Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Linux: Kernel

[PATCH 3.5] c/r: prctl: less paranoid prctl_set_mm_exe_file()

  

 
Linux kernel RSS feed   Index | Next | Previous | View Threaded


khlebnikov at openvz

Jun 16, 2012, 1:51 AM

Post #1 of 9 (117 views)
Permalink
[PATCH 3.5] c/r: prctl: less paranoid prctl_set_mm_exe_file()
"no other files mapped" requirement from my previous patch
(c/r: prctl: update prctl_set_mm_exe_file() after mm->num_exe_file_vmas removal)
is too paranoid, it forbids operation even if there mapped one shared-anon vma.

Let's check that current mm->exe_file already unmapped, in this case exe_file
symlink already outdated and its changing is reasonable.

Plus, this patch fixes exit code in case operation success.

Signed-off-by: Konstantin Khlebnikov <khlebnikov [at] openvz>
Reported-by: Cyrill Gorcunov <gorcunov [at] openvz>
Cc: Oleg Nesterov <oleg [at] redhat>
Cc: Matt Helsley <matthltc [at] us>
Cc: Kees Cook <keescook [at] chromium>
Cc: KOSAKI Motohiro <kosaki.motohiro [at] jp>
Cc: Tejun Heo <tj [at] kernel>
Cc: Pavel Emelyanov <xemul [at] parallels>
---
kernel/sys.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/kernel/sys.c b/kernel/sys.c
index f0ec44d..eb4c87a 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1788,7 +1788,6 @@ SYSCALL_DEFINE1(umask, int, mask)
#ifdef CONFIG_CHECKPOINT_RESTORE
static int prctl_set_mm_exe_file(struct mm_struct *mm, unsigned int fd)
{
- struct vm_area_struct *vma;
struct file *exe_file;
struct dentry *dentry;
int err;
@@ -1816,13 +1815,17 @@ static int prctl_set_mm_exe_file(struct mm_struct *mm, unsigned int fd)
down_write(&mm->mmap_sem);

/*
- * Forbid mm->exe_file change if there are mapped other files.
+ * Forbid mm->exe_file change if old file still mapped.
*/
err = -EBUSY;
- for (vma = mm->mmap; vma; vma = vma->vm_next) {
- if (vma->vm_file && !path_equal(&vma->vm_file->f_path,
- &exe_file->f_path))
- goto exit_unlock;
+ if (mm->exe_file) {
+ struct vm_area_struct *vma;
+
+ for (vma = mm->mmap; vma; vma = vma->vm_next)
+ if (vma->vm_file &&
+ path_equal(&vma->vm_file->f_path,
+ &mm->exe_file->f_path))
+ goto exit_unlock;
}

/*
@@ -1835,6 +1838,7 @@ static int prctl_set_mm_exe_file(struct mm_struct *mm, unsigned int fd)
if (test_and_set_bit(MMF_EXE_FILE_CHANGED, &mm->flags))
goto exit_unlock;

+ err = 0;
set_mm_exe_file(mm, exe_file);
exit_unlock:
up_write(&mm->mmap_sem);

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo [at] vger
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/


gorcunov at openvz

Jun 16, 2012, 2:01 AM

Post #2 of 9 (116 views)
Permalink
Re: [PATCH 3.5] c/r: prctl: less paranoid prctl_set_mm_exe_file() [In reply to]
On Sat, Jun 16, 2012 at 12:51:04PM +0400, Konstantin Khlebnikov wrote:
> "no other files mapped" requirement from my previous patch
> (c/r: prctl: update prctl_set_mm_exe_file() after mm->num_exe_file_vmas removal)
> is too paranoid, it forbids operation even if there mapped one shared-anon vma.
>
> Let's check that current mm->exe_file already unmapped, in this case exe_file
> symlink already outdated and its changing is reasonable.
>
> Plus, this patch fixes exit code in case operation success.
>
> Signed-off-by: Konstantin Khlebnikov <khlebnikov [at] openvz>
> Reported-by: Cyrill Gorcunov <gorcunov [at] openvz>

Thanks, Konstantin, letme test it out...

Cyrill
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo [at] vger
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/


gorcunov at openvz

Jun 16, 2012, 2:06 AM

Post #3 of 9 (116 views)
Permalink
Re: [PATCH 3.5] c/r: prctl: less paranoid prctl_set_mm_exe_file() [In reply to]
On Sat, Jun 16, 2012 at 12:51:04PM +0400, Konstantin Khlebnikov wrote:
> "no other files mapped" requirement from my previous patch
> (c/r: prctl: update prctl_set_mm_exe_file() after mm->num_exe_file_vmas removal)
> is too paranoid, it forbids operation even if there mapped one shared-anon vma.
>
> Let's check that current mm->exe_file already unmapped, in this case exe_file
> symlink already outdated and its changing is reasonable.
>
> Plus, this patch fixes exit code in case operation success.
>
> Signed-off-by: Konstantin Khlebnikov <khlebnikov [at] openvz>
> Reported-by: Cyrill Gorcunov <gorcunov [at] openvz>
> Cc: Oleg Nesterov <oleg [at] redhat>
> Cc: Matt Helsley <matthltc [at] us>
> Cc: Kees Cook <keescook [at] chromium>
> Cc: KOSAKI Motohiro <kosaki.motohiro [at] jp>
> Cc: Tejun Heo <tj [at] kernel>
> Cc: Pavel Emelyanov <xemul [at] parallels>
> ---

Ack! Thanks again, Konstantin!

Cyrill
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo [at] vger
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/


gorcunov at openvz

Jun 16, 2012, 2:17 AM

Post #4 of 9 (115 views)
Permalink
Re: [PATCH 3.5] c/r: prctl: less paranoid prctl_set_mm_exe_file() [In reply to]
On Sat, Jun 16, 2012 at 01:06:46PM +0400, Cyrill Gorcunov wrote:
> On Sat, Jun 16, 2012 at 12:51:04PM +0400, Konstantin Khlebnikov wrote:
> > "no other files mapped" requirement from my previous patch
> > (c/r: prctl: update prctl_set_mm_exe_file() after mm->num_exe_file_vmas removal)
> > is too paranoid, it forbids operation even if there mapped one shared-anon vma.
> >
> > Let's check that current mm->exe_file already unmapped, in this case exe_file
> > symlink already outdated and its changing is reasonable.
> >
> > Plus, this patch fixes exit code in case operation success.
> >
> > Signed-off-by: Konstantin Khlebnikov <khlebnikov [at] openvz>
> > Reported-by: Cyrill Gorcunov <gorcunov [at] openvz>
> > Cc: Oleg Nesterov <oleg [at] redhat>
> > Cc: Matt Helsley <matthltc [at] us>
> > Cc: Kees Cook <keescook [at] chromium>
> > Cc: KOSAKI Motohiro <kosaki.motohiro [at] jp>
> > Cc: Tejun Heo <tj [at] kernel>
> > Cc: Pavel Emelyanov <xemul [at] parallels>
> > ---
>
> Ack! Thanks again, Konstantin!

Side note: there is a little nit with this patch actually,
because while when we do c/r we do "right things" and unmap
all vm-executable mappings before we set up new exe_file. But
we can't guarantee that some brave soul would not setup
new exe-file just for it's own, then what we migh have

- mm::exe_file set up and points to some file, moreover num_exe_file_vmas might be > 1
- application calls for prctl_set_mm_exe_file
- set_mm_exe_file(mm, exe_file) called, and it drops num_exe_file_vmas to 0
- finally application might call for removed_exe_file_vma

void removed_exe_file_vma(struct mm_struct *mm)
{
mm->num_exe_file_vmas--;
if ((mm->num_exe_file_vmas == 0) && mm->exe_file) {
fput(mm->exe_file);
mm->exe_file = NULL;
}

}

and it does _not_ test for num_exe_file_vmas being 0 before doing decrement,
thus we get inconsistency in counter.

Cyrill
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo [at] vger
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/


khlebnikov at openvz

Jun 16, 2012, 2:42 AM

Post #5 of 9 (109 views)
Permalink
Re: [PATCH 3.5] c/r: prctl: less paranoid prctl_set_mm_exe_file() [In reply to]
Cyrill Gorcunov wrote:
> On Sat, Jun 16, 2012 at 01:06:46PM +0400, Cyrill Gorcunov wrote:
>> On Sat, Jun 16, 2012 at 12:51:04PM +0400, Konstantin Khlebnikov wrote:
>>> "no other files mapped" requirement from my previous patch
>>> (c/r: prctl: update prctl_set_mm_exe_file() after mm->num_exe_file_vmas removal)
>>> is too paranoid, it forbids operation even if there mapped one shared-anon vma.
>>>
>>> Let's check that current mm->exe_file already unmapped, in this case exe_file
>>> symlink already outdated and its changing is reasonable.
>>>
>>> Plus, this patch fixes exit code in case operation success.
>>>
>>> Signed-off-by: Konstantin Khlebnikov<khlebnikov [at] openvz>
>>> Reported-by: Cyrill Gorcunov<gorcunov [at] openvz>
>>> Cc: Oleg Nesterov<oleg [at] redhat>
>>> Cc: Matt Helsley<matthltc [at] us>
>>> Cc: Kees Cook<keescook [at] chromium>
>>> Cc: KOSAKI Motohiro<kosaki.motohiro [at] jp>
>>> Cc: Tejun Heo<tj [at] kernel>
>>> Cc: Pavel Emelyanov<xemul [at] parallels>
>>> ---
>>
>> Ack! Thanks again, Konstantin!
>
> Side note: there is a little nit with this patch actually,
> because while when we do c/r we do "right things" and unmap
> all vm-executable mappings before we set up new exe_file. But
> we can't guarantee that some brave soul would not setup
> new exe-file just for it's own, then what we migh have
>
> - mm::exe_file set up and points to some file, moreover num_exe_file_vmas might be> 1
> - application calls for prctl_set_mm_exe_file
> - set_mm_exe_file(mm, exe_file) called, and it drops num_exe_file_vmas to 0
> - finally application might call for removed_exe_file_vma
>
> void removed_exe_file_vma(struct mm_struct *mm)
> {
> mm->num_exe_file_vmas--;
> if ((mm->num_exe_file_vmas == 0)&& mm->exe_file) {
> fput(mm->exe_file);
> mm->exe_file = NULL;
> }
>
> }
>
> and it does _not_ test for num_exe_file_vmas being 0 before doing decrement,
> thus we get inconsistency in counter.

No, removed_exe_file_vma() is called only for vma with VM_EXECUTABLE flag,
there no way to get such vma other than sys_execve().
And this brave soul cannot call prctl_set_mm_exe_file() successfully,
just because for vma with VM_EXECUTABLE flag vma->vm_file == mm->exe_file.

Anyway, I plan to get rid of mm->num_exe_file_vmas and VM_EXECUTABLE.

>
> Cyrill

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo [at] vger
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/


gorcunov at openvz

Jun 16, 2012, 2:47 AM

Post #6 of 9 (111 views)
Permalink
Re: [PATCH 3.5] c/r: prctl: less paranoid prctl_set_mm_exe_file() [In reply to]
On Sat, Jun 16, 2012 at 01:42:23PM +0400, Konstantin Khlebnikov wrote:
> >Side note: there is a little nit with this patch actually,
> >because while when we do c/r we do "right things" and unmap
> >all vm-executable mappings before we set up new exe_file. But
> >we can't guarantee that some brave soul would not setup
> >new exe-file just for it's own, then what we migh have
> >
> > - mm::exe_file set up and points to some file, moreover num_exe_file_vmas might be> 1
> > - application calls for prctl_set_mm_exe_file
> > - set_mm_exe_file(mm, exe_file) called, and it drops num_exe_file_vmas to 0
> > - finally application might call for removed_exe_file_vma
> >
> >void removed_exe_file_vma(struct mm_struct *mm)
> >{
> > mm->num_exe_file_vmas--;
> > if ((mm->num_exe_file_vmas == 0)&& mm->exe_file) {
> > fput(mm->exe_file);
> > mm->exe_file = NULL;
> > }
> >
> >}
> >
> >and it does _not_ test for num_exe_file_vmas being 0 before doing decrement,
> >thus we get inconsistency in counter.
>
> No, removed_exe_file_vma() is called only for vma with VM_EXECUTABLE flag,
> there no way to get such vma other than sys_execve().
> And this brave soul cannot call prctl_set_mm_exe_file() successfully,
> just because for vma with VM_EXECUTABLE flag vma->vm_file == mm->exe_file.
>
> Anyway, I plan to get rid of mm->num_exe_file_vmas and VM_EXECUTABLE.

Yeah, you've changed !path_equal to path_equal. And yes, getting rid of
num_exe_file_vmas is good idea. Btw, Konstantin, why do we need to
call for path_equal? Maybe we can simply test for mm->exe_file == NULL,
and refuse to change anything if it's not nil value? This will simplify
the code.

Cyrill
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo [at] vger
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/


khlebnikov at openvz

Jun 16, 2012, 8:38 AM

Post #7 of 9 (106 views)
Permalink
Re: [PATCH 3.5] c/r: prctl: less paranoid prctl_set_mm_exe_file() [In reply to]
Cyrill Gorcunov wrote:
> On Sat, Jun 16, 2012 at 01:42:23PM +0400, Konstantin Khlebnikov wrote:
>>> Side note: there is a little nit with this patch actually,
>>> because while when we do c/r we do "right things" and unmap
>>> all vm-executable mappings before we set up new exe_file. But
>>> we can't guarantee that some brave soul would not setup
>>> new exe-file just for it's own, then what we migh have
>>>
>>> - mm::exe_file set up and points to some file, moreover num_exe_file_vmas might be> 1
>>> - application calls for prctl_set_mm_exe_file
>>> - set_mm_exe_file(mm, exe_file) called, and it drops num_exe_file_vmas to 0
>>> - finally application might call for removed_exe_file_vma
>>>
>>> void removed_exe_file_vma(struct mm_struct *mm)
>>> {
>>> mm->num_exe_file_vmas--;
>>> if ((mm->num_exe_file_vmas == 0)&& mm->exe_file) {
>>> fput(mm->exe_file);
>>> mm->exe_file = NULL;
>>> }
>>>
>>> }
>>>
>>> and it does _not_ test for num_exe_file_vmas being 0 before doing decrement,
>>> thus we get inconsistency in counter.
>>
>> No, removed_exe_file_vma() is called only for vma with VM_EXECUTABLE flag,
>> there no way to get such vma other than sys_execve().
>> And this brave soul cannot call prctl_set_mm_exe_file() successfully,
>> just because for vma with VM_EXECUTABLE flag vma->vm_file == mm->exe_file.
>>
>> Anyway, I plan to get rid of mm->num_exe_file_vmas and VM_EXECUTABLE.
>
> Yeah, you've changed !path_equal to path_equal. And yes, getting rid of
> num_exe_file_vmas is good idea. Btw, Konstantin, why do we need to
> call for path_equal? Maybe we can simply test for mm->exe_file == NULL,
> and refuse to change anything if it's not nil value? This will simplify
> the code.

After removing VM_EXECUTABLE and mm->num_exe_file_vmas mm->exe_file
will never becomes NULL automatically. Patch for this not commited yet,
but I hope it will be in 3.6.

>
> Cyrill

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo [at] vger
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/


gorcunov at openvz

Jun 16, 2012, 8:44 AM

Post #8 of 9 (109 views)
Permalink
Re: [PATCH 3.5] c/r: prctl: less paranoid prctl_set_mm_exe_file() [In reply to]
On Sat, Jun 16, 2012 at 07:38:29PM +0400, Konstantin Khlebnikov wrote:
> >Yeah, you've changed !path_equal to path_equal. And yes, getting rid of
> >num_exe_file_vmas is good idea. Btw, Konstantin, why do we need to
> >call for path_equal? Maybe we can simply test for mm->exe_file == NULL,
> >and refuse to change anything if it's not nil value? This will simplify
> >the code.
>
> After removing VM_EXECUTABLE and mm->num_exe_file_vmas mm->exe_file
> will never becomes NULL automatically. Patch for this not commited yet,
> but I hope it will be in 3.6.

OK, lets stick with current patch then.

Cyrill
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo [at] vger
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/


gorcunov at openvz

Jun 18, 2012, 1:58 AM

Post #9 of 9 (103 views)
Permalink
Re: [PATCH 3.5] c/r: prctl: less paranoid prctl_set_mm_exe_file() [In reply to]
On Sat, Jun 16, 2012 at 07:44:24PM +0400, Cyrill Gorcunov wrote:
> On Sat, Jun 16, 2012 at 07:38:29PM +0400, Konstantin Khlebnikov wrote:
> > >Yeah, you've changed !path_equal to path_equal. And yes, getting rid of
> > >num_exe_file_vmas is good idea. Btw, Konstantin, why do we need to
> > >call for path_equal? Maybe we can simply test for mm->exe_file == NULL,
> > >and refuse to change anything if it's not nil value? This will simplify
> > >the code.
> >
> > After removing VM_EXECUTABLE and mm->num_exe_file_vmas mm->exe_file
> > will never becomes NULL automatically. Patch for this not commited yet,
> > but I hope it will be in 3.6.
>
> OK, lets stick with current patch then.

To clarify

Tested-by: Cyrill Gorcunov <gorcunov [at] openvz>

Andrew, could you please pick up this bugfix. It's critical for us.

P.S. Together with patch https://lkml.org/lkml/2012/6/15/220 it'll be
last changes to prctl in a sake of c/r I think. Would be cool to have
both bugfixes in 3.5.

Cyrill
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo [at] vger
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Linux kernel RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.