Re: [PATCH 3/4] proc: io_accounting: Use new infrastructure to fix deadlocks in execve

From: Kees Cook
Date: Wed Mar 11 2020 - 15:08:14 EST


On Tue, Mar 10, 2020 at 06:45:47PM +0100, Bernd Edlinger wrote:
> This changes do_io_accounting to use the new exec_update_mutex
> instead of cred_guard_mutex.
>
> This fixes possible deadlocks when the trace is accessing
> /proc/$pid/io for instance.
>
> This should be safe, as the credentials are only used for reading.

I'd like to see the rationale described better here for why it should be
safe. I'm still not seeing why this is safe here, as we might check
ptrace_may_access() with one cred and then iterate io accounting with a
different credential...

What am I missing?

-Kees

>
> Signed-off-by: Bernd Edlinger <bernd.edlinger@xxxxxxxxxx>
> ---
> fs/proc/base.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 4fdfe4f..529d0c6 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2770,7 +2770,7 @@ static int do_io_accounting(struct task_struct *task, struct seq_file *m, int wh
> unsigned long flags;
> int result;
>
> - result = mutex_lock_killable(&task->signal->cred_guard_mutex);
> + result = mutex_lock_killable(&task->signal->exec_update_mutex);
> if (result)
> return result;
>
> @@ -2806,7 +2806,7 @@ static int do_io_accounting(struct task_struct *task, struct seq_file *m, int wh
> result = 0;
>
> out_unlock:
> - mutex_unlock(&task->signal->cred_guard_mutex);
> + mutex_unlock(&task->signal->exec_update_mutex);
> return result;
> }
>
> --
> 1.9.1

--
Kees Cook