mirror of https://lore.kernel.org/lkml/
 help / color / mirror / Atom feed
From: Peter Zijlstra <peterz@infradead.org>
To: Florian Weimer <fweimer@redhat.com>
Cc: "André Almeida" <andrealmeid@igalia.com>,
	"Thomas Gleixner" <tglx@linutronix.de>,
	"Ingo Molnar" <mingo@redhat.com>,
	"Darren Hart" <dvhart@infradead.org>,
	"Davidlohr Bueso" <dave@stgolabs.net>,
	"Arnd Bergmann" <arnd@arndb.de>,
	linux-kernel@vger.kernel.org, kernel-dev@igalia.com,
	"Vinicius Peixoto" <vpeixoto@lkcamp.dev>
Subject: Re: [PATCH v2 0/4] futex: Drop ROBUST_LIST_LIMIT
Date: Mon, 3 Feb 2025 14:34:01 +0100	[thread overview]
Message-ID: <20250203133401.GF14028@noisy.programming.kicks-ass.net> (raw)
In-Reply-To: <874j1iismp.fsf@oldenburg.str.redhat.com>

On Tue, Jan 28, 2025 at 09:35:26PM +0100, Florian Weimer wrote:

> >> Doesn't this turn a robust mutex overwrite or a TCB overwrite into a
> >> write-anything-anywhere primitive?
> >
> > The robust list is meant to be a private resource, per-process, and
> > this patch only rewrites it after the process exits, so I believe that
> > any changes done in this memory should be safe given that the process
> > will soon disappear anyway, right?
> 
> At least in the glibc implementation, we let the kernel handle robust
> mutex notification on thread exit, and that's observable.
> 
> Beyond that, process-shared robust mutexes exist, too, and those updates
> will be observable, too.

AFAICT we don't allow writing anywhere we couldn't already. The process
shared things should be in shared memory, something we can already write
to.

Notably, the kernel doesn't change address space while walking the
robust list (the robust list doesn't even contain enough information to
do this, even if we wanted to), it can only write to things the dying
task could already write to.

So I don't think there is a security angle here. Yes userspace can shoot
itself in the foot with this, but what else is new.

  reply	other threads:[~2025-02-03 13:34 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-01-27 20:26 André Almeida
2025-01-27 20:26 ` [PATCH v2 1/4] " André Almeida
2025-01-27 20:26 ` [PATCH v2 2/4] selftests/futex: Add ASSERT_ macros André Almeida
2025-01-27 20:26 ` [PATCH v2 3/4] selftests/futex: Create test for robust list André Almeida
2025-01-27 20:26 ` [PATCH v2 4/4] selftests/futex: Create tests for long and circular robust lists André Almeida
2025-01-28  7:50 ` [PATCH v2 0/4] futex: Drop ROBUST_LIST_LIMIT Florian Weimer
2025-01-28 14:28   ` André Almeida
2025-01-28 20:35     ` Florian Weimer
2025-02-03 13:34       ` Peter Zijlstra [this message]
2025-02-03 13:29   ` Peter Zijlstra
2025-02-03 14:16     ` André Almeida

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250203133401.GF14028@noisy.programming.kicks-ass.net \
    --to=peterz@infradead.org \
    --cc=andrealmeid@igalia.com \
    --cc=arnd@arndb.de \
    --cc=dave@stgolabs.net \
    --cc=dvhart@infradead.org \
    --cc=fweimer@redhat.com \
    --cc=kernel-dev@igalia.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@redhat.com \
    --cc=tglx@linutronix.de \
    --cc=vpeixoto@lkcamp.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Powered by JetHome