On Thu, Nov 28, 2019 at 8:18 PM Jann Horn <jannh@xxxxxxxxxx> wrote: > On Thu, Nov 28, 2019 at 11:07 AM Jann Horn <jannh@xxxxxxxxxx> wrote: > > On Thu, Nov 28, 2019 at 10:02 AM Rasmus Villemoes > > <linux@xxxxxxxxxxxxxxxxxx> wrote: > > > On 28/11/2019 00.27, Jann Horn wrote: > > > > > > > One more thing, though: We'll have to figure out some way to > > > > invalidate the fd when the target goes through execve(), in particular > > > > if it's a setuid execution. Otherwise we'll be able to just steal > > > > signals that were intended for the other task, that's probably not > > > > good. > > > > > > > > So we should: > > > > a) prevent using ->wait() on an old signalfd once the task has gone > > > > through execve() > > > > b) kick off all existing waiters > > > > c) most importantly, prevent ->read() on an old signalfd once the > > > > task has gone through execve() > > > > > > > > We probably want to avoid using the cred_guard_mutex here, since it is > > > > quite broad and has some deadlocking issues; it might make sense to > > > > put the update of ->self_exec_id in fs/exec.c under something like the > > > > siglock, > > > > > > What prevents one from exec'ing a trivial helper 2^32-1 times before > > > exec'ing into the victim binary? > > > > Uh, yeah... that thing should probably become 64 bits wide, too. > > Actually, that'd still be wrong even with the existing kernel code for > two reasons: > > - if you reparent to a subreaper, the existing exec_id comparison breaks ... actually, I was wrong about this, this case is fine because the ->exit_signal is reset in reparent_leader().
