lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20081126134302.GB6562@elte.hu>
Date:	Wed, 26 Nov 2008 14:43:02 +0100
From:	Ingo Molnar <mingo@...e.hu>
To:	eranian@...glemail.com
Cc:	linux-kernel@...r.kernel.org, akpm@...ux-foundation.org,
	x86@...nel.org, andi@...stfloor.org, eranian@...il.com,
	sfr@...b.auug.org.au
Subject: Re: [patch 20/24] perfmon: system calls interface


* eranian@...glemail.com <eranian@...glemail.com> wrote:

> +/*
> + * unlike the other perfmon system calls, this one returns a file descriptor
> + * or a value < 0 in case of error, very much like open() or socket()
> + */
> +asmlinkage long sys_pfm_create(int flags, struct pfarg_sinfo __user *ureq)
> +{
> +	struct pfm_context *new_ctx;
> +	struct pfarg_sinfo sif;
> +	int ret;
> +
> +	PFM_DBG("flags=0x%x sif=%p", flags, ureq);
> +
> +	if (perfmon_disabled)
> +		return -ENOSYS;
> +
> +	if (flags) {
> +		PFM_DBG("no flags accepted yet");
> +		return -EINVAL;
> +	}
> +	ret = __pfm_create_context(flags, &sif, &new_ctx);
> +
> +	/*
> +	 * copy sif to user level argument, if requested
> +	 */
> +	if (ureq && copy_to_user(ureq, &sif, sizeof(sif))) {
> +		pfm_undo_create(ret, new_ctx);
> +		ret  = -EFAULT;
> +	}
> +	return ret;
> +}

the error control flow of fd creation is sloppy here and has an 
kernel-data information leak: if __pfm_create_context() fails:

 - due to memory pressure
 - or due to lack of CPU support
 - or due to lack of permissions
 - or due to a busy PMU

then &sif is not initialized, and sys_pfm_create() copies it to 
user-space. This way attackers can probe portions of the kernel stack.

Worse than that, there's also a DoS hole here: in the same scenario 
above (easily created by attackers), new_ctx is not initialized either 
- and if a ureq is provided by (unprivileged) userspace with a 
faulting address (say ureq == (void *)1), then sys_pfm_create() will 
call pfm_undo_create() => kaboom.

It's even a root hole, because attacker can likely prime the kernel 
stack with arbitrary values via prior syscalls and hence controls 
new_ctx's value, and the freeing logic happily uses it => local root 
hole.

Is this stuff in any distro kernel?

	Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ