Quoting Kees Cook ([email protected]): > On Wed, Nov 29, 2017 at 10:20 AM, Serge E. Hallyn <[email protected]> wrote: > > Quoting Kees Cook ([email protected]): > >> While the defense-in-depth RLIMIT_STACK limit on setuid processes was > >> protected against races from other threads calling setrlimit(), I missed > >> protecting it against races from external processes calling prlimit(). > >> This adds locking around the change and makes sure that rlim_max is set > >> too. > >> > >> Reported-by: Ben Hutchings <[email protected]> > >> Reported-by: Brad Spengler <[email protected]> > >> Fixes: 64701dee4178e ("exec: Use sane stack rlimit under secureexec") > >> Cc: [email protected] > >> Cc: James Morris <[email protected]> > >> Cc: Serge Hallyn <[email protected]> > > > > Acked-by: Serge Hallyn <[email protected]> > > Thanks! > > > > > The only thing i'm wondering is in do_prlimit(): > > > > . 1480 if (new_rlim) { > > . 1481 if (new_rlim->rlim_cur > new_rlim->rlim_max) > > . 1482 return -EINVAL; > > > > that bit is done not under the lock. Does that still allow a > > race, if this check is done before the below block, and then the > > rest proceeds after? > > > > I *think* not, because later in do_prlimit() it will return -EPERM if > > > > . 1500 if (new_rlim->rlim_max > rlim->rlim_max && > > . 1501 !capable(CAP_SYS_RESOURCE)) > > > > Although rlim is gathered before the lock, but that is a struct * > > so should be ok? > > I stared at this for a while too. I think it's okay because the max is > checked under the lock, so the max can't be raced to be raised. The > cur value could get raced, though, but I don't think that's a problem, > since it's the "soft" limit.
Oh, right, and so if soft > hard that will just end up ignored... ok.
