gleixner , Jens Axboe , Alexei Starovoitov , "linux-fsdevel@vger.kernel.org" , "linux-kernel@vger.kernel.org" , linux-kselftest@vger.kernel.org, linux-mm@kvack.org, tiozhang , Luis Chamberlain , "Paulo Alcantara (SUSE)" , Sergey Senozhatsky , Frederic Weisbecker , YueHaibing , Paul Moore , Aleksa Sarai , Stefan Roesch , Chao Yu , xu xin , Jeff Layton , Jan Kara , David Hildenbrand , Dave Chinner , Shuah Khan , Zheng Yejian , Alexey Dobriyan , Jens Axboe , Paul Moore , Elena Reshetova , David Windsor , Mateusz Guzik , YueHaibing , Ard Biesheuvel , "Joel Fernandes (Google)" , "Matthew Wilcox (Oracle)" , Hans Liljestrand , tiozhang References: Content-Language: en-US In-Reply-To: X-TMN: [qPgpiNw4aTVk08czLSgjxjV3rZs+jr4OtE5nm5xzNtCiQ0nRDn88asflsy1Ba3tb] X-ClientProxiedBy: FR3P281CA0205.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:a5::17) To AS8P193MB1285.EURP193.PROD.OUTLOOK.COM (2603:10a6:20b:333::21) X-Microsoft-Original-Message-ID: <61ad3ab4-398e-47f7-9f0d-bfaeed82c3f5@hotmail.de> MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AS8P193MB1285:EE_|AM0P193MB0769:EE_ X-MS-Office365-Filtering-Correlation-Id: ed83c9cb-790c-4083-1b3b-08dc15ff2987 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: YWKr2sPCnNFt8y72rAn9WZdvOnV1WfwTCfiImQucVPGcyCnvb6ol9Uquhnilv+iGmk1JFuA1LeQI1uxk/gCqWqF3+xQQDpgPAWks+ja8g47LMUxr+oHZl+HxHW2NoVNjEuz0xcUDs5RE+RY0rkgzwjz9Hh9CR7g5lwK9lIHJAOiO09pTmOyN1Qdz39w3HRc2d58F0mqRkl4oJwEfM4iocd0+QUHzbHfqSzwAfkl3yEZOWVOYzBVtmvVVWq8YAh8kEQnPsOae7IzK5U6fHRt1wfRsFPwo5j/Lo8eQtsNzCJ8iBI5vTADv82RNSS6VyBKMJb+PmFJAFnMzSlYPdMNKA+ocwF9tJiGyvRYPmu2OF9XgN0Dl55brNnuhGFsMq8ECz1FBN2s8luAZINNdy/DoNmPGnqrQUwg3wrOEfRnN0plBBpDqS4iC/tvrNuOOpORUoKwFa6a4M1CZIXj2hM9A+dT0na1AvrBX9euaAhhumQPl5uFXlrIsbpe7meoUQxybxzyZGYyYaZVzqc1Z8a/6oqnHfm/5+ACox56OWOUGeC4AxJm6IueH6a7KF6oh1Yr10RKIeMNfA2wTm3Y+3RMo+qN83vb8MOJALuFxbEXs1UY= X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?q?v/ucekTLNxjyVvgjXamJlsPpDGb5?= =?utf-8?q?IHLVlsCrMpNe+SP5WJISmwOi5ybspKWS7gGlfmLQLPwQxEN9uPuUoE9+NSfLnlYLE?= =?utf-8?q?vqWJ2SKJ0ZlRMrgVFlmAOn8FIb/iY5QMd0NuMwRgr69gYn9ZszM3zvm8MyRFuK5pu?= =?utf-8?q?GJfnZX/ss8biRXAxzT+md4fcKWkri2fGfdMI/EKqDmdgjvej+VNkIT/O0Ovm9OJG1?= =?utf-8?q?PgH8XgX2p31grwTqspfdEdKacDo2KdOkpDe++I6YYMsbmdU/2kqA5p2x+GJ3V5umh?= =?utf-8?q?3Cn8pJbkgg/h7pqEwoKospTg5OeqJucpdR8U1Ks3oVkGxMnXAJxBj3Nr0thiP4uqs?= =?utf-8?q?VQddaoxFJSCnuNRqd8D3JFMxv3LLzLwRGhr0RYU0dnbTqF/q8temFNrbevQNLW/VP?= =?utf-8?q?Lk202vtugco20k4vJl3zOVE9qv+gq1ZpMm8285rtJWosRDJxPuq/ZZ0p0p0wSPvsC?= =?utf-8?q?varDmjXtRVcVT06yq9qOpei6go6FnbX4+rCfZndYfWVqvtbg2Fp3sNkYb34csjqSq?= =?utf-8?q?3MZ6twsLzdOv7fmrB4fNH1UXR5AqCco/OGnpKethSNz5ZuxzvD3Bc0aS/Az5REnh9?= =?utf-8?q?l9IivFvQN3dZ0Rozchy9G8YjmXHbDE4KjMrdl5YDa1b3Wq5fapnp4q9QGxvomx/Rj?= =?utf-8?q?BE5lA8KbMMXqkCNOgTwZBw5y2LfIcDzrAxozHGzdfzRM6awL4NHezlBDqx3ffihHj?= =?utf-8?q?VJdsTA5d7BUoPGBWwSGT2CHDnR8QAhuakL23uTZ7x2RmdPqBMg1IL5aNtDBRCxinS?= =?utf-8?q?P5tYBMTqnqUVwW8BXj3kTqrBYIvtDbYl9oEgk0BJje6wXFGUOuHwtU2UqfIQqmXIP?= =?utf-8?q?kcap4bU0bXF7ErgU855dFEeBqNyq8PweytLwUYQCqEisZQ+2XrNEA8V5PFe3WADoJ?= =?utf-8?q?okymHbSIOekHhapUe0AfBemiEm0Qlwz7embMktuH0C1QZQsEwFrPBVCLtod+olqel?= =?utf-8?q?yIOPCHXhGWuegQ0/4foUYFCzgyK3KcvDoespDMNEp+U3DQzU76Xg7rJ8BPX48lBgK?= =?utf-8?q?HLbrA2gjN72qJnN8TNQBOq5Cme9hwAlP7vnliywNZuIEj1KQnUq2TYaAs7bmSipXK?= =?utf-8?q?0g3lFtXI9/v/Qv+1ShgrXdqRUm3ZGLuarh1BNIHCibiRf6sXrINOw6K+1+wnk1WAO?= =?utf-8?q?CaIc1gE+JDQMgxpuSxvfHbG+pG0TDOzbdxvh3zz0fY0ZY0kMcCQDOzBIVf2P1kKze?= =?utf-8?q?vlc2iNHt1xhPJWD3E9MS9hTgqt5Uce7/F/eAd9T4ui1sQkcZu5P4tQxXeLoQ=3D?= X-OriginatorOrg: sct-15-20-4755-11-msonline-outlook-80ceb.templateTenant X-MS-Exchange-CrossTenant-Network-Message-Id: ed83c9cb-790c-4083-1b3b-08dc15ff2987 X-MS-Exchange-CrossTenant-AuthSource: AS8P193MB1285.EURP193.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 Jan 2024 19:21:24.0892 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000 X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0P193MB0769 X-Rspamd-Queue-Id: 2BEF314002A X-Rspam-User: X-Stat-Signature: oci7qfwe7gy1spcs6edyoyz44gdy8wgx X-Rspamd-Server: rspam01 X-HE-Tag: 1705346488-978820 X-HE-Meta: U2FsdGVkX1/P7sstL3juLJ6BZIEZ+DpAGpo71NDU7l8cBEnzr1VFbXS6X1nKwH1puvL5ZC1tI+u4/w95nWyogMTVv544kLlkS1KxtB/QuQRNcJxirov0NBAZZf7XtJyooqETGZcO5bDySxu17nvFJq8U3AXCXUQFqyl0JKWYTBwDGTqFPIQoLwabfuxbkCeerO2vrWhJfoR1vCYM0Gdg80vxMMH1g7A5HqXRroAAHKxmMpL+3UHdrPsiHZmND3jyJQYEQaBo/BES92YBGmNCebHWXJmkfAAxZyqW/EcaPCaaRT5UMVy1SkHpP2mrKGYZDt3/B4awpyW2gOMTousLuNTdWf5QTWSGL4BavPsUCemAjjUH5xtquF8z5tttKCYsnHgLSTYtdKGN6oM2IFy+NzUNjg9pJ9vTv0WoseirE+fYyvauXMoDfYXXKHDQGFUgylAEsxgLQuvPi0Fk40lrBS5KlVUE0zsJUGwrr9LkQ0hN0pYBSsD4cwHwl3GbqnZPnJ7IueyGvqXQZvz+Et2VkNAkaunaZIGRkrr7Daclc2OarRyDYrrDAIwt2aqirfTTEbj5er27y+UVx7hQa9E71GcU9Njk8NNCnqjcneaXYK78DjVlMrv7s2Sg+hvIzMQ3M0Xl15c6bQ+cqInZzmRZDaEblMs0H6iklnlnuLGuVgcpE44XibnkzUkUavPXWVGq9t7c2iQlpCnbM/YGjbNNvefagOFNt/EWDMbyNpMBhQK00F3i7ZTJIEljEalVzRqMiflCfyxAuvFIEgS8k6I2/MDU09NY1oLYZSew75iVC/bV5E+v9whhlzZyHlZMWOYNNQdX3dYGqDxROkp6zNTdyXL6alA8ceFH/TGXfhg9ayajg6DSNpn1DqzaSmeGXI7sJdLi2YXPRzffJszxQqR59hdNcwoDAcKM173U25A78zMn9ZKQ9NnGp3NliDRkM+av0eA0UJinAg1O7J3TxMI KjyFZ8cA Ht38jFNpzdrR22x1m8XeUSkBUoYK+9eX99Qz6QtK6zF0WI2uf1JRHWmpWxOq+Oq2SYHjnEHSt1uJIDm+SKCuFdLtFmayMGvPQoVD/C9mXc/aDHyLD9g7r+uRll7pGi6K3+XsPyHrrBo0Sdfvi6drXWEThsEfJJOb7T16I2TsQ27iLCSZM4ZqVQ6fawtpxTyV0n3hI3nQXxY7koqLP3o6rXFUKU35hfbIcF7OaIts+JCyq9yR1bkDt2Z0sJre9QRdQlUZgW1QEQPV9dS+Y+6XGA8B7ccv6l1ZZ/pTsxUPYs4y/xi/O/+zztVTS70nMip+EaiG5+R1NYfEscXjFsPJXW4SMeGv1o5rudKPzbU9HPr9KD1+7zv1XjRel8OkBZjIPjyNrqzqHPFnIrPbobCrG7FuITAVuHoYA36LkxKDAQYaqThntazuSaj9ti4r9yJSDFKlit9IynCAlupLQyjfsmWg10Xa83H9jbRPjPJ8EFrn1ijTYWP52IqwHicJN5VvnT2jIZpnHHuAY4Axlw759//ywlGzZAIqdWW9dkjgzRRlSFVj4HLszp0tQ0HcOBLnK2mwAHsugXb8wOuo19gPqy10kFnRySLYQRkzU X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: This introduces signal->exec_bprm, which is used to fix the case when at least one of the sibling threads is traced, and therefore the trace process may dead-lock in ptrace_attach, but de_thread will need to wait for the tracer to continue execution. The problem happens when a tracer tries to ptrace_attach to a multi-threaded process, that does an execve in one of the threads at the same time, without doing that in a forked sub-process. That means: There is a race condition, when one or more of the threads are already ptraced, but the thread that invoked the execve is not yet traced. Now in this case the execve locks the cred_guard_mutex and waits for de_thread to complete. But that waits for the traced sibling threads to exit, and those have to wait for the tracer to receive the exit signal, but the tracer cannot call wait right now, because it is waiting for the ptrace call to complete, and this never does not happen. The traced process and the tracer are now in a deadlock situation, and can only be killed by a fatal signal. The solution is to detect this situation and allow ptrace_attach to continue by temporarily releasing the cred_guard_mutex, while de_thread() is still waiting for traced zombies to be eventually released by the tracer. In the case of the thread group leader we only have to wait for the thread to become a zombie, which may also need co-operation from the tracer due to PTRACE_O_TRACEEXIT. When a tracer wants to ptrace_attach a task that already is in execve, we simply retry the ptrace_may_access check while temporarily installing the new credentials and dumpability which are about to be used after execve completes. If the ptrace_attach happens on a thread that is a sibling-thread of the thread doing execve, it is sufficient to check against the old credentials, as this thread will be waited for, before the new credentials are installed. Other threads die quickly since the cred_guard_mutex is released, but a deadly signal is already pending. In case the mutex_lock_killable misses the signal, the non-zero current->signal->exec_bprm makes sure they release the mutex immediately and return with -ERESTARTNOINTR. This means there is no API change, unlike the previous version of this patch which was discussed here: https://lore.kernel.org/lkml/b6537ae6-31b1-5c50-f32b-8b8332ace882@hotmail.de/ See tools/testing/selftests/ptrace/vmaccess.c for a test case that gets fixed by this change. Note that since the test case was originally designed to test the ptrace_attach returning an error in this situation, the test expectation needed to be adjusted, to allow the API to succeed at the first attempt. Signed-off-by: Bernd Edlinger --- fs/exec.c | 69 ++++++++++++++++------- fs/proc/base.c | 6 ++ include/linux/cred.h | 1 + include/linux/sched/signal.h | 18 ++++++ kernel/cred.c | 28 +++++++-- kernel/ptrace.c | 32 +++++++++++ kernel/seccomp.c | 12 +++- tools/testing/selftests/ptrace/vmaccess.c | 23 +++++--- 8 files changed, 155 insertions(+), 34 deletions(-) v10: Changes to previous version, make the PTRACE_ATTACH return -EAGAIN, instead of execve return -ERESTARTSYS. Added some lessions learned to the description. v11: Check old and new credentials in PTRACE_ATTACH again without changing the API. Note: I got actually one response from an automatic checker to the v11 patch, https://lore.kernel.org/lkml/202107121344.wu68hEPF-lkp@intel.com/ which is complaining about: >> >> kernel/ptrace.c:425:26: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected struct cred const *old_cred @@ got struct cred const [noderef] __rcu *real_cred @@ 417 struct linux_binprm *bprm = task->signal->exec_bprm; 418 const struct cred *old_cred; 419 struct mm_struct *old_mm; 420 421 retval = down_write_killable(&task->signal->exec_update_lock); 422 if (retval) 423 goto unlock_creds; 424 task_lock(task); > 425 old_cred = task->real_cred; v12: Essentially identical to v11. - Fixed a minor merge conflict in linux v5.17, and fixed the above mentioned nit by adding __rcu to the declaration. - re-tested the patch with all linux versions from v5.11 to v6.6 v10 was an alternative approach which did imply an API change. But I would prefer to avoid such an API change. The difficult part is getting the right dumpability flags assigned before de_thread starts, hope you like this version. If not, the v10 is of course also acceptable. v13: Fixed duplicated Return section in function header of is_dumpability_changed which was reported by the kernel test robot v14: rebased to v6.7, refreshed and retested. And added a more detailed description of the actual bug. Thanks Bernd. diff --git a/fs/exec.c b/fs/exec.c index 6d9ed2d765ef..f2cf7c58fe16 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1039,11 +1039,13 @@ static int exec_mmap(struct mm_struct *mm) return 0; } -static int de_thread(struct task_struct *tsk) +static int de_thread(struct task_struct *tsk, struct linux_binprm *bprm) { struct signal_struct *sig = tsk->signal; struct sighand_struct *oldsighand = tsk->sighand; spinlock_t *lock = &oldsighand->siglock; + struct task_struct *t = tsk; + bool unsafe_execve_in_progress = false; if (thread_group_empty(tsk)) goto no_thread_group; @@ -1066,6 +1068,19 @@ static int de_thread(struct task_struct *tsk) if (!thread_group_leader(tsk)) sig->notify_count--; + while_each_thread(tsk, t) { + if (unlikely(t->ptrace) + && (t != tsk->group_leader || !t->exit_state)) + unsafe_execve_in_progress = true; + } + + if (unlikely(unsafe_execve_in_progress)) { + spin_unlock_irq(lock); + sig->exec_bprm = bprm; + mutex_unlock(&sig->cred_guard_mutex); + spin_lock_irq(lock); + } + while (sig->notify_count) { __set_current_state(TASK_KILLABLE); spin_unlock_irq(lock); @@ -1156,6 +1171,11 @@ static int de_thread(struct task_struct *tsk) release_task(leader); } + if (unlikely(unsafe_execve_in_progress)) { + mutex_lock(&sig->cred_guard_mutex); + sig->exec_bprm = NULL; + } + sig->group_exec_task = NULL; sig->notify_count = 0; @@ -1167,6 +1187,11 @@ static int de_thread(struct task_struct *tsk) return 0; killed: + if (unlikely(unsafe_execve_in_progress)) { + mutex_lock(&sig->cred_guard_mutex); + sig->exec_bprm = NULL; + } + /* protects against exit_notify() and __exit_signal() */ read_lock(&tasklist_lock); sig->group_exec_task = NULL; @@ -1251,6 +1276,24 @@ int begin_new_exec(struct linux_binprm * bprm) if (retval) return retval; + /* If the binary is not readable then enforce mm->dumpable=0 */ + would_dump(bprm, bprm->file); + if (bprm->have_execfd) + would_dump(bprm, bprm->executable); + + /* + * Figure out dumpability. Note that this checking only of current + * is wrong, but userspace depends on it. This should be testing + * bprm->secureexec instead. + */ + if (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP || + is_dumpability_changed(current_cred(), bprm->cred) || + !(uid_eq(current_euid(), current_uid()) && + gid_eq(current_egid(), current_gid()))) + set_dumpable(bprm->mm, suid_dumpable); + else + set_dumpable(bprm->mm, SUID_DUMP_USER); + /* * Ensure all future errors are fatal. */ @@ -1259,7 +1302,7 @@ int begin_new_exec(struct linux_binprm * bprm) /* * Make this the only thread in the thread group. */ - retval = de_thread(me); + retval = de_thread(me, bprm); if (retval) goto out; @@ -1282,11 +1325,6 @@ int begin_new_exec(struct linux_binprm * bprm) if (retval) goto out; - /* If the binary is not readable then enforce mm->dumpable=0 */ - would_dump(bprm, bprm->file); - if (bprm->have_execfd) - would_dump(bprm, bprm->executable); - /* * Release all of the old mmap stuff */ @@ -1348,18 +1386,6 @@ int begin_new_exec(struct linux_binprm * bprm) me->sas_ss_sp = me->sas_ss_size = 0; - /* - * Figure out dumpability. Note that this checking only of current - * is wrong, but userspace depends on it. This should be testing - * bprm->secureexec instead. - */ - if (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP || - !(uid_eq(current_euid(), current_uid()) && - gid_eq(current_egid(), current_gid()))) - set_dumpable(current->mm, suid_dumpable); - else - set_dumpable(current->mm, SUID_DUMP_USER); - perf_event_exec(); __set_task_comm(me, kbasename(bprm->filename), true); @@ -1478,6 +1504,11 @@ static int prepare_bprm_creds(struct linux_binprm *bprm) if (mutex_lock_interruptible(¤t->signal->cred_guard_mutex)) return -ERESTARTNOINTR; + if (unlikely(current->signal->exec_bprm)) { + mutex_unlock(¤t->signal->cred_guard_mutex); + return -ERESTARTNOINTR; + } + bprm->cred = prepare_exec_creds(); if (likely(bprm->cred)) return 0; diff --git a/fs/proc/base.c b/fs/proc/base.c index dd31e3b6bf77..99ff3420138b 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2784,6 +2784,12 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, if (rv < 0) goto out_free; + if (unlikely(current->signal->exec_bprm)) { + mutex_unlock(¤t->signal->cred_guard_mutex); + rv = -ERESTARTNOINTR; + goto out_free; + } + rv = security_setprocattr(PROC_I(inode)->op.lsm, file->f_path.dentry->d_name.name, page, count); diff --git a/include/linux/cred.h b/include/linux/cred.h index 2976f534a7a3..a1a1ac38f749 100644 --- a/include/linux/cred.h +++ b/include/linux/cred.h @@ -153,6 +153,7 @@ extern const struct cred *get_task_cred(struct task_struct *); extern struct cred *cred_alloc_blank(void); extern struct cred *prepare_creds(void); extern struct cred *prepare_exec_creds(void); +extern bool is_dumpability_changed(const struct cred *, const struct cred *); extern int commit_creds(struct cred *); extern void abort_creds(struct cred *); extern const struct cred *override_creds(const struct cred *); diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h index 3499c1a8b929..85d8f8f2f44f 100644 --- a/include/linux/sched/signal.h +++ b/include/linux/sched/signal.h @@ -234,9 +234,27 @@ struct signal_struct { struct mm_struct *oom_mm; /* recorded mm when the thread group got * killed by the oom killer */ + struct linux_binprm *exec_bprm; /* Used to check ptrace_may_access + * against new credentials while + * de_thread is waiting for other + * traced threads to terminate. + * Set while de_thread is executing. + * The cred_guard_mutex is released + * after de_thread() has called + * zap_other_threads(), therefore + * a fatal signal is guaranteed to be + * already pending in the unlikely + * event, that + * current->signal->exec_bprm happens + * to be non-zero after the + * cred_guard_mutex was acquired. + */ + struct mutex cred_guard_mutex; /* guard against foreign influences on * credential calculations * (notably. ptrace) + * Held while execve runs, except when + * a sibling thread is being traced. * Deprecated do not use in new code. * Use exec_update_lock instead. */ diff --git a/kernel/cred.c b/kernel/cred.c index c033a201c808..72aadde3f10c 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -375,6 +375,28 @@ static bool cred_cap_issubset(const struct cred *set, const struct cred *subset) return false; } +/** + * is_dumpability_changed - Will changing creds from old to new + * affect the dumpability in commit_creds? + * + * Return: false - dumpability will not be changed in commit_creds. + * true - dumpability will be changed to non-dumpable. + * + * @old: The old credentials + * @new: The new credentials + */ +bool is_dumpability_changed(const struct cred *old, const struct cred *new) +{ + if (!uid_eq(old->euid, new->euid) || + !gid_eq(old->egid, new->egid) || + !uid_eq(old->fsuid, new->fsuid) || + !gid_eq(old->fsgid, new->fsgid) || + !cred_cap_issubset(old, new)) + return true; + + return false; +} + /** * commit_creds - Install new credentials upon the current task * @new: The credentials to be assigned @@ -403,11 +425,7 @@ int commit_creds(struct cred *new) get_cred(new); /* we will require a ref for the subj creds too */ /* dumpability changes */ - if (!uid_eq(old->euid, new->euid) || - !gid_eq(old->egid, new->egid) || - !uid_eq(old->fsuid, new->fsuid) || - !gid_eq(old->fsgid, new->fsgid) || - !cred_cap_issubset(old, new)) { + if (is_dumpability_changed(old, new)) { if (task->mm) set_dumpable(task->mm, suid_dumpable); task->pdeath_signal = 0; diff --git a/kernel/ptrace.c b/kernel/ptrace.c index d8b5e13a2229..578bc02eea27 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -20,6 +20,7 @@ #include #include #include +#include #include #include #include @@ -435,6 +436,28 @@ static int ptrace_attach(struct task_struct *task, long request, if (retval) goto unlock_creds; + if (unlikely(task->in_execve)) { + struct linux_binprm *bprm = task->signal->exec_bprm; + const struct cred __rcu *old_cred; + struct mm_struct *old_mm; + + retval = down_write_killable(&task->signal->exec_update_lock); + if (retval) + goto unlock_creds; + task_lock(task); + old_cred = task->real_cred; + old_mm = task->mm; + rcu_assign_pointer(task->real_cred, bprm->cred); + task->mm = bprm->mm; + retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS); + rcu_assign_pointer(task->real_cred, old_cred); + task->mm = old_mm; + task_unlock(task); + up_write(&task->signal->exec_update_lock); + if (retval) + goto unlock_creds; + } + write_lock_irq(&tasklist_lock); retval = -EPERM; if (unlikely(task->exit_state)) @@ -508,6 +531,14 @@ static int ptrace_traceme(void) { int ret = -EPERM; + if (mutex_lock_interruptible(¤t->signal->cred_guard_mutex)) + return -ERESTARTNOINTR; + + if (unlikely(current->signal->exec_bprm)) { + mutex_unlock(¤t->signal->cred_guard_mutex); + return -ERESTARTNOINTR; + } + write_lock_irq(&tasklist_lock); /* Are we already being traced? */ if (!current->ptrace) { @@ -523,6 +554,7 @@ static int ptrace_traceme(void) } } write_unlock_irq(&tasklist_lock); + mutex_unlock(¤t->signal->cred_guard_mutex); return ret; } diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 255999ba9190..b29bbfa0b044 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -1955,9 +1955,15 @@ static long seccomp_set_mode_filter(unsigned int flags, * Make sure we cannot change seccomp or nnp state via TSYNC * while another thread is in the middle of calling exec. */ - if (flags & SECCOMP_FILTER_FLAG_TSYNC && - mutex_lock_killable(¤t->signal->cred_guard_mutex)) - goto out_put_fd; + if (flags & SECCOMP_FILTER_FLAG_TSYNC) { + if (mutex_lock_killable(¤t->signal->cred_guard_mutex)) + goto out_put_fd; + + if (unlikely(current->signal->exec_bprm)) { + mutex_unlock(¤t->signal->cred_guard_mutex); + goto out_put_fd; + } + } spin_lock_irq(¤t->sighand->siglock); diff --git a/tools/testing/selftests/ptrace/vmaccess.c b/tools/testing/selftests/ptrace/vmaccess.c index 4db327b44586..3b7d81fb99bb 100644 --- a/tools/testing/selftests/ptrace/vmaccess.c +++ b/tools/testing/selftests/ptrace/vmaccess.c @@ -39,8 +39,15 @@ TEST(vmaccess) f = open(mm, O_RDONLY); ASSERT_GE(f, 0); close(f); - f = kill(pid, SIGCONT); - ASSERT_EQ(f, 0); + f = waitpid(-1, NULL, 0); + ASSERT_NE(f, -1); + ASSERT_NE(f, 0); + ASSERT_NE(f, pid); + f = waitpid(-1, NULL, 0); + ASSERT_EQ(f, pid); + f = waitpid(-1, NULL, 0); + ASSERT_EQ(f, -1); + ASSERT_EQ(errno, ECHILD); } TEST(attach) @@ -57,22 +64,24 @@ TEST(attach) sleep(1); k = ptrace(PTRACE_ATTACH, pid, 0L, 0L); - ASSERT_EQ(errno, EAGAIN); - ASSERT_EQ(k, -1); + ASSERT_EQ(k, 0); k = waitpid(-1, &s, WNOHANG); ASSERT_NE(k, -1); ASSERT_NE(k, 0); ASSERT_NE(k, pid); ASSERT_EQ(WIFEXITED(s), 1); ASSERT_EQ(WEXITSTATUS(s), 0); - sleep(1); - k = ptrace(PTRACE_ATTACH, pid, 0L, 0L); + k = waitpid(-1, &s, 0); + ASSERT_EQ(k, pid); + ASSERT_EQ(WIFSTOPPED(s), 1); + ASSERT_EQ(WSTOPSIG(s), SIGTRAP); + k = ptrace(PTRACE_CONT, pid, 0L, 0L); ASSERT_EQ(k, 0); k = waitpid(-1, &s, 0); ASSERT_EQ(k, pid); ASSERT_EQ(WIFSTOPPED(s), 1); ASSERT_EQ(WSTOPSIG(s), SIGSTOP); - k = ptrace(PTRACE_DETACH, pid, 0L, 0L); + k = ptrace(PTRACE_CONT, pid, 0L, 0L); ASSERT_EQ(k, 0); k = waitpid(-1, &s, 0); ASSERT_EQ(k, pid);