On Fri, Sep 30, 2016 at 6:44 AM, Oleg Nesterov <oleg@xxxxxxxxxx> wrote:
> forgot to mention...
>
> On 09/30, Oleg Nesterov wrote:
>>
>> On 09/23, Jann Horn wrote:
>> >
>> > One reason for doing this is that it prevents an attacker from sending an
>> > arbitrary signal to a parent process after performing 2^32-1 execve()
>> > calls.
>
> No, sets ->exit_signal = SIGCHLD. So the only problem is that the parent
> can do clone(SIGKILL), then do execve() 2^32-1 times, then it can be killed
> by SIGKILL from the exiting child.
>
> Honestly, I do not think this is a security problem.

It's a corner case, to be sure. But even sending a SIGKILL across
privilege boundaries should not be allowed to happen.

>
>> I think we should simply kill self/parent_exec_id's. I am going to send
>> the patch below after re-check/testing.
>
> Yes, I think this makes sense anyway.

Hrm, I also thought this was used for more than just signal checking,
but I don't see anything else right now. Maybe I was remembering
earlier versions of Jann's patches...

-Kees

--
Kees Cook
Nexus Security