Re: [PATCH] ptrace: restore smp_rmb() in __ptrace_may_access()

From: Oleg Nesterov
Date: Thu May 30 2019 - 08:38:34 EST

Next message: Hans de Goede: "Re: [PATCH] iio: accel: add missing sensor for some 2-in-1 based ultrabooks"
Previous message: Christian Brauner: "Re: [PATCH] samples: pidfd: Fix compile error seen if __NR_pidfd_send_signal is undefined"
In reply to: Kees Cook: "Re: [PATCH] ptrace: restore smp_rmb() in __ptrace_may_access()"
Next in thread: Jann Horn: "Re: [PATCH] ptrace: restore smp_rmb() in __ptrace_may_access()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 05/29, Jann Horn wrote:
>
> --- a/kernel/cred.c
> +++ b/kernel/cred.c
> @@ -450,6 +450,15 @@ int commit_creds(struct cred *new)
> if (task->mm)
> set_dumpable(task->mm, suid_dumpable);
> task->pdeath_signal = 0;
> + /*
> + * If a task drops privileges and becomes nondumpable,
> + * the dumpability change must become visible before
> + * the credential change; otherwise, a __ptrace_may_access()
> + * racing with this change may be able to attach to a task it
> + * shouldn't be able to attach to (as if the task had dropped
> + * privileges without becoming nondumpable).
> + * Pairs with a read barrier in __ptrace_may_access().
> + */
> smp_wmb();

Hmm. Now that I tried to actually read this patch I do not understand this wmb().

commit_creds() does rcu_assign_pointer(real_cred) which implies smp_store_release(),
the dumpability change must be visible before ->real_cred is updated without any
additional barriers?

Oleg.

Next message: Hans de Goede: "Re: [PATCH] iio: accel: add missing sensor for some 2-in-1 based ultrabooks"
Previous message: Christian Brauner: "Re: [PATCH] samples: pidfd: Fix compile error seen if __NR_pidfd_send_signal is undefined"
In reply to: Kees Cook: "Re: [PATCH] ptrace: restore smp_rmb() in __ptrace_may_access()"
Next in thread: Jann Horn: "Re: [PATCH] ptrace: restore smp_rmb() in __ptrace_may_access()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]