Re: [Security] [vendor-sec] [BUG/PATCH/RFC] Oops while completingasync USB via usbdevio

From: Pete Zaitcev
Date: Thu Oct 13 2005 - 18:01:24 EST

On Tue, 27 Sep 2005 17:58:00 +0100, Alan Cox <alan@xxxxxxxxxxxxxxxxxxx> wrote:
> On Maw, 2005-09-27 at 09:09 -0700, Linus Torvalds wrote:

> > > root-owned), then the urb completes, and kill_proc_info() sends the
> > > signal to the unsuspecting process.
> >
> > Ehh.. pid's don't get re-used until they wrap.
> Which doesn't take very long to arrange. Relying on pids is definitely a
> security problem we don't want to make worse than it already is.

The whole application cannot exit and leave URBs running behind,
because usbdevio_release() blocks until they are terminated.
Only separate threads can exit.

So, the only thing a malicious user can do is something like this:
- open /proc/bus/usb/BUS/DEV
- submit URB
- fork
- exit parent thread
- wait in the child until PIDs wrap very close to former parent
- exit and hope that someone forks while the exit is processing

Right? But if so, why don't we do something like this:

as->pid = current->pid;
as->tgid = current->tgid;
__kill_same_process(as->pid, as->tgid);

/* DO NOT USE IN DRIVERS (other than USB core) */
__kill_same_process(pid_t pid, pid_t tgid) {
task_struct *we, *maybe_parent;
we = find_task_by_pid(pid);
maybe_parent = find_task_by_tgid(pid);
if (maybe_parent != NULL && we->parent == maybe_parent)
send_sig_info(sig, info, we);

This does not need to check any IDs, I think. Then we do not have to
ponder if effective or real is more appropriate, and if any sort of
new-fanged security thingies like capabilities apply.

-- Pete
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at