| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 22 May 2008 08:58:53 +0800 From: Shi Weihua <shiwh@...fujitsu.com> To: "Serge E. Hallyn" <serue@...ibm.com> CC: Andrew Morton <akpm@...ux-foundation.org>, morgan@...nel.org, linux-security-module@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>, jmorris@...ei.org Subject: Re: [PATCH] capabilities: fix sys_prctl() returned uninitialized value Serge E. Hallyn wrote: > Quoting Shi Weihua (shiwh@...fujitsu.com): >> When we test kernel by the latest LTP(20080430) on ia64, >> the following failure occured: >> ------------------------------------- >> prctl01 1 PASS : Test Passed >> prctl01 0 WARN : prctl() returned 2048 errno = 0 : Success >> prctl01 1 PASS : Test Passed >> prctl01 2 FAIL : Test Failed >> ------------------------------------- >> >> We found commit 3898b1b4ebff8dcfbcf1807e0661585e06c9a91c >> causes this failure by git-bisect. >> And, we found *rc_p has not been initialized if switch-default >> of the function cap_task_prctl()(security/commoncap.c). When *rc_p >> uninitialized, sys_prctl() will return a wrong value. >> >> Signed-off-by: Shi Weihua <shiwh@...fujitsu.com> >> --- >> diff --git a/security/commoncap.c b/security/commoncap.c >> index 5edabc7..a4b28c8 100644 >> --- a/security/commoncap.c >> +++ b/security/commoncap.c >> @@ -649,6 +649,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, >> >> default: >> /* No functionality available - continue with default */ >> + *rc_p = 0; >> return 0; >> } > > No, this case here means that the capability module is not taking > responsibility for this call. So it should not be setting rc_p. Ok, we noticed the comment as following in include/linux/security.h. + * @rc_p contains a pointer to communicate back the forced return code + * Return 0 if permission is granted, and non-zero if the security module + * has taken responsibility (setting *rc_p) for the prctl call. > > So you'll want to find another path in kernel/sys.c:sys_prctl() > where error doesn't get set. Do you know what 'i' was in prctl01 > at the time of failure? 'i' was 1 (PR_SET_PDEATHSIG). I will create a new patch ASAP. Thanks. > > For instance, I notice that PR_SET_DUMPABLE doesn't set the value > of error if arg2 is valid. Also PR_SET_NAME and PR_GET_NAME > don't set error. > > -serge > > > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists