Re: [PATCH v3] proc: fix races against execve() of /proc/PID/fd**

From: Andrew Morton
Date: Mon Aug 29 2011 - 19:01:29 EST

Next message: Andrew Morton: "Re: [PATCH v3] proc: fix races against execve() of /proc/PID/fd**"
Previous message: Stephen Rothwell: "Re: [PATCH] All Arch: remove linkage for sys_nfsservctl system call"
In reply to: Vasiliy Kulikov: "[PATCH v3] proc: fix races against execve() of /proc/PID/fd**"
Next in thread: Andrew Morton: "Re: [PATCH v3] proc: fix races against execve() of /proc/PID/fd**"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 29 Aug 2011 22:00:11 +0400
Vasiliy Kulikov <segoon@xxxxxxxxxxxx> wrote:

> fd* files are restricted to the task's owner, and other users may not
> get direct access to them. But one may open any of these files and run
> any setuid program, keeping opened file descriptors. As there are
> permission checks on open(), but not on readdir() and read(), operations
> on the kept file descriptors will not be checked. It makes it possible
> to violate procfs permission model.
>
> Reading fdinfo/* may disclosure current fds' position and flags, reading
> directory contents of fdinfo/ and fd/ may disclosure the number of opened
> files by the target task. This information is not sensible per se, but
> it can reveal some private information (like length of a password stored in
> a file) under certain conditions.
>
> Used existing (un)lock_trace functions to check for ptrace_may_access(),
> but instead of using EPERM return code from it use EACCES to be
> consistent with existing proc_pid_follow_link()/proc_pid_readlink()
> return code. If they differ, attacker can guess what fds exist by
> analyzing stat() return code. Patched handlers: stat() for fd/*, stat()
> and read() for fdindo/*, readdir() and lookup() for fd/ and fdinfo/.
>
> + rc = -EACCES;
> + if (lock_trace(task))
> + goto out_task;
> +
>
> ...
>
> + rc = -EACCES;
> + if (lock_trace(task))
> + goto out_task;
> +
>
> ...
>
> + result = ERR_PTR(-EACCES);
> + if (lock_trace(task))
> + goto out;
> +
>
> ...
>
> +
> + retval = -EACCES;
> + if (lock_trace(p))
> + goto out;
> +
>
> ...
>

lock_trace() can return -EPERM, and it can return whatever
mutex_lock_killable() returned (-EINTR, perhaps other things?).

The patch simply overwrites this return value with -EACCES. Is this
deliberate and correct? If so, please explain?

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andrew Morton: "Re: [PATCH v3] proc: fix races against execve() of /proc/PID/fd**"
Previous message: Stephen Rothwell: "Re: [PATCH] All Arch: remove linkage for sys_nfsservctl system call"
In reply to: Vasiliy Kulikov: "[PATCH v3] proc: fix races against execve() of /proc/PID/fd**"
Next in thread: Andrew Morton: "Re: [PATCH v3] proc: fix races against execve() of /proc/PID/fd**"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]