|
Message-ID: <66946BDB.4070709@gmail.com> Date: Sun, 14 Jul 2024 19:22:51 -0500 From: Jacob Bachmeyer <jcb62281@...il.com> To: oss-security@...ts.openwall.com Subject: Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Steffen Nurpmeso wrote: > [...] > > Some findings: > . I note that the mentioned files are writable by only root (and > i would assume MAP_DENYWRITE to only work if i could do so > myself). > I believe that most executables are writable only by root, but available to unprivileged users. Since the purpose of MAP_DENYWRITE seems to have been ensuring that executables cannot change out from underneath running programs, it would need to work when unprivileged users map the file; thus the DoS problem. > . Capabilities have become more fine-grained. > . I always whimper when i have to rm(1) a running executable before > placing an updated variant on Linux, on BSDs i simply over-cp(1) > (and i do not understand as long as one gets either the one or > the other when executing the path). > Simple solution: - write the new executable under a temporary name - use link(2) to create a new name for the existing executable - use rename(2) to atomically replace the existing executable - use unlink(2) to remove the old version after any needed checks You can dispense with link(2) and unlink(2) if you do not want to preserve a backup of the old executable. Using this method will change the executable's inode number (meaning that it really is a different file) and that means that the old version can remain on disk for as long as it remains in use, even after its last name has been removed. -- Jacob
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.