Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> writes: > On Fri, Jul 2, 2021 at 11:43 AM Kees Cook <keescook@xxxxxxxxxxxx> wrote: >> >> Uhm, this is only checked in open(), and never again? Is this safe in >> the face of exec or pid re-use? Exec does not change the file descriptor table. The open holds a reference to the proc inode. The proc inode holds the struct pid of the task and the file descriptor number. References using struct pid do not suffer from userspace pid rollover issues. So the only issue I see is file descriptor reuse after an exec, that changes the processes struct cred. Assuming we care it would probably be worth a bug fix patch to check something. Eric
