Re: Possible security hole? [was: verify_area(...) possible problem]

Andi Kleen (ak@muc.de)
Mon, 19 Apr 1999 19:54:27 +0200


On Sat, Apr 17, 1999 at 05:17:49PM +0200, Ralf Baechle wrote:
> On Sat, Apr 17, 1999 at 12:43:45AM +0200, Jamie Lokier wrote:
>
> > Andi, nice thinking.
> >
> > Can this (the current behaviour) be a security hole?
> > I'm thinking that two cloned threads could, on an i386 with the
> > broken WP protection:
> >
> > (a) read a file to hack to bring it into cache, e.g. /bin/su
> > (b) does a shared writable mapping of some writable file that is not in cache
> > (use your imagination)
> > (c) thread #2 spins checking a flag
> > (d) thread #1 writes the flag and then writes to the writable mapping
> > (e) thread #1 blocks to pull in the page
> > (f) thread #2 sees the flag and maps /bin/su into place (read only)
> > (g) the page comes in though the mapping is no longer present
> > (h) thread #1 unblocks and overwrites a page of /bin/su
> > (i) run /bin/su, get root with no password check, H940R D00D2 R001
> > --> there isn't even any evidence on disk
> >
> > This will not happen if, when thread #1 blocks, the remapping is blocked
> > by a lock. But I'm not sure, is it? I don't have an i386 to try it on.
>
> This is a known problem, it is pretty much similar to what happened under 2.0
> for all all architectures, not just the i386 and one of reasons for the new
> user space access stuff introduced from 2.1.4 on. Now that only the 386 is still
> affected just nobody bothered because on the 386 there are other funnies left
> which may make running a system used by possibly hostile users a bad idea.

s/386/some very early stepping 386, which are only a small fraction
of the existing 386ers/.

So it is really not a big problem.

-Andi

-- 
This is like TV. I don't like TV.

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/