On Wed, May 18, 2022 at 10:46:01AM -0700, Andrew Morton wrote: > On Wed, 18 May 2022 16:12:27 +0800 Zhihao Cheng <chengzhihao1@xxxxxxxxxx> wrote: > > > There is a false positive WARNON happening in execve(2)/uselib(2) > > syscalls with concurrent noexec-remount. > > > > execveat remount > > do_open_execat(path/bin) > > do_filp_open > > path_openat > > do_open > > may_open > > path_noexec() // PASS > > remount(path->mnt, MS_NOEXEC) > > WARNON(path_noexec(&file->f_path)) // path_noexec() checks fail Did you encounter this in the real world? > > You're saying this is a race condition? A concurrent remount causes > this warning? It seems not an unreasonable thing to warn about. Perhaps since it's technically reachable from userspace, it could be downgraded to pr_warn(), but I certainly don't want to remove the checks. > > > Since may_open() has already checked the same conditions, fix it by > > removing 'S_ISREG' and 'path_noexec' check in do_open_execat()/uselib(2). > > > > ... > > > > --- a/fs/exec.c > > +++ b/fs/exec.c > > @@ -141,16 +141,6 @@ SYSCALL_DEFINE1(uselib, const char __user *, library) > > if (IS_ERR(file)) > > goto out; > > > > - /* > > - * may_open() has already checked for this, so it should be > > - * impossible to trip now. But we need to be extra cautious > > - * and check again at the very end too. > > - */ > > - error = -EACCES; > > - if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) || > > - path_noexec(&file->f_path))) > > - goto exit; > > - > > Maybe we should retain the `goto exit'. The remount has now occurred, > so the execution attempt should be denied. If so, the comment should > be updated to better explain what's happening. > > I guess we'd still be racy against `mount -o exec', but accidentally > denying something seems less serious than accidentally permitting it. I'd like to leave this as-is, since we _do_ want to find the cases where we're about to allow an exec and a very important security check was NOT handled. -- Kees Cook
