Message-ID: <4999BC0C.1010304@fatooh.org>
Date:	Mon, 16 Feb 2009 11:18:36 -0800
From:	Corey Hickey <bugfood-ml@...ooh.org>
To:	Dhaval Giani <dhaval@...ux.vnet.ibm.com>
CC:	Peter Zijlstra <peterz@...radead.org>,
	linux-kernel@...r.kernel.org,
	Bharata B Rao <bharata@...ux.vnet.ibm.com>,
	Balbir Singh <balbir@...ibm.com>,
	Srivatsa Vaddagiri <vatsa@...ux.vnet.ibm.com>,
	Ingo Molnar <mingo@...e.hu>, mtk.manpages@...il.com
Subject: Re: RT scheduling and a way to make a process hang, unkillable

Dhaval Giani wrote:
> And it continues on! Please try this version.
> 
> sched: Don't allow setuid to succeed if the user does not have rt bandwidth
> 
> Corey Hickey reported that on using setuid to change the uid of a
> rt process, the process would be unkillable and not be running.
> This is because there was no rt runtime for that user group. Add
> in a check to see if a user can attach an rt task to its task group.
> 
> Disclaimer: Not sure about the return values, and if setuid allows
> return values other than EPERM and EAGAIN.
> 
> Changes from v3:
> 1. Actually fix the leak.
> 
> Changes from v2:
> 1. Patch compiles for CONFIG_CGROUP_SCHED as well
> 2. Fix two memory leaks.
> 
> Changes from v1:
> 1. Peter suggested that rt_task_can_change_user should be renamed to
> task_can_change_user
> 2. Changed sched_rt_can_attach to boolean.
> 
> Signed-off-by: Dhaval Giani <dhaval@...ux.vnet.ibm.com>

Thank you, Peter and Dhaval, for looking at this. I appreciate your work.

I tested patch v4 on 2.6.29-rc5, and I get frequent kernel BUG messages.
Should I be testing your patch on a different source tree? The patch
applied to rc5 ok but with lots of offsets.

I attached the full dmesg log, and here's a sample of one of the messages:

------------------------------------------------------------------------
BUG: unable to handle kernel NULL pointer dereference at 00000034
IP: [<c011d642>] task_can_switch_user+0xe/0x28
*pde = 00000000
Oops: 0000 [#1]
last sysfs file: /sys/devices/virtual/net/lo/address
Modules linked in:

Pid: 1058, comm: vol_id Not tainted (2.6.29-rc5-fix1 #1) Satellite 5105
EIP: 0060:[<c011d642>] EFLAGS: 00010202 CPU: 0
EIP is at task_can_switch_user+0xe/0x28
EAX: 00000000 EBX: dfbe6ae0 ECX: 0000fffe EDX: c039a4a0
ESI: 00000000 EDI: 0000fffe EBP: dfbc7f88 ESP: dfbc7f80
 DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process vol_id (pid: 1058, ti=dfbc6000 task=dfbe6ae0 task.ti=dfbc6000)
Stack:
 fffffff4 df9a5e80 dfbc7f98 c0120c0a fffffff4 df9a5e80 dfbc7fb0 c0120da8
 df9a5180 0000fffe 00000003 bff8dec1 dfbc6000 c0102b45 0000fffe b8050ff4
 00000000 00000003 bff8dec1 bff8c918 000000d5 0000007b 0000007b c0100000
Call Trace:
 [<c0120c0a>] ? set_user+0x15/0x78
 [<c0120da8>] ? sys_setuid+0x4d/0x9d
 [<c0102b45>] ? sysenter_do_call+0x12/0x25
Code: f2 a1 90 b9 3f c0 e8 58 69 03 00 eb 02 53 9d b8 14 a9 39 c0 e8 fb
49 1b 00 5b 5e 5d c3 55 89 e5 56 53 89 d3 e8 3d fc ff ff 89 c6 <8b> 40
34 89 da e8 4b 22 ff ff 89 c3 89 f0 e8 04 ff ff ff 89 d8
EIP: [<c011d642>] task_can_switch_user+0xe/0x28 SS:ESP 0068:dfbc7f80
---[ end trace 3e1918a81c708690 ]---

Thank you,
Corey
