Re: [PATCH] Fix race condition when exec'ing setuid files

From: Jorge Merlino
Date: Sun Sep 18 2022 - 17:27:45 EST

Next message: kernel test robot: "[ardb:for-kernelci 17/21] efi.c:undefined reference to `phys_initrd_start'"
Previous message: Richard Weinberger: "Re: [PATCH V3 04/11] um: Improve panic notifiers consistency and ordering"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

El 13/9/22 a las 19:03, Kees Cook escribió:

Thanks for reporting this and for having a reproducer!

It looks like this is "failing safe", in the sense that the bug causes
an exec of a setuid binary to not actually change the euid. Is that an
accurate understanding here?

Yes, that is correct.

This patch sort of fixes this by setting a process flag to the parent
process during the time this race is possible. Thus, if a process is
forking, it counts an extra user fo the fs_struct as the counter might be
incremented before the thread is visible. But this is not great as this
could generate the opposite problem as there may be an external process
sharing the fs_struct that is masked by some thread that is being counted
twice. I submit this patch just as an idea but mainly I want to introduce
this issue and see if someone comes up with a better solution.

I'll want to spend some more time studying this race, but yes, it looks
like it should get fixed. I'm curious, though, how did you find this
problem? It seems quite unusual to have a high-load heavily threaded
process decide to exec.

It was reported to Canonical by a customer. I don't know exactly the circumstances where they see this problem occur in production.

Thanks
Jorge

Next message: kernel test robot: "[ardb:for-kernelci 17/21] efi.c:undefined reference to `phys_initrd_start'"
Previous message: Richard Weinberger: "Re: [PATCH V3 04/11] um: Improve panic notifiers consistency and ordering"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]