lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4501DEF5.8010300@google.com>
Date:	Fri, 08 Sep 2006 14:21:57 -0700
From:	Edward Falk <efalk@...gle.com>
To:	Jan Engelhardt <jengelh@...ux01.gwdg.de>
CC:	linux-kernel@...r.kernel.org
Subject: Re: Proper /proc/pid/cmdline behavior when command line is corrupt?

Jan Engelhardt wrote:
> 
> http://www.x86-64.org/documentation/abi.pdf#search=%22argv%20envp%20x86%20ABI%22
> page 29 figure 3.9 lists the data block in question as "Information
> block, including argument strings, environment strings, auxiliary
> information", but does not specify it further, like how it is laid out.
> 
> What it does mention is "argument pointers" (aka argv[N]) and their
> exact position. In fact, right below the figure is the explanation:
> "Argument strings, environment strings, and the auxiliary information
> appear in no specific order within the information block and they need
> not be compactly allocated."

...

Thank you for sending me that document.  It seems that the bottom line 
is that the environment-follows-the-commandline assumption is *not* 
valid for future kernels, and may well not be valid for other 
architectures either.

I would suggest that for an application to overwrite the end of its own 
commandline buffer is undefined behavior.*

I'd also further suggest that the current implementation of 
proc_pid_cmdline() is essentially _guessing_ that the user has 
overwritten the end of the buffer and also guessing that the extra data 
can be found in the environment buffer.

Further, if a terminating nul still can't be found in the leading part 
of the environment buffer, proc_pid_cmdline() arbitrarily truncates the 
return value at the one-page mark with no attempt to insert a 
terminating nul.  It seems to me that if we accept that it's ok to 
arbitrarily truncate the return value, then a better choice of 
truncation point would be the end of the commandline buffer.

In addition, since the code is looking for missing data in the 
environment buffer, we can reasonably assume that the user has 
inadvertantly and hopelessly corrupted their own environment.  I submit 
that in this case, all bets are off and it doesn't really matter *what* 
we do at this point -- the results are undefined and can't possibly be 
correct.


> What that means for your future patch:
> 
> The way how the arg and env strings are laid out are, as far as I can 
> tell, defined in fs/binfmt_elf.c:create_elf_tables(). And 
> proc_pid_cmdline() depends on this layout, yes. However, since the 
> layout is not used anywhere outside the kernel (so says the PDF), there 
> should not be a problem. If you modify the layout, make sure it is 
> consistent within the kernel. It is unspecified for userspace, and a 
> user program accessing this area nonetheless is doing so at its own risk.

Thank you for pointing this out.  I'm not planning to change the layout, 
but perhaps a comment should be added to create_elf_tables() warning 
that proc_pid_cmdline() will need to be modified if the layout is ever 
modified.

Anyway; does anybody know why the original code was done this way, or of 
any applications that depend on that behavior?


> Hope this helps.

Immensely.  Thank you.

	-ed falk


*Actually, by the looks of things, for a process to write to its own 
commandline buffer *at all* is undefined behavior, since the spec makes 
no guarantees of the layout of the information block.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ