On Thu, Nov 28, 2019 at 11:07 AM Jann Horn <jannh@xxxxxxxxxx> wrote: > On Thu, Nov 28, 2019 at 10:02 AM Rasmus Villemoes > <linux@xxxxxxxxxxxxxxxxxx> wrote: > > On 28/11/2019 00.27, Jann Horn wrote: > > > > > One more thing, though: We'll have to figure out some way to > > > invalidate the fd when the target goes through execve(), in particular > > > if it's a setuid execution. Otherwise we'll be able to just steal > > > signals that were intended for the other task, that's probably not > > > good. > > > > > > So we should: > > > a) prevent using ->wait() on an old signalfd once the task has gone > > > through execve() > > > b) kick off all existing waiters > > > c) most importantly, prevent ->read() on an old signalfd once the > > > task has gone through execve() > > > > > > We probably want to avoid using the cred_guard_mutex here, since it is > > > quite broad and has some deadlocking issues; it might make sense to > > > put the update of ->self_exec_id in fs/exec.c under something like the > > > siglock, > > > > What prevents one from exec'ing a trivial helper 2^32-1 times before > > exec'ing into the victim binary? > > Uh, yeah... that thing should probably become 64 bits wide, too. Actually, that'd still be wrong even with the existing kernel code for two reasons: - if you reparent to a subreaper, the existing exec_id comparison breaks - the new check here is going to break if a non-leader thread goes through execve(), because of the weird magic where the thread going through execve steals the thread id (PID) of the leader I'm gone for the day, but will try to dust off the years-old patch for this that I have lying around somewhere tomorrow. I should probably send it through akpm's tree with cc stable, given that this is already kinda broken in existing releases...