From: Bernd Edlinger <bernd.edlinger@hotmail.de>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
Alexey Dobriyan <adobriyan@gmail.com>,
Oleg Nesterov <oleg@redhat.com>,
Kees Cook <keescook@chromium.org>,
Andy Lutomirski <luto@amacapital.net>,
Will Drewry <wad@chromium.org>, Shuah Khan <shuah@kernel.org>,
Christian Brauner <christian.brauner@ubuntu.com>,
Michal Hocko <mhocko@suse.com>, Serge Hallyn <serge@hallyn.com>,
James Morris <jamorris@linux.microsoft.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Charles Haithcock <chaithco@redhat.com>,
Suren Baghdasaryan <surenb@google.com>,
Yafang Shao <laoar.shao@gmail.com>, Helge Deller <deller@gmx.de>,
YiFei Zhu <yifeifz2@illinois.edu>,
Adrian Reber <areber@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
Jens Axboe <axboe@kernel.dk>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
linux-kselftest@vger.kernel.org
Subject: Re: [PATCHv8] exec: Fix dead-lock in de_thread with ptrace_attach
Date: Fri, 11 Jun 2021 06:42:48 +0200
Message-ID: <AM8PR10MB470821E940142AD462C23FBFE4349@AM8PR10MB4708.EURPRD10.PROD.OUTLOOK.COM>
In-Reply-To: <20210610143642.e4535dbdc0db0b1bd3ee5367@linux-foundation.org>

On 6/10/21 11:36 PM, Andrew Morton wrote:
> On Thu, 10 Jun 2021 09:31:42 +0200 Bernd Edlinger <bernd.edlinger@hotmail.de> wrote:
>
>> This introduces signal->unsafe_execve_in_progress,
>> which is used to fix the case when at least one of the
>> sibling threads is traced, and therefore the trace
>> process may dead-lock in ptrace_attach, but de_thread
>> will need to wait for the tracer to continue execution.
>
> Deadlocks are serious. Is this exploitable by unprivileged userspace?
>
Yes, in theory:
You need a program doing things like the second test case in vmaccess.c
and if the parent (also unprivileged) does simply not call PTRACE_ATTACH
and not waitpid. This is an unprivileged process.
Now if a kernel process would try the PTRACE_ATTACH from the test case
it would freeze until the parent process calls waitpid, which it would
not do in this scenario.
>> Signed-off-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
>
> Was a -stable backport considered?
>
>
Yes, maybe after some time.
Thanks
Bernd.