On Thu, Nov 28, 2019 at 10:02 AM Rasmus Villemoes <linux@xxxxxxxxxxxxxxxxxx> wrote: > On 28/11/2019 00.27, Jann Horn wrote: > > > One more thing, though: We'll have to figure out some way to > > invalidate the fd when the target goes through execve(), in particular > > if it's a setuid execution. Otherwise we'll be able to just steal > > signals that were intended for the other task, that's probably not > > good. > > > > So we should: > > a) prevent using ->wait() on an old signalfd once the task has gone > > through execve() > > b) kick off all existing waiters > > c) most importantly, prevent ->read() on an old signalfd once the > > task has gone through execve() > > > > We probably want to avoid using the cred_guard_mutex here, since it is > > quite broad and has some deadlocking issues; it might make sense to > > put the update of ->self_exec_id in fs/exec.c under something like the > > siglock, > > What prevents one from exec'ing a trivial helper 2^32-1 times before > exec'ing into the victim binary? Uh, yeah... that thing should probably become 64 bits wide, too.
