lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 31 Dec 2012 10:20:47 -0500 From: Eric Paris <eparis@...hat.com> To: Cyrill Gorcunov <gorcunov@...nvz.org> Cc: Andrew Vagin <avagin@...allels.com>, Andrey Vagin <avagin@...nvz.org>, linux-kernel@...r.kernel.org, Andrew Morton <akpm@...ux-foundation.org>, Kees Cook <keescook@...omium.org>, Serge Hallyn <serge.hallyn@...onical.com>, "Eric W. Biederman" <ebiederm@...ssion.com>, James Morris <jmorris@...ei.org> Subject: Re: [PATCH] prctl: fix validation of an address On Mon, 2012-12-31 at 19:13 +0400, Cyrill Gorcunov wrote: > On Mon, Dec 31, 2012 at 09:27:14AM -0500, Eric Paris wrote: > > On Mon, 2012-12-31 at 14:14 +0400, Andrew Vagin wrote: > > > On Sun, Dec 30, 2012 at 05:03:07PM -0500, Eric Paris wrote: > > > > On Sat, 2012-12-29 at 15:00 +0400, Andrey Vagin wrote: > > > > > The address should be bigger than dac_mmap_min_addr, because > > > > > a process with CAP_RAWIO can map a vma bellow mmap_min_addr. > > > > > > > > NAK > > > > > > Currently prctl(PR_SET_MM_*, addr, ) returns EINVAL for valid addresses. > > > I think it's a bug. Are you agree? > > > > Can you help me understand how prctl(PR_SET_MM_*, relates to > > checkpoint/restore? My worry here is that somehow this interface could > > Here how we use it (from userspace code) > > ret |= sys_prctl_safe(PR_SET_MM, PR_SET_MM_START_CODE, (long)args->mm.mm_start_code, 0); > ret |= sys_prctl_safe(PR_SET_MM, PR_SET_MM_END_CODE, (long)args->mm.mm_end_code, 0); > ... > > the values of mm.mm_start_code and such are saved in image file and obtained > during checkpoint stage. Note the prctl_set_mm requires the caller to have > CAP_SYS_RESOURCE privilege granted. Is there anything which prevents an unpriv application from changing mm.mm_start_code and mm.mm_end_code in the image, thus taking advantage of the privileged restore code to bypass the mmap_min_addr restrictions? -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists