Bug ID 1221867
Summary Can read /proc/pid/exe but test -r /proc/pid/exe fails
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.4
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Kernel
Assignee kernel-bugs@opensuse.org
Reporter tdevries@suse.com
QA Contact qa-bugs@suse.de
Target Milestone ---
Found By ---
Blocker ---

Consider the following script:
...
$ cat try.sh
#!/bin/sh

kill -9 $(pidof mysleep) 2> /dev/null

cp /usr/bin/sleep mysleep
md5sum mysleep
./mysleep 10000 &

(
    sleep 1
    pid=$(pidof mysleep)
    echo "PID: $pid"
    test -r /proc/$pid/exe
    echo $?
    md5sum /proc/$pid/exe
    kill -9 $(pidof mysleep) 2> /dev/null
)
...

If we run it, we get:
...
$ ./try.sh
6a85b2e53dce34ce2c35129b5b20c50b  mysleep
PID: 4462
0
6a85b2e53dce34ce2c35129b5b20c50b  /proc/4462/exe
...

So:
- we copy sleep, calculate its md5sum, run it, and get the pid
- we check if we can read /proc/$pid/exe
- we calculate the md5sum of /proc/$pid/exe
and we find that:
- we can read /proc/$pid/exe, and 
- we are able to calculate the same md5sum for /proc/$pid/exe.

Now consider:
...
$ cat ./try2.sh
#!/bin/sh

sudo \
    -E \
    capsh \
    --caps="cap_setpcap,cap_setuid,cap_setgid+ep cap_sys_ptrace+eip" \
    --keep=1 \
    --user=$USER \
    --addamb="cap_sys_ptrace" \
    --shell=./try.sh --
...

This time, we get:
...
$ ./try2.sh
[sudo] password for root: 
6a85b2e53dce34ce2c35129b5b20c50b  mysleep
PID: 4536
1
6a85b2e53dce34ce2c35129b5b20c50b  /proc/4536/exe
...

So, this seems contradictory:
- according to test -r, we cannot read /proc/$pid/exe
- but according to md5sum, we can read /proc/$pid/exe

This hit in gdb ( https://sourceware.org/bugzilla/show_bug.cgi?id=31528 ),
where we decide not to try to open /proc/$pid/exe to get the symbols of an exec
we've attached to, because first access(..., R_OK) is called to determine
whether gdb can open it, which replies no.  If we skip the access check, we're
able to read the symbols and the test-case passes.

However, there's the possibility that this is a kernel bug:
- if access is supposed to be unavailable, but in fact it is, it looks like a
  bug to me
- if access is supposed to be available, but we don't advertise that through
  access, it might be a bug, or it might be an inconvenience that ideally would
  be documented.

I came across https://bugzilla.kernel.org/show_bug.cgi?id=211593 , which I
think comes from https://bugzilla.suse.com/show_bug.cgi?id=1216352 , which are
probably related.

From what I understand from reading those two PRs, I probably need to fix gdb
to avoid using readlink for /proc/$pid/exe.

Regardless, I would like to understand if I stumbled upon a kernel bug and
whether it needs filing/fixing upstream in some form or another.

This is with openSUSE Leap 15.4, with a recent kernel:
...
$ uname -a
Linux xerxes 6.8.1-lp155.4.gd922afa-default #1 SMP PREEMPT_DYNAMIC Tue Mar 19 07:32:20 UTC 2024 (d922afa) x86_64 x86_64 x86_64 GNU/Linux
...

