Re: [PATCH] signal: Extend exec_id to 64bits

From: Eric W. Biederman
Date: Thu Apr 02 2020 - 10:17:31 EST


Jann Horn <jannh@xxxxxxxxxx> writes:

> On Wed, Apr 1, 2020 at 10:50 PM Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
>> Replace the 32bit exec_id with a 64bit exec_id to make it impossible
>> to wrap the exec_id counter. With care an attacker can cause exec_id
>> wrap and send arbitrary signals to a newly exec'd parent. This
>> bypasses the signal sending checks if the parent changes their
>> credentials during exec.
>>
>> The severity of this problem can been seen that in my limited testing
>> of a 32bit exec_id it can take as little as 19s to exec 65536 times.
>> Which means that it can take as little as 14 days to wrap a 32bit
>> exec_id. Adam Zabrocki has succeeded wrapping the self_exe_id in 7
>> days. Even my slower timing is in the uptime of a typical server.
>
> FYI, if you actually optimize this, it's more like 12s to exec 1048576
> times according to my test, which means ~14 hours for 2^32 executions
> (on a single core). That's on an i7-4790 (a Haswell desktop processor
> that was launched about six years ago, in 2014).

Half a day. I am not at all surprised, but it is good to know it can
take so little time.

Eric