lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20080225182345.GA22095@tv-sign.ru>
Date:	Mon, 25 Feb 2008 21:23:45 +0300
From:	Oleg Nesterov <oleg@...sign.ru>
To:	Harald Welte <laforge@...monks.org>
Cc:	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Pavel Emelyanov <xemul@...nvz.org>,
	linux-kernel@...r.kernel.org
Subject: Re: Fw: [PATCH 1/1] file capabilities: simplify signal check

On 02/24, Harald Welte wrote:
>
> On Sun, Feb 24, 2008 at 09:09:31PM +0300, Oleg Nesterov wrote:
> > I just have an almost off-topic (sorry ;) question. Do we really need
> > kill_pid_info_as_uid() ? Harald Welte cc'ed.
> > 
> > From "[PATCH] Fix signal sending in usbdevio on async URB completion"
> > commit 46113830a18847cff8da73005e57bc49c2f95a56
> > 
> > 	> If a process issues an URB from userspace and (starts to) terminate
> > 	> before the URB comes back, we run into the issue described above.  This
> > 	> is because the urb saves a pointer to "current" when it is posted to the
> > 	> device, but there's no guarantee that this pointer is still valid
> > 	> afterwards.
> > 	>
> > 	> In fact, there are three separate issues:
> > 	>
> > 	> 1) the pointer to "current" can become invalid, since the task could be
> > 	>    completely gone when the URB completion comes back from the device.
> > 	>
> > 	> 2) Even if the saved task pointer is still pointing to a valid task_struct,
> > 	>    task_struct->sighand could have gone meanwhile.
> > 	>
> > 	> 3) Even if the process is perfectly fine, permissions may have changed,
> > 	>    and we can no longer send it a signal.
> > 
> > The problems 1) and 2) are solved by converting to a struct pid. Is 3) a real
> > problem? The task which does ioctl(USBDEVFS_SUBMITURB) explicitly asks to send
> > the signal to it, should we deny the signal even if it changes its credentials
> > in some way?
> 
> At the time I discovered the abovementioned problem, '1' and '2' were
> real practical issues that I was seeing on live systems, triggerable
> from userspace with no problems. '3' was more of a theoretical issue
> that was discovered while reading the code and spending some thought on
> it.

Yes, yes, I see, the patch was fine.

> Whether or not we should deny the signal even if the process changes its
> own credentials in some way sounds like a much more esoteric question to
> me.  I think it's fair to say that the resulting behavior is
> "unspecified but shouldn't cause the process and/or kernel to misbehave"
> 
> At least I'm not aware of any usbdevio logic that would require some
> specific behaviour here.

OK, thanks.

So, the only reason why we can't kill kill_pid_info_as_uid() and just use
kill_pid_info() is that USB uses .si_code = SI_ASYNCIO. The latter means
that SI_FROMUSER(info) == T.

I assume that it is not an option to change USB to use .si_code > 0, yes?

Oleg.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ