lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20070708181954.GH21668@ftp.linux.org.uk>
Date:	Sun, 8 Jul 2007 19:19:54 +0100
From:	Al Viro <viro@....linux.org.uk>
To:	Ulrich Drepper <drepper@...hat.com>
Cc:	Markus Trippelsdorf <markus@...ppelsdorf.de>,
	Andrew Morton <akpm@...ux-foundation.org>,
	linux-kernel@...r.kernel.org, torvalds@...ux-foundation.org
Subject: Re: 2.6.22-rc6(mm1) Unable to handle kernel NULL pointer	dereference - git-bisect result

On Sun, Jul 08, 2007 at 10:41:46AM -0700, Ulrich Drepper wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Al Viro wrote:
> > Like hell.  At the very least you want it to be opened for write.
> > And even that is dubious, since "process has write access to file"
> > is not quite the same thing as "somebody had given the process a
> > descriptor opened for write".
> 
> But the real permissions tests are performed in notify_change.  I think
> all this is consistent with how, for instance, fchmod works.  The
> additional tests in fchmod which aren't here (IS_RDONLY and IS_APPEND)
> would also apply to the case where a file name is given.  So, either the
> code was inconsistent already are these tests are really not needed.

Yes, it's either that, or you haven't bothered to read what it really
does.  ATTR_UID et.al. are checked in inode_change_ok().  So is
ATTR_MTIME_SET (only owner can explicitly set timestamps).  ATTR_MTIME
is not and *should* *not* be checked there.  Exactly because it's
done as a side effect of many operations with access control of their
own and nothing that could be pushed down into notify_change() path.
Think of e.g. write(2) - by the time you get to notify_change(), you
don't even have a file descriptor.  Just the dentry and process writing
to file doesn't have to have *any* permissions on it.

Hell, _try_ it.  Build the kernel with your patch and without it.
Call utimes() with NULL second argument on a file you have no write
access to.  See if the timestamps change.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ