Message-ID: <20100115081226.GA14409@heat>
Date:	Fri, 15 Jan 2010 03:12:26 -0500
From:	Michael Stone <michael@...top.org>
To:	linux-kernel@...r.kernel.org
Cc:	netdev@...r.kernel.org, linux-security-module@...r.kernel.org,
	Andi Kleen <andi@...stfloor.org>, David Lang <david@...g.hm>,
	Oliver Hartkopp <socketcan@...tkopp.net>,
	Alan Cox <alan@...rguk.ukuu.org.uk>,
	Herbert Xu <herbert@...dor.apana.org.au>,
	Valdis Kletnieks <Valdis.Kletnieks@...edu>,
	Bryan Donlan <bdonlan@...il.com>,
	Evgeniy Polyakov <zbr@...emap.net>,
	"C. Scott Ananian" <cscott@...ott.net>,
	James Morris <jmorris@...ei.org>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Bernie Innocenti <bernie@...ewiz.org>,
	Mark Seaborn <mrs@...hic-beasts.com>,
	Randy Dunlap <randy.dunlap@...cle.com>,
	Américo Wang <xiyou.wangcong@...il.com>,
	Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
	Samir Bellabes <sam@...ack.fr>,
	Casey Schaufler <casey@...aufler-ca.com>,
	"Serge E. Hallyn" <serue@...ibm.com>, Pavel Machek <pavel@....cz>,
	Al Viro <viro@...IV.linux.org.uk>,
	Kyle Moffett <kyle@...fetthome.net>,
	Andrew Morgan <morgan@...nel.org>,
	Michael Stone <michael@...top.org>
Subject: disablenetwork (v5): Remove a TOCTTOU race by passing flags by
	value.

When network_flags is passed by pointer to memory shared among several tasks,
one of those tasks could change the pointed-to value after it was checked by
security_prctl() and before it was used by prctl_set_network().

Also, since no cleanup is needed in prctl_set_network(), simplify its
return-value conventions.

Signed-off-by: Michael Stone <michael@...top.org>
---
  include/linux/prctl_network.h |    2 +-
  kernel/sys.c                  |   24 ++++++------------------
  2 files changed, 7 insertions(+), 19 deletions(-)

diff --git a/include/linux/prctl_network.h b/include/linux/prctl_network.h
index d18f8cb..2c03292 100644
--- a/include/linux/prctl_network.h
+++ b/include/linux/prctl_network.h
@@ -2,6 +2,6 @@
  #define _LINUX_PRCTL_NETWORK_H
  
  extern long prctl_get_network(unsigned long*);
-extern long prctl_set_network(unsigned long*);
+extern long prctl_set_network(unsigned long);
  
  #endif /* _LINUX_PRCTL_NETWORK_H */
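Review bot: The new prototype `extern long prctl_set_network(unsigned long);` gives no hint that the argument is now the flag word itself, while prctl_get_network() on the line above still takes a pointer. Naming the parameter makes the asymmetry visible at the declaration: `extern long prctl_set_network(unsigned long network_flags);`. A short comment such as `/* flags are passed by value so they cannot change between the security check and their use */` would record why the two calls differ.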
diff --git a/kernel/sys.c b/kernel/sys.c
index b48f021..1fadf10 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1580,7 +1580,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
  				error = PR_MCE_KILL_DEFAULT;
  			break;
  		case PR_SET_NETWORK:
-			error = prctl_set_network((unsigned long*)arg2);
+			error = prctl_set_network(arg2);
  			break;
  		case PR_GET_NETWORK:
  			error = prctl_get_network((unsigned long*)arg2);
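Review bot: In the `PR_SET_NETWORK` case the new call `prctl_set_network(arg2)` ignores `arg3`, `arg4` and `arg5`, so a caller can pass arbitrary values there and still succeed. Rejecting them keeps those arguments free for later extension, e.g. `error = (arg3 || arg4 || arg5) ? -EINVAL : prctl_set_network(arg2);`. The body of prctl() starts and ends outside this hunk, so an earlier check may already exist. Separately, the description says security_prctl() checked the pointed-to value; if any hook read the flags through `arg2` as a pointer it must switch to the value in this same change, and the diffstat lists only these two files, so that is worth confirming.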
@@ -1599,29 +1599,17 @@ long prctl_get_network(unsigned long* user)
  	return put_user(current->network, user);
  }
  
-long prctl_set_network(unsigned long* user)
+long prctl_set_network(unsigned long network_flags)
  {
-	unsigned long network_flags;
-	long ret;
-
-	ret = -EFAULT;
-	if (copy_from_user(&network_flags, user, sizeof(network_flags)))
-		goto out;
-
-	ret = -EINVAL;
  	if (network_flags & ~PR_NETWORK_ALL_FLAGS)
-		goto out;
+		return -EINVAL;
  
  	/* only dropping access is permitted */
-	ret = -EPERM;
-        if (current->network & ~network_flags)
-		goto out;
+	if (current->network & ~network_flags)
+		return -EPERM;
  
  	current->network = network_flags;
-	ret = 0;
-
-out:
-	return ret;
+	return 0;
  }
  
  #else
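Review bot: The comment `/* only dropping access is permitted */` in prctl_set_network() does not say which direction of bit change it allows. From the test `current->network & ~network_flags`, the call fails whenever a bit already set in `current->network` is absent from the request, so bits can only be added. I would reword it to `/* a bit already set in current->network may never be cleared */`, and state what a set bit means, which this hunk does not show. A kernel-doc header on the function should list the three outcomes: -EINVAL for bits outside `PR_NETWORK_ALL_FLAGS`, -EPERM for an attempt to clear a set bit, and 0 after the store. It should also say that the flags arrive by value, so the validated word is the one that is stored.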
-- 
1.6.6.rc2
