lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <E1NHfrW-0003YW-Rn@pomaz-ex.szeredi.hu>
Date:	Mon, 07 Dec 2009 16:50:58 +0100
From:	Miklos Szeredi <miklos@...redi.hu>
To:	Andrew Lutomirski <luto@....edu>
CC:	alan@...rguk.ukuu.org.uk, miklos@...redi.hu,
	akpm@...ux-foundation.org, linux-fsdevel@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] vfs: new O_NODE open flag

On Mon, 7 Dec 2009, Andrew Lutomirski wrote:
> On Mon, Dec 7, 2009 at 9:13 AM, Alan Cox <alan@...rguk.ukuu.org.uk> wrote:
> > First obvious attack: get an O_NODE handle to a device you have assigned
> > to your ownership
> >
> >        while(1)
> >                fchmod(fd, 0666);
> >
> > wait for device to unload, reload and be intended for another user
> > Race udev to a real open. You have a similar problem with vhangup() and
> > ttys.
> 
> Huh?  I would've thought that udev would (and already does?), on
> device unload, chown to 0:0, then chmod to 0000, then unlink, in which
> case that attack doesn't work.

Git version of udev does:

	chmod(filename, 0000);
	chown(filename, 0, 0);
	err = unlink(filename);

It should probably do it the other way round, which is how it was
originally, until this commit messed it up:

  commit 39087d3bdd0b5195c2570a4f858b88a82d42a066
  Author: Kay Sievers <kay.sievers@...y.org>
  Date:   Sat Aug 29 16:10:24 2009 +0200
  
      util_unlink_secure(): chmod() before chown()
  
      Suggested by Florian Zumbiehl <florz@...rz.de>.

And the thread where it came from:

  http://markmail.org/thread/ozwcbju52yb3qs5d

where the poster actually warned Kay that it was wrong...

> Would you be okay with a patch that prevented opening
> /proc/self/fd/xxx on O_NODE handles?

We can't sanely do that.

Thanks,
Miklos
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ