Re: [PATCH v2 0/4] futex: Drop ROBUST_LIST_LIMIT

From: Peter Zijlstra
Date: Mon Feb 03 2025 - 08:35:18 EST


On Tue, Jan 28, 2025 at 09:35:26PM +0100, Florian Weimer wrote:

> >> Doesn't this turn a robust mutex overwrite or a TCB overwrite into a
> >> write-anything-anywhere primitive?
> >
> > The robust list is meant to be a private resource, per-process, and
> > this patch only rewrites it after the process exits, so I believe that
> > any changes done in this memory should be safe given that the process
> > will soon disappear anyway, right?
>
> At least in the glibc implementation, we let the kernel handle robust
> mutex notification on thread exit, and that's observable.
>
> Beyond that, process-shared robust mutexes exist, too, and those updates
> will be observable, too.

AFAICT we don't allow writing anywhere we couldn't already. The process
shared things should be in shared memory, something we can already write
to.

Notably, the kernel doesn't change address space while walking the
robust list (the robust list doesn't even contain enough information to
do this, even if we wanted to), it can only write to things the dying
task could already write to.

So I don't think there is a security angle here. Yes userspace can shoot
itself in the foot with this, but what else is new.
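The observable handover that the thread is discussing, as an added example that is not code from the thread, the kernel or glibc: a process-shared robust mutex lives in MAP_SHARED memory, a child locks it and exits while holding it, and the kernel's walk of the child's robust list marks the owner dead so the parent's lock attempt returns EOWNERDEAD. It assumes Linux with a libc that implements robust, process-shared mutexes (glibc or musl).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns what pthread_mutex_lock() reports in the surviving process once the
 * owner has died: EOWNERDEAD if the kernel handed the lock over, -1 on setup
 * failure. Added example, not code from the thread. */
int observe_owner_death(void)
{
    pthread_mutex_t *m = mmap(NULL, sizeof *m, PROT_READ | PROT_WRITE,
                              MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return -1;
    pthread_mutexattr_t attr;
    pthread_mutexattr_init(&attr);
    pthread_mutexattr_setpshared(&attr, PTHREAD_PROCESS_SHARED);
    pthread_mutexattr_setrobust(&attr, PTHREAD_MUTEX_ROBUST);
    if (pthread_mutex_init(m, &attr) != 0)
        return -1;
    pthread_mutexattr_destroy(&attr);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                 /* child: lock, then die holding it */
        pthread_mutex_lock(m);      /* _exit() skips user-space cleanup, so */
        _exit(0);                   /* only the kernel's robust-list walk acts */
    }
    waitpid(pid, NULL, 0);

    int rc = pthread_mutex_lock(m); /* expected: EOWNERDEAD */
    if (rc == EOWNERDEAD) {
        /* Protected state may be torn; repair it before this call. */
        pthread_mutex_consistent(m);
        pthread_mutex_unlock(m);
    }
    pthread_mutex_destroy(m);
    munmap(m, sizeof *m);
    return rc;
}

int main(void)
{
    int rc = observe_owner_death();
    printf("lock after owner death: %s\n", rc == EOWNERDEAD ? "EOWNERDEAD" : "unexpected");
    return rc == EOWNERDEAD ? 0 : 1;
}
```

The write the kernel performs on exit lands in the shared mapping the dying process already had write access to, which is the point made above; the same mapping is also why a second process can observe it.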