Re: [syzbot] [fs?] [mm?] KCSAN: data-race in bprm_execve / copy_fs (4)

From: Al Viro
Date: Thu Mar 20 2025 - 21:44:43 EST

Next message: zhenglifeng (A): "Re: [PATCH v5 3/8] ACPI: CPPC: Rename cppc_get_perf() to cppc_get_reg_val()"
Previous message: Greg KH: "Re: [PATCH v2 1/4] rust: device: implement Device::parent()"
In reply to: Kees Cook: "Re: [syzbot] [fs?] [mm?] KCSAN: data-race in bprm_execve / copy_fs (4)"
Next in thread: Kees Cook: "Re: [syzbot] [fs?] [mm?] KCSAN: data-race in bprm_execve / copy_fs (4)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Mar 20, 2025 at 01:09:38PM -0700, Kees Cook wrote:

> What I can imagine here is two failing execs racing a fork:
>
> A start execve
> B fork with CLONE_FS
> C start execve, reach check_unsafe_exec(), set fs->in_exec
> A bprm_execve() failure, clear fs->in_exec
> B copy_fs() increment fs->users.
> C bprm_execve() failure, clear fs->in_exec
>
> But I don't think this is a "real" flaw, though, since the locking is to
> protect a _successful_ execve from a fork (i.e. getting the user count
> right). A successful execve will de_thread, and I don't see any wrong
> counting of fs->users with regard to thread lifetime.
>
> Did I miss something in the analysis? Should we perform locking anyway,
> or add data race annotations, or something else?

Umm... What if C succeeds, ending up with suid sharing ->fs?

Next message: zhenglifeng (A): "Re: [PATCH v5 3/8] ACPI: CPPC: Rename cppc_get_perf() to cppc_get_reg_val()"
Previous message: Greg KH: "Re: [PATCH v2 1/4] rust: device: implement Device::parent()"
In reply to: Kees Cook: "Re: [syzbot] [fs?] [mm?] KCSAN: data-race in bprm_execve / copy_fs (4)"
Next in thread: Kees Cook: "Re: [syzbot] [fs?] [mm?] KCSAN: data-race in bprm_execve / copy_fs (4)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]