Re: [BUG] rename() from outside of the target dir breaks /proc exe symlink.

From: Al Viro
Date: Sat Dec 27 2014 - 13:14:28 EST


On Sat, Dec 27, 2014 at 06:39:54PM +0100, Piotr Karbowski wrote:
> Hi,
>
> There's something wrong about exe symlink that can be found inside
> /proc/<pid>/ directories. When the running binary is replaced with
> another, using rename() call, the symlink may point to wrong path.
>
> As example let me use sshd. I have running sshd from /usr/sbin. If I
> replace /usr/sbin/sshd one could expect to see exe symlink pointing
> to '/usr/sbin/sshd (deleted)', it does work this way if the source
> of rename() was in the same directory or nested within, thus rename
> like:
>
> rename("/usr/sbin/foo", "/usr/sbin/sshd")
>
> and
>
> rename("/usr/sbin/bar/sshd", "/usr/sbin/sshd")
>
> ends with a proper '/usr/sbin/sshd (deleted)' symlink.
>
> If, however, the source was outside of the target directory, the
> symlink will point to the source path of rename() calls with
> 'deleted' suffix.
>
> Here's example:
>
> sbin # for i in `pidof sshd`; do ls -l /proc/$i/exe; done
> lrwxrwxrwx 1 root root 0 Dec 27 18:09 /proc/29047/exe -> /usr/sbin/sshd
>
> sbin # cp sshd /root/foo
>
> sbin # strace -f perl -e 'rename("/root/foo", "/usr/sbin/sshd")' 2>&1 | grep sshd
> rename("/root/foo", "/usr/sbin/sshd") = 0
>
> sbin # for i in `pidof sshd`; do ls -l /proc/$i/exe; done
> lrwxrwxrwx 1 root root 0 Dec 27 18:09 /proc/29047/exe -> /root/sshd (deleted)
>
> I am unable to find kernel version where it worked as one could
> presume thus I cannot offer to bisect commits to find the bad one.

That's because it never _had_ worked. Note that opening the damn thing
will give the right file - it does not work by traversing the result of
readlink(2). readlink(2) output on those is not promised to be useful
in all cases; often enough it is, but it won't work on cross-directory
renames, it can't be used to tell a filename that really ends with " (deleted)"
from a removed file, etc. Moreover, it only very recently became usable for
victim names with the last component longer than 40 characters if you did an
overwriting rename.

What are you trying to use it for?
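
Added example, not part of the original thread and not code from either poster: a check for "is this process still running the file now on disk?" that compares device and inode through /proc/<pid>/exe instead of parsing the readlink(2) text. The helper names (`file_id`, `exe_matches`, `demo`) are hypothetical, and the scenario is constructed: a copy of `sleep` in a temporary directory stands in for sshd. It assumes Linux with /proc mounted and `sleep` on PATH.

```python
import os
import shutil
import subprocess
import tempfile


def file_id(path):
    """(device, inode) of whatever the path resolves to."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def exe_matches(pid, expected_path):
    """Is the file now at expected_path the image that pid is executing?

    stat() through /proc/<pid>/exe reaches the executed inode directly;
    the readlink() text is returned for display only and is never parsed.
    """
    link = f"/proc/{pid}/exe"
    text = os.readlink(link)
    running = file_id(link)
    try:
        return text, running == file_id(expected_path)
    except FileNotFoundError:
        return text, False  # nothing at expected_path any more


def demo():
    """Constructed scenario: overwrite a running binary by rename() from another dir."""
    sleep_bin = shutil.which("sleep")
    with tempfile.TemporaryDirectory() as top:
        top = os.path.realpath(top)
        target = os.path.join(top, "sbin", "sleep")   # stands in for /usr/sbin/sshd
        source = os.path.join(top, "root", "foo")     # stands in for /root/foo
        for path in (target, source):
            os.mkdir(os.path.dirname(path))
            shutil.copy(sleep_bin, path)
        original = file_id(target)
        proc = subprocess.Popen([target, "30"])
        try:
            before = exe_matches(proc.pid, target)
            os.rename(source, target)                 # cross-directory overwrite
            after = exe_matches(proc.pid, target)
            still_original = file_id(f"/proc/{proc.pid}/exe") == original
        finally:
            proc.kill()
            proc.wait()
    return {"before": before, "after": after, "still_original": still_original}
```

`after` reports a mismatch because the path now names a different inode, while `still_original` shows that /proc/<pid>/exe itself still resolves to the image that was executed, whatever the link text says.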