[security]: kernel ioctl()'s

Chris Evans (chris@ferret.lmh.ox.ac.uk)
Thu, 1 Jul 1999 20:36:56 +0100 (GMT)


I've started looking at what damage a user can cause with ioctl() - a
disgusting sprawling kernel interface if ever I saw one :-)

My first "find" is FIBMAP, an ioctl available on regular files. FIBMAP
will happily pass out of range blocks to lower level filesystems. In the
case of ext2, a user can easily get the kernel to emit copious
ext2_warning messages. Hardly an ideal situation. As a rule kernel printk
warnings should be used for ASSERT events not "any user can cause at will"

I didn't audit how other filesystems behave when passed random block
indexes but I guarantee some of them won't be happy.

In fact, the program below, operating on a 0 length file, rendered my
machine useless as a non-root user. Note however that this is kernel
2.2.5, so the actual crash could well have been due to the sheer volume of
printk()'s triggering a race in printk() and/or the console driver. Takes
30s or so to get going :-)

Is FIBMAP used by anything? It would seem to me to be offering users
read access to internal filesystem structures - and as such should be
restricted to root (CAP_SYS_ADMIN or something).


#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/ioctl.h>

#include <linux/fs.h>

main(int argc, char* const argv[])
int fd;
int block;

fd = open("testfile", O_RDWR);

for (block = 0; block < 1024*1024*1024; block++)
int val = block;
ioctl(fd, FIBMAP, &val);

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/