Jann Horn <jannh@xxxxxxxxxx> writes: > On Wed, Apr 1, 2020 at 10:50 PM Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote: >> Replace the 32bit exec_id with a 64bit exec_id to make it impossible >> to wrap the exec_id counter. With care an attacker can cause exec_id >> wrap and send arbitrary signals to a newly exec'd parent. This >> bypasses the signal sending checks if the parent changes their >> credentials during exec. >> >> The severity of this problem can been seen that in my limited testing >> of a 32bit exec_id it can take as little as 19s to exec 65536 times. >> Which means that it can take as little as 14 days to wrap a 32bit >> exec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7 >> days. Even my slower timing is in the uptime of a typical server. > > FYI, if you actually optimize this, it's more like 12s to exec 1048576 > times according to my test, which means ~14 hours for 2^32 executions > (on a single core). That's on an i7-4790 (a Haswell desktop processor > that was launched about six years ago, in 2014). Half a day. I am not at all surprised, but it is good to know it can take so little time. Eric
