lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20080521123802.GB7715@sergelap.austin.ibm.com>
Date:	Wed, 21 May 2008 07:38:02 -0500
From:	"Serge E. Hallyn" <serue@...ibm.com>
To:	Shi Weihua <shiwh@...fujitsu.com>
Cc:	Andrew Morton <akpm@...ux-foundation.org>, morgan@...nel.org,
	linux-security-module@...r.kernel.org,
	LKML <linux-kernel@...r.kernel.org>, serue@...ibm.com,
	jmorris@...ei.org
Subject: Re: [PATCH] capabilities: fix sys_prctl() returned uninitialized
	value

Quoting Shi Weihua (shiwh@...fujitsu.com):
> When we test kernel by the latest LTP(20080430) on ia64,
> the following failure occured:
> -------------------------------------
> prctl01     1  PASS  :  Test Passed
> prctl01     0  WARN  :  prctl() returned 2048 errno = 0 : Success
> prctl01     1  PASS  :  Test Passed
> prctl01     2  FAIL  :  Test Failed
> -------------------------------------
> 
> We found commit 3898b1b4ebff8dcfbcf1807e0661585e06c9a91c
> causes this failure by git-bisect.
> And, we found *rc_p has not been initialized if switch-default 
> of the function cap_task_prctl()(security/commoncap.c). When *rc_p
> uninitialized, sys_prctl() will return a wrong value.
> 
> Signed-off-by: Shi Weihua <shiwh@...fujitsu.com> 
> ---
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 5edabc7..a4b28c8 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -649,6 +649,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
> 
>  	default:
>  		/* No functionality available - continue with default */
> +		*rc_p = 0;
>  		return 0;
>  	}

No, this case here means that the capability module is not taking
responsibility for this call.  So it should not be setting rc_p.

So you'll want to find another path in kernel/sys.c:sys_prctl()
where error doesn't get set.  Do you know what 'i' was in prctl01
at the time of failure?

For instance, I notice that PR_SET_DUMPABLE doesn't set the value
of error if arg2 is valid.  Also PR_SET_NAME and PR_GET_NAME
don't set error.

-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ