| Message ID | 20180827174722.3723-4-jlayton@kernel.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | exec: fix passing of file locks across execve in multithreaded processes | expand |
On Mon, 2018-08-27 at 13:47 -0400, Jeff Layton wrote: > POSIX mandates that open fds and their associated file locks should be > preserved across an execve. This works, unless the process is > multithreaded at the time that execve is called. > > In that case, we'll end up unsharing the files_struct but the locks will > still have their fl_owner set to the address of the old one. Eventually, > when the other threads die and the last reference to the old > files_struct is put, any POSIX locks get torn down since it looks like > a close occurred on them. > > The result is that all of your open files will be intact with none of > the locks you held before execve. The simple answer to this is "use OFD > locks", but this is a nasty surprise and it violates the spec. > > Fix this by doing unshare_files later during exec, after we've already > killed off the other threads in the process. This helps ensure that we > only unshare the files_struct during exec when it is truly shared with > other processes. > > Note that because the unshare_files call is now done just after > de_thread, we need a mechanism to pass the displaced files_struct back > up to __do_execve_file. This is done via a new displaced_files field > inside the linux_binprm. > > Cc: Eric W. Biederman <ebiederm@xmission.com> > Reported-by: Daniel P. BerrangĂ© <berrange@redhat.com> > Signed-off-by: Jeff Layton <jlayton@kernel.org> > --- > fs/exec.c | 19 +++++++++---------- > include/linux/binfmts.h | 1 + > 2 files changed, 10 insertions(+), 10 deletions(-) > > diff --git a/fs/exec.c b/fs/exec.c > index ca25f805ebad..a45b0cae5817 100644 > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -1262,6 +1262,10 @@ int flush_old_exec(struct linux_binprm * bprm) > if (retval) > goto out; > > + retval = unshare_files(&bprm->displaced_files); > + if (retval) > + goto out; > + > /* > * Must be called _before_ exec_mmap() as bprm->mm is > * not visibile until then. This also enables the update > @@ -1712,8 +1716,7 @@ static int __do_execve_file(int fd, struct filename *filename, > int flags, struct file *file) > { > char *pathbuf = NULL; > - struct linux_binprm *bprm; > - struct files_struct *displaced; > + struct linux_binprm *bprm = NULL; > int retval; > > if (IS_ERR(filename)) > @@ -1735,10 +1738,6 @@ static int __do_execve_file(int fd, struct filename *filename, > * further execve() calls fail. */ > current->flags &= ~PF_NPROC_EXCEEDED; > > - retval = unshare_files(&displaced); > - if (retval) > - goto out_ret; > - > retval = -ENOMEM; > bprm = kzalloc(sizeof(*bprm), GFP_KERNEL); > if (!bprm) > @@ -1831,8 +1830,8 @@ static int __do_execve_file(int fd, struct filename *filename, > kfree(pathbuf); > if (filename) > putname(filename); > - if (displaced) { > - put_files_struct(displaced); > + if (bprm->displaced_files) { > + put_files_struct(bprm->displaced_files); Note that this is broken (bprm is freed above this point). It's simple enough to fix, but I'll hold off on resending until I hear some feedback on the general approach. > } else { > spin_lock(¤t->files->file_lock); > current->files->in_exec = false; > @@ -1855,8 +1854,8 @@ static int __do_execve_file(int fd, struct filename *filename, > kfree(pathbuf); > > out_files: > - if (displaced) { > - reset_files_struct(displaced); > + if (bprm && bprm->displaced_files) { > + reset_files_struct(bprm->displaced_files); > } else { > spin_lock(¤t->files->file_lock); > current->files->in_exec = false; > diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h > index c05f24fac4f6..d7ec384bb1b0 100644 > --- a/include/linux/binfmts.h > +++ b/include/linux/binfmts.h > @@ -49,6 +49,7 @@ struct linux_binprm { > unsigned int taso:1; > #endif > unsigned int recursion_depth; /* only for search_binary_handler() */ > + struct files_struct * displaced_files; > struct file * file; > struct cred *cred; /* new credentials */ > int unsafe; /* how unsafe this exec is (mask of LSM_UNSAFE_*) */
diff --git a/fs/exec.c b/fs/exec.c index ca25f805ebad..a45b0cae5817 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1262,6 +1262,10 @@ int flush_old_exec(struct linux_binprm * bprm) if (retval) goto out; + retval = unshare_files(&bprm->displaced_files); + if (retval) + goto out; + /* * Must be called _before_ exec_mmap() as bprm->mm is * not visibile until then. This also enables the update @@ -1712,8 +1716,7 @@ static int __do_execve_file(int fd, struct filename *filename, int flags, struct file *file) { char *pathbuf = NULL; - struct linux_binprm *bprm; - struct files_struct *displaced; + struct linux_binprm *bprm = NULL; int retval; if (IS_ERR(filename)) @@ -1735,10 +1738,6 @@ static int __do_execve_file(int fd, struct filename *filename, * further execve() calls fail. */ current->flags &= ~PF_NPROC_EXCEEDED; - retval = unshare_files(&displaced); - if (retval) - goto out_ret; - retval = -ENOMEM; bprm = kzalloc(sizeof(*bprm), GFP_KERNEL); if (!bprm) @@ -1831,8 +1830,8 @@ static int __do_execve_file(int fd, struct filename *filename, kfree(pathbuf); if (filename) putname(filename); - if (displaced) { - put_files_struct(displaced); + if (bprm->displaced_files) { + put_files_struct(bprm->displaced_files); } else { spin_lock(¤t->files->file_lock); current->files->in_exec = false; @@ -1855,8 +1854,8 @@ static int __do_execve_file(int fd, struct filename *filename, kfree(pathbuf); out_files: - if (displaced) { - reset_files_struct(displaced); + if (bprm && bprm->displaced_files) { + reset_files_struct(bprm->displaced_files); } else { spin_lock(¤t->files->file_lock); current->files->in_exec = false; diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h index c05f24fac4f6..d7ec384bb1b0 100644 --- a/include/linux/binfmts.h +++ b/include/linux/binfmts.h @@ -49,6 +49,7 @@ struct linux_binprm { unsigned int taso:1; #endif unsigned int recursion_depth; /* only for search_binary_handler() */ + struct files_struct * displaced_files; struct file * file; struct cred *cred; /* new credentials */ int unsafe; /* how unsafe this exec is (mask of LSM_UNSAFE_*) */
POSIX mandates that open fds and their associated file locks should be preserved across an execve. This works, unless the process is multithreaded at the time that execve is called. In that case, we'll end up unsharing the files_struct but the locks will still have their fl_owner set to the address of the old one. Eventually, when the other threads die and the last reference to the old files_struct is put, any POSIX locks get torn down since it looks like a close occurred on them. The result is that all of your open files will be intact with none of the locks you held before execve. The simple answer to this is "use OFD locks", but this is a nasty surprise and it violates the spec. Fix this by doing unshare_files later during exec, after we've already killed off the other threads in the process. This helps ensure that we only unshare the files_struct during exec when it is truly shared with other processes. Note that because the unshare_files call is now done just after de_thread, we need a mechanism to pass the displaced files_struct back up to __do_execve_file. This is done via a new displaced_files field inside the linux_binprm. Cc: Eric W. Biederman <ebiederm@xmission.com> Reported-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Jeff Layton <jlayton@kernel.org> --- fs/exec.c | 19 +++++++++---------- include/linux/binfmts.h | 1 + 2 files changed, 10 insertions(+), 10 deletions(-)