lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20080225180020.GA10631@sergelap.austin.ibm.com>
Date:	Mon, 25 Feb 2008 12:00:20 -0600
From:	"Serge E. Hallyn" <serue@...ibm.com>
To:	Oleg Nesterov <oleg@...sign.ru>
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	Casey Schaufler <casey@...aufler-ca.com>,
	David Quigley <dpquigl@...ho.nsa.gov>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Eric Paris <eparis@...hat.com>,
	Harald Welte <laforge@...monks.org>,
	Pavel Emelyanov <xemul@...nvz.org>,
	"Serge E. Hallyn" <serue@...ibm.com>,
	Stephen Smalley <sds@...ho.nsa.gov>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/3] kill_pid_info_as_uid: don't use
	security_task_kill()

Quoting Oleg Nesterov (oleg@...sign.ru):
> kill_pid_info_as_uid() is solely used by drivers/usb/core/. The original
> "[PATCH] Fix signal sending in usbdevio on async URB completion" commit
> 46113830a18847cff8da73005e57bc49c2f95a56 was right, but nowadays we use
> struct pid and this solves most of the addressed problems.
> 
> It would be nice to use kill_pid_info() instead, but we can't because USB
> uses .si_code = SI_ASYNCIO which fools SI_FROMUSER() and thus security checks.
> 
> I think we should omit the permission checks completely, the task which does
> ioctl(USBDEVFS_SUBMITURB) explicitly asks to send the signal to it, we should
> not deny the signal even if the task changes its credentials in any way.
> 
> For now, we can remove security_task_kill(). It is bogus, the signal has come
> from kernel.

Ok, could you augment the comment above
kernel/signal.c:kill_pid_info_as_uid() to say that it is only called
from within the usb subsystem?

It also would be nice if some sparse magic could check that that remains
the case, but that's 'vali' territory and the comment should suffice.

thanks,
-serge

> Signed-off-by: Oleg Nesterov <oleg@...sign.ru>
> 
>  include/linux/sched.h    |    2 +-
>  kernel/signal.c          |    5 +----
>  drivers/usb/core/usb.h   |    1 -
>  drivers/usb/core/devio.c |    7 ++-----
>  drivers/usb/core/inode.c |    3 ++-
>  5 files changed, 6 insertions(+), 12 deletions(-)
> 
> --- 25/include/linux/sched.h~2_KPIAU_NO_LSM	2008-02-15 16:59:17.000000000 +0300
> +++ 25/include/linux/sched.h	2008-02-25 19:13:05.000000000 +0300
> @@ -1690,7 +1690,7 @@ extern int force_sigsegv(int, struct tas
>  extern int force_sig_info(int, struct siginfo *, struct task_struct *);
>  extern int __kill_pgrp_info(int sig, struct siginfo *info, struct pid *pgrp);
>  extern int kill_pid_info(int sig, struct siginfo *info, struct pid *pid);
> -extern int kill_pid_info_as_uid(int, struct siginfo *, struct pid *, uid_t, uid_t, u32);
> +extern int kill_pid_info_as_uid(int, struct siginfo *, struct pid *, uid_t, uid_t);
>  extern int kill_pgrp(struct pid *pid, int sig, int priv);
>  extern int kill_pid(struct pid *pid, int sig, int priv);
>  extern int kill_proc_info(int, struct siginfo *, pid_t);
> --- 25/kernel/signal.c~2_KPIAU_NO_LSM	2008-02-25 18:15:38.000000000 +0300
> +++ 25/kernel/signal.c	2008-02-25 19:13:56.000000000 +0300
> @@ -1078,7 +1078,7 @@ kill_proc_info(int sig, struct siginfo *
> 
>  /* like kill_pid_info(), but doesn't use uid/euid of "current" */
>  int kill_pid_info_as_uid(int sig, struct siginfo *info, struct pid *pid,
> -		      uid_t uid, uid_t euid, u32 secid)
> +		      uid_t uid, uid_t euid)
>  {
>  	int ret = -EINVAL;
>  	struct task_struct *p;
> @@ -1098,9 +1098,6 @@ int kill_pid_info_as_uid(int sig, struct
>  		ret = -EPERM;
>  		goto out_unlock;
>  	}
> -	ret = security_task_kill(p, info, sig, secid);
> -	if (ret)
> -		goto out_unlock;
>  	if (sig && p->sighand) {
>  		unsigned long flags;
>  		spin_lock_irqsave(&p->sighand->siglock, flags);
> --- 25/drivers/usb/core/usb.h~2_KPIAU_NO_LSM	2008-02-15 16:59:10.000000000 +0300
> +++ 25/drivers/usb/core/usb.h	2008-02-25 19:16:37.000000000 +0300
> @@ -155,7 +155,6 @@ struct dev_state {
>  	uid_t disc_uid, disc_euid;
>  	void __user *disccontext;
>  	unsigned long ifclaimed;
> -	u32 secid;
>  };
> 
>  /* internal notify stuff */
> --- 25/drivers/usb/core/devio.c~2_KPIAU_NO_LSM	2008-02-15 16:59:09.000000000 +0300
> +++ 25/drivers/usb/core/devio.c	2008-02-25 19:19:55.000000000 +0300
> @@ -72,7 +72,6 @@ struct async {
>  	void __user *userurb;
>  	struct urb *urb;
>  	int status;
> -	u32 secid;
>  };
> 
>  static int usbfs_snoop;
> @@ -321,8 +320,8 @@ static void async_completed(struct urb *
>  		sinfo.si_errno = as->status;
>  		sinfo.si_code = SI_ASYNCIO;
>  		sinfo.si_addr = as->userurb;
> -		kill_pid_info_as_uid(as->signr, &sinfo, as->pid, as->uid,
> -				      as->euid, as->secid);
> +		kill_pid_info_as_uid(as->signr, &sinfo, as->pid,
> +					as->uid, as->euid);
>  	}
>  	snoop(&urb->dev->dev, "urb complete\n");
>  	snoop_urb(urb, as->userurb);
> @@ -603,7 +602,6 @@ static int usbdev_open(struct inode *ino
>  	ps->disc_euid = current->euid;
>  	ps->disccontext = NULL;
>  	ps->ifclaimed = 0;
> -	security_task_getsecid(current, &ps->secid);
>  	smp_wmb();
>  	list_add_tail(&ps->list, &dev->filelist);
>  	file->private_data = ps;
> @@ -1132,7 +1130,6 @@ static int proc_do_submiturb(struct dev_
>  	as->pid = get_pid(task_pid(current));
>  	as->uid = current->uid;
>  	as->euid = current->euid;
> -	security_task_getsecid(current, &as->secid);
>  	if (!is_in) {
>  		if (copy_from_user(as->urb->transfer_buffer, uurb->buffer,
>  				as->urb->transfer_buffer_length)) {
> --- 25/drivers/usb/core/inode.c~2_KPIAU_NO_LSM	2008-02-15 16:59:09.000000000 +0300
> +++ 25/drivers/usb/core/inode.c	2008-02-25 19:21:09.000000000 +0300
> @@ -728,7 +728,8 @@ static void usbfs_remove_device(struct u
>  			sinfo.si_errno = EPIPE;
>  			sinfo.si_code = SI_ASYNCIO;
>  			sinfo.si_addr = ds->disccontext;
> -			kill_pid_info_as_uid(ds->discsignr, &sinfo, ds->disc_pid, ds->disc_uid, ds->disc_euid, ds->secid);
> +			kill_pid_info_as_uid(ds->discsignr, &sinfo, ds->disc_pid,
> +						ds->disc_uid, ds->disc_euid);
>  		}
>  	}
>  }
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ