Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.DEB.2.00.1109271117200.17876@chino.kir.corp.google.com>
Date: Tue, 27 Sep 2011 11:21:22 -0700 (PDT)
From: David Rientjes <rientjes@...gle.com>
To: Vasiliy Kulikov <segoon@...nwall.com>
cc: kernel-hardening@...ts.openwall.com,
        Christoph Lameter <cl@...ux-foundation.org>,
        Pekka Enberg <penberg@...nel.org>, Matt Mackall <mpm@...enic.com>,
        linux-mm@...ck.org, Kees Cook <kees@...ntu.com>,
        Dave Hansen <dave@...ux.vnet.ibm.com>, Valdis.Kletnieks@...edu,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Alan Cox <alan@...ux.intel.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] mm: restrict access to slab files under procfs and
 sysfs

On Tue, 27 Sep 2011, Vasiliy Kulikov wrote:

> Historically /proc/slabinfo and files under /sys/kernel/slab/* have
> world read permissions and are accessible to the world.  slabinfo
> contains rather private information related both to the kernel and
> userspace tasks.  Depending on the situation, it might reveal either
> private information per se or information useful to make another
> targeted attack.  Some examples of what can be learned by
> reading/watching for /proc/slabinfo entries:
> 
> 1) dentry (and different *inode*) number might reveal other processes fs
> activity.  The number of dentry "active objects" doesn't strictly show
> file count opened/touched by a process, however, there is a good
> correlation between them.  The patch "proc: force dcache drop on
> unauthorized access" relies on the privacy of dentry count.
> 
> 2) different inode entries might reveal the same information as (1), but
> these are more fine granted counters.  If a filesystem is mounted in a
> private mount point (or even a private namespace) and fs type differs from
> other mounted fs types, fs activity in this mount point/namespace is
> revealed.  If there is a single ecryptfs mount point, the whole fs
> activity of a single user is revealed.  Number of files in ecryptfs
> mount point is a private information per se.
> 
> 3) fuse_* reveals number of files / fs activity of a user in a user
> private mount point.  It is approx. the same severity as ecryptfs
> infoleak in (2).
> 
> 4) sysfs_dir_cache similar to (2) reveals devices' addition/removal,
> which can be otherwise hidden by "chmod 0700 /sys/".  With 0444 slabinfo
> the precise number of sysfs files is known to the world.
> 
> 5) buffer_head might reveal some kernel activity.  With other
> information leaks an attacker might identify what specific kernel
> routines generate buffer_head activity.
> 
> 6) *kmalloc* infoleaks are very situational.  Attacker should watch for
> the specific kmalloc size entry and filter the noise related to the unrelated
> kernel activity.  If an attacker has relatively silent victim system, he
> might get rather precise counters.
> 
> Additional information sources might significantly increase the slabinfo
> infoleak benefits.  E.g. if an attacker knows that the processes
> activity on the system is very low (only core daemons like syslog and
> cron), he may run setxid binaries / trigger local daemon activity /
> trigger network services activity / await sporadic cron jobs activity
> / etc. and get rather precise counters for fs and network activity of
> these privileged tasks, which is unknown otherwise.
> 
> 
> Also hiding slabinfo and /sys/kernel/slab/* is a one step to complicate
> exploitation of kernel heap overflows (and possibly, other bugs).  The
> related discussion:
> 
> http://thread.gmane.org/gmane.linux.kernel/1108378
> 
> 
> To keep compatibility with old permission model where non-root
> monitoring daemon could watch for kernel memleaks though slabinfo one
> should do:
> 
>     groupadd slabinfo
>     usermod -a -G slabinfo $MONITOR_USER
> 
> And add the following commands to init scripts (to mountall.conf in
> Ubuntu's upstart case):
> 
>     chmod g+r /proc/slabinfo /sys/kernel/slab/*/*
>     chgrp slabinfo /proc/slabinfo /sys/kernel/slab/*/*
> 
> Signed-off-by: Vasiliy Kulikov <segoon@...nwall.com>
> Reviewed-by: Kees Cook <kees@...ntu.com>
> Reviewed-by: Dave Hansen <dave@...ux.vnet.ibm.com>
> CC: Christoph Lameter <cl@...two.org>
> CC: Pekka Enberg <penberg@...helsinki.fi>
> CC: Valdis.Kletnieks@...edu
> CC: Linus Torvalds <torvalds@...ux-foundation.org>
> CC: David Rientjes <rientjes@...gle.com>
> CC: Alan Cox <alan@...ux.intel.com>

Acked-by: David Rientjes <rientjes@...gle.com>

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.