Re: [Security] [vendor-sec] [BUG/PATCH/RFC] Oops while completingasync USB via usbdevio

[Pete Zaitcev]

On Tue, 27 Sep 2005 17:58:00 +0100, Alan Cox <alan@xxxxxxxxxxxxxxxxxxx> wrote:
> On Maw, 2005-09-27 at 09:09 -0700, Linus Torvalds wrote:

> > > root-owned), then the urb completes, and kill_proc_info() sends the
> > > signal to the unsuspecting process.
> > 
> > Ehh.. pid's don't get re-used until they wrap.
> 
> Which doesn't take very long to arrange. Relying on pids is definitely a
> security problem we don't want to make worse than it already is. 

The whole application cannot exit and leave URBs running behind,
because usbdevio_release() blocks until they are terminated.
Only separate threads can exit.

So, the only thing a malicious user can do is something like this:
 - open /proc/bus/usb/BUS/DEV
 - submit URB
 - fork
 - exit parent thread
 - wait in the child until PIDs wrap very close to former parent
 - exit and hope that someone forks while the exit is processing

Right? But if so, why don't we do something like this:

submit_urb()
   as->pid = current->pid;
   as->tgid = current->tgid;
.....
async_complete()
   __kill_same_process(as->pid, as->tgid);

/* DO NOT USE IN DRIVERS (other than USB core) */
__kill_same_process(pid_t pid, pid_t tgid) {
   task_struct *we, *maybe_parent;
   lock(&tasklist_lock);
   we = find_task_by_pid(pid);
   maybe_parent = find_task_by_tgid(pid);
   if (maybe_parent != NULL && we->parent == maybe_parent)
      send_sig_info(sig, info, we);
   unlock(&tasklist_lock);
}

This does not need to check any IDs, I think. Then we do not have to
ponder if effective or real is more appropriate, and if any sort of
new-fanged security thingies like capabilities apply.

-- Pete
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/