On Wed, Aug 11, 2021 at 10:45 PM David Hildenbrand <david@xxxxxxxxxx> wrote:
/* No ordering required: file already has been exposed. */
- RCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm));
+ exe_file = get_mm_exe_file(oldmm);
+ RCU_INIT_POINTER(mm->exe_file, exe_file);
+ if (exe_file)
+ deny_write_access(exe_file);
Can we make a helper function for this, since it's done in two different places?
- if (new_exe_file)
+ if (new_exe_file) {
get_file(new_exe_file);
+ /*
+ * exec code is required to deny_write_access() successfully,
+ * so this cannot fail
+ */
+ deny_write_access(new_exe_file);
+ }
rcu_assign_pointer(mm->exe_file, new_exe_file);
And the above looks positively wrong. The comment is also nonsensical,
in that it basically says "we thought this cannot fail, so we'll just
rely on it".
If it truly cannot fail, then the comment should give the reason, not
the "we depend on this not failing".
And honestly, I don't see why it couldn't fail. And if it *does* fail,
we cannot then RCU-assign the exe_file pointer with this, because
you'll get a counter imbalance when you do the allow_write_access()
later.
Anyway, do_open_execat() does do deny_write_access() with proper error
checking. I think that is the existing reference that you depend on -
so that it doesn't fail. So the comment could possibly say that the
only caller has done this, but can we not just use the reference
deny_write_access() directly, and not do a new one here?
IOW, maybe there's an extraneous 'allow_write_access()' somewhere that
should be dropped when we do the whole binprm dance in execve()?