lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 4 Feb 2014 15:10:25 -0500
From:	Steven Rostedt <rostedt@...dmis.org>
To:	Oleg Nesterov <oleg@...hat.com>
Cc:	LKML <linux-kernel@...r.kernel.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Al Viro <viro@...IV.linux.org.uk>,
	David Smith <dsmith@...hat.com>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	Igor Zhbanov <i.zhbanov@...sung.com>,
	Christoph Hellwig <hch@...radead.org>,
	Paul Menage <menage@...gle.com>,
	David Howells <dhowells@...hat.com>
Subject: Re: [RFC][PATCH] exec: Fix use after free of tracepoint
 trace_sched_process_exec

On Tue, 4 Feb 2014 20:00:07 +0100
Oleg Nesterov <oleg@...hat.com> wrote:

> On 02/04, Steven Rostedt wrote:
> >
> > Now to fix this we need to save the filename before calling
> > search_binary_handler(). But we don't want to save it if we are not
> > tracing. Why slow everyone else down?
> 
> Yes, but it would be much simpler to dup filename unconditionally.

I was hoping not to add more work to exec, for the purpose if tracing
is enabled.

> 
> Note also that in this case we can kill linux_binprm->tcomm[] and
> simplify filename_to_taskname().
> 
> > This works, but is rather ugly.
> 
> Yes ;)
> 
> > Looking for any other suggestions here.
> 
> Perhaps we can change flush_old_exec() to do
> 
> 	if (!current->mm) {
> 		bprm->filename = kstrdup(bprm->filename);
> 		if (bprm->filename)
> 			bprm->filename_was_dupped = true; // for free_bprm()
> 		else
> 			bprm->filename = "//enomem";
> 	}
> 
> This won't penalize the normal exec, and this should fix the problem
> afaics.

Don't forget to add the free. And in any case, we added a branch
conditional. Yes, I'm that anal.

> 
> Perhaps, instead of "//enomem" flush_old_exec() should simply fail,
> in this case we can kill bprm->tcomm[] too.

We could just add "//enomem" to the tracepoint too, and not use tcomm.

Also, I'm working on a patch that gets rid of all the setup of the
static_key and reuses the tracepoint static key instead (suggested by
Peter Zijlstra).

Thus, the change in exec.c would just look like this:


	if (tracepoint_enabled(sched_process_exec)) {
		[...]
	} else
		ret = search_binary_handler(bprm);


That is, we can get rid of the sched_process_exec_key_reg and unreg
functions, and just use this and it would become the same thing.

This will be helpful in other places too (David, I'm talking to you ;-)


-- Steve
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ