I'll have to look over the rest later, but for what it's worth:
On 12/13/23 10:31 AM, Alejandro Colomar wrote:
There don't seem to be any
races in open("/proc/[pid]/exe", ...).
Sorry if I'm just confused, but I don't understand how the given test
script reproduces or tests anything relevant to a potential open() race.
The race would work like this:
1. Process A issues open("/proc/self/exe")
2. Process A's open() on /proc/self/exe heads into whatever libc or
kernel path that resolves where that symlink points to a path, if it's
treated as one.
3. Process scheduler switches to process B.
4. Process B switches out process A's binary, such that a different
binary is now at the old path.
5. Process A's open() code in libc or kernel space resumes and opens the
file pointed to by the given path, which is now a new binary.
I'm pretty sure you can't test that anyway to rule it out, that could
only be answered by looking at all the relevant code and whether
/proc/self/exe is ever resolved to a path (like I assume an actual
symlink usually is) or directly to an inode (which would likely be safe).
Regards,
ellie
