On 28/11/2019 00.27, Jann Horn wrote: > One more thing, though: We'll have to figure out some way to > invalidate the fd when the target goes through execve(), in particular > if it's a setuid execution. Otherwise we'll be able to just steal > signals that were intended for the other task, that's probably not > good. > > So we should: > a) prevent using ->wait() on an old signalfd once the task has gone > through execve() > b) kick off all existing waiters > c) most importantly, prevent ->read() on an old signalfd once the > task has gone through execve() > > We probably want to avoid using the cred_guard_mutex here, since it is > quite broad and has some deadlocking issues; it might make sense to > put the update of ->self_exec_id in fs/exec.c under something like the > siglock, What prevents one from exec'ing a trivial helper 2^32-1 times before exec'ing into the victim binary? Rasmus
