lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Tue, 5 Nov 2013 13:06:23 -0500 (EST)
From:	Vince Weaver <vincent.weaver@...ne.edu>
To:	Ingo Molnar <mingo@...nel.org>
cc:	Vince Weaver <vincent.weaver@...ne.edu>,
	linux-kernel@...r.kernel.org, Steven Rostedt <rostedt@...dmis.org>,
	Peter Zijlstra <peterz@...radead.org>,
	Ingo Molnar <mingo@...hat.com>,
	Arnaldo Carvalho de Melo <acme@...stprotocols.net>,
	Dave Jones <davej@...hat.com>,
	Frederic Weisbecker <fweisbec@...il.com>,
	Jiri Olsa <jolsa@...hat.com>
Subject: Re: perf/ftrace lockup on 3.12-rc6 with trigger code


short summary: the check for root-only ftrace use is wrong


OK, so after wasting a lot of time on this, the underlying bug is just
that with the settings chosen by the fuzzer, the kernel gets stuck.
The function tracer keeps the CPU busy until interrupted by an interrupt, 
which is then traced, but then another interrupt comes, etc, etc, and the 
code never makes progress outside of the kernel.

So I was going to make the argument that this interface should be made 
root only, because it is too easy for a regular user to trigger this and
DoS a machine.

But I did some digging, and the initial commit for 3.4 had this:

commit ced39002f5ea736b716ae233fb68b26d59783912
Author: Jiri Olsa <jolsa@...hat.com>
Date:   Wed Feb 15 15:51:52 2012 +0100

....

diff --git a/kernel/trace/trace_event_perf.c b/kernel/trace/trace_event_perf.c
index d72af0b..fdeeb5c 100644
--- a/kernel/trace/trace_event_perf.c
+++ b/kernel/trace/trace_event_perf.c
@@ -24,6 +24,11 @@ static int   total_ref_count;
 static int perf_trace_event_perm(struct ftrace_event_call *tp_event,
                                 struct perf_event *p_event)
 {
+       /* The ftrace function trace is allowed only for root. */
+       if (ftrace_event_is_function(tp_event) &&
+           perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
+               return -EPERM;
+

The intention was to only allow root, but the check is wrong.

The poorly named
	perf_paranoid_kernel()

does

static inline bool perf_paranoid_kernel(void)
{
         return sysctl_perf_event_paranoid > 1;
}

But the "default" setting for paranoid is "1" (user and kernel access 
allowed).

So the ftrace check never triggers EPERM unless someone has configured 
paranoid to be the higher "2" value (user perf use only).

So this check should be fixed and propogated to stable and this bug that 
keeps crashing all the fuzzers will become a much less critical "root 
only" bug.

Vince
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ