Re: [PATCH v2] proc: fix races against execve() of /proc/PID/fd**

From: Vasiliy Kulikov
Date: Sat Aug 27 2011 - 15:09:00 EST

Next message: Florian Tobias Schandinat: "[PATCH] MAINTAINERS: change framebuffer maintainer"
Previous message: Ian Molton: "Re: [PATCH] mmc: tmio: eliminate unused variable 'mmc' warning"
In reply to: Vasiliy Kulikov: "[PATCH v2] proc: fix races against execve() of /proc/PID/fd**"
Next in thread: Cyrill Gorcunov: "Re: [PATCH v2] proc: fix races against execve() of /proc/PID/fd**"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Aug 27, 2011 at 23:01 +0400, Vasiliy Kulikov wrote:
> fd* files are restricted to the task's owner, and other users may not
> get direct access to them. But one may open any of these files and run
> any setuid program, keeping opened file descriptors. As there are
> permission checks on open(), but not on stat(), readdir(), and read(),
> operations on the kept file descriptors will not be checked. It makes
> it possible to violate procfs permission model.
>
> Reading fdinfo/* may disclosure current fds' position and flags, reading
> directory contents of fdinfo/ and fd/ may disclosure the number of opened
> files by the target task. This information is not sensible per se, but
> it can reveal some private information (like length of a password stored in
> a file) under certain conditions.
>
> Used existing (un)lock_trace functions to check for ptrace_may_access(),
> but instead of using EPERM return code from it use EACCES to be
> consistent with existing proc_pid_follow_link()/proc_pid_readlink()
> return codes. If they'd differ, attacker can guess what fds exist by
> analyzing stat() return code. Patched handlers: stat() for fd/*, stat()
> and read() for fdindo/*, readdir() and lookup() for fd/ and fdinfo/.
>
> v2 - Rebased to v3.1-rc3.
> - Handle stat() case.
>
> CC: Stable Tree <stable@xxxxxxxxxx>
> Signed-off-by: Vasiliy Kulikov <segoon@xxxxxxxxxxxx>
> ---
...
> @@ -2187,6 +2243,7 @@ static int proc_fd_permission(struct inode *inode, int mask)
> /*
> * proc directories can do almost nothing..
> */
> +
> static const struct inode_operations proc_fd_inode_operations = {
> .lookup = proc_lookupfd,
> .permission = proc_fd_permission,

Oops, odd blank line. Andrew, should I resend the patch to fix it?

Thanks,

--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Florian Tobias Schandinat: "[PATCH] MAINTAINERS: change framebuffer maintainer"
Previous message: Ian Molton: "Re: [PATCH] mmc: tmio: eliminate unused variable 'mmc' warning"
In reply to: Vasiliy Kulikov: "[PATCH v2] proc: fix races against execve() of /proc/PID/fd**"
Next in thread: Cyrill Gorcunov: "Re: [PATCH v2] proc: fix races against execve() of /proc/PID/fd**"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]