|
Message-ID: <20110827190812.GA3804@albatros> Date: Sat, 27 Aug 2011 23:08:12 +0400 From: Vasiliy Kulikov <segoon@...nwall.com> To: Andrew Morton <akpm@...ux-foundation.org> Cc: kernel-hardening@...ts.openwall.com, Al Viro <viro@...iv.linux.org.uk>, David Rientjes <rientjes@...gle.com>, Stephen Wilson <wilsons@...rt.ca>, KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>, linux-kernel@...r.kernel.org, security@...nel.org Subject: Re: [PATCH v2] proc: fix races against execve() of /proc/PID/fd** On Sat, Aug 27, 2011 at 23:01 +0400, Vasiliy Kulikov wrote: > fd* files are restricted to the task's owner, and other users may not > get direct access to them. But one may open any of these files and run > any setuid program, keeping opened file descriptors. As there are > permission checks on open(), but not on stat(), readdir(), and read(), > operations on the kept file descriptors will not be checked. It makes > it possible to violate procfs permission model. > > Reading fdinfo/* may disclosure current fds' position and flags, reading > directory contents of fdinfo/ and fd/ may disclosure the number of opened > files by the target task. This information is not sensible per se, but > it can reveal some private information (like length of a password stored in > a file) under certain conditions. > > Used existing (un)lock_trace functions to check for ptrace_may_access(), > but instead of using EPERM return code from it use EACCES to be > consistent with existing proc_pid_follow_link()/proc_pid_readlink() > return codes. If they'd differ, attacker can guess what fds exist by > analyzing stat() return code. Patched handlers: stat() for fd/*, stat() > and read() for fdindo/*, readdir() and lookup() for fd/ and fdinfo/. > > v2 - Rebased to v3.1-rc3. > - Handle stat() case. > > CC: Stable Tree <stable@...nel.org> > Signed-off-by: Vasiliy Kulikov <segoon@...nwall.com> > --- ... > @@ -2187,6 +2243,7 @@ static int proc_fd_permission(struct inode *inode, int mask) > /* > * proc directories can do almost nothing.. > */ > + > static const struct inode_operations proc_fd_inode_operations = { > .lookup = proc_lookupfd, > .permission = proc_fd_permission, Oops, odd blank line. Andrew, should I resend the patch to fix it? Thanks, -- Vasiliy Kulikov http://www.openwall.com - bringing security into open computing environments
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.