|
Message-ID: <20110715063801.GC3166@albatros> Date: Fri, 15 Jul 2011 10:38:01 +0400 From: Vasiliy Kulikov <segoon@...nwall.com> To: Linus Torvalds <torvalds@...ux-foundation.org>, Andrew Morton <akpm@...ux-foundation.org> Cc: linux-kernel@...r.kernel.org, viro@...iv.linux.org.uk, rientjes@...gle.com, wilsons@...rt.ca, security@...nel.org, kernel-hardening@...ts.openwall.com Subject: Re: [PATCH v3] proc: fix a race in do_io_accounting() Hi Linus, On Wed, Jul 06, 2011 at 20:34 +0400, Vasiliy Kulikov wrote: > If inode's mode permits to open /proc/PID/io and the resulted file > descriptor is kept across execve() of setuid or similar binary, the > ptrace_may_access() check tries to prevent using this fd against the > task with escalated privileges. Unfortunately, there is a race of the > check against execve(). If execve() is processed after the ptrace > check, but before the actual io information gathering, io statistics > will be gathered from the privileged process. At least in theory this > might lead to gathering sensible information (like ssh/ftp password > length) that wouldn't be available otherwise. > > Holding task->signal->cred_guard_mutex while gathering the io > information should protect against the race. > > The order of locking is similar to the one inside of > ptrace_attach(): first goes cred_guard_mutex, then lock_task_sighand(). Any problems with the patch? > v3 - better description. > v2 - use mutex_lock_killable() instead of mutex_lock(). > > Signed-off-by: Vasiliy Kulikov <segoon@...nwall.com> > Cc: stable@...nel.org > --- > fs/proc/base.c | 16 +++++++++++++--- > 1 files changed, 13 insertions(+), 3 deletions(-) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index 083a4f2..4b9f159 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -2711,9 +2711,16 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole) > { > struct task_io_accounting acct = task->ioac; > unsigned long flags; > + int result; > > - if (!ptrace_may_access(task, PTRACE_MODE_READ)) > - return -EACCES; > + result = mutex_lock_killable(&task->signal->cred_guard_mutex); > + if (result) > + return result; > + > + if (!ptrace_may_access(task, PTRACE_MODE_READ)) { > + result = -EACCES; > + goto out_unlock; > + } > > if (whole && lock_task_sighand(task, &flags)) { > struct task_struct *t = task; > @@ -2724,7 +2731,7 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole) > > unlock_task_sighand(task, &flags); > } > - return sprintf(buffer, > + result = sprintf(buffer, > "rchar: %llu\n" > "wchar: %llu\n" > "syscr: %llu\n" > @@ -2739,6 +2746,9 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole) > (unsigned long long)acct.read_bytes, > (unsigned long long)acct.write_bytes, > (unsigned long long)acct.cancelled_write_bytes); > +out_unlock: > + mutex_unlock(&task->signal->cred_guard_mutex); > + return result; > } > > static int proc_tid_io_accounting(struct task_struct *task, char *buffer) > -- > 1.7.0.4 > -- Vasiliy Kulikov http://www.openwall.com - bringing security into open computing environments
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.