Re: [PATCH v2 0/5] pid: add pidfd_open()
From: Jann Horn
Date: Sat Mar 30 2019 - 22:41:51 EST
On Sun, Mar 31, 2019 at 3:07 AM Joel Fernandes <joel@xxxxxxxxxxxxxxxxx> wrote:
> As I said I don't really care about "pidfd" solving any racing issues with
> /proc/<pid>/* accesses - because I still find it hard to imagine that the pid
> number can be reused easily from the time you know which <pid> to deal with,
> to the time when you want to read, say, the /proc/<pid>/status file.
There have been several Android security bugs related to PID reuse.
> I am yet
> to see any real data to show that such overflow happens - you literally need
> 32k process deaths and forks in such a short time frame
This seems very inaccurate to me.
The time frame in which the PID has to wrap around is not the time
between process death and use of the PID. It is the time between *the
creation* of the old process and the use of the PID. Consider the
following sequence of events:
- process A starts with PID 1000
- some time passes in which some process repeatedly forks, with PIDs
wrapping around to 999
- process B starts an attempt to access process A (using PID 1000)
- process A dies
- process C spawns with PID 1000
- process B accidentally accesses process C
Also, it's probably worth clarifying that here, "processes" means "threads".
If there are a lot of active processes, that reduces the number of
times you have to clone() to get the PID to wrap around.
> and on 64-bit, that
> number is really high
Which number is really high on 64-bit? Checking on a walleye phone,
pid_max is still only 32768:
walleye:/ # cat /proc/sys/kernel/pid_max
32768
walleye:/ #
> that its not even an issue. And if this is really an
> issue, then you can just open a handle to /proc/<pid> at process creation
> time and keep it around. If the <pid> is reused, you can still use openat(2)
> on that handle without any races.
But not if you want to implement something like killall in a
race-free way, for example.