lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1299631343-4499-1-git-send-email-wilsons@start.ca>
Date:	Tue,  8 Mar 2011 19:42:17 -0500
From:	Stephen Wilson <wilsons@...rt.ca>
To:	linux-mm@...ck.org
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	Alexander Viro <viro@...iv.linux.org.uk>,
	Rik van Riel <riel@...hat.com>,
	KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>,
	Roland McGrath <roland@...hat.com>,
	Matt Mackall <mpm@...enic.com>,
	David Rientjes <rientjes@...gle.com>,
	Nick Piggin <npiggin@...nel.dk>,
	Andrea Arcangeli <aarcange@...hat.com>,
	Mel Gorman <mel@....ul.ie>, Ingo Molnar <mingo@...e.hu>,
	Michel Lespinasse <walken@...gle.com>,
	Hugh Dickins <hughd@...gle.com>, linux-kernel@...r.kernel.org
Subject: [PATCH 0/6] enable writing to /proc/pid/mem

For a long time /proc/pid/mem has provided a read-only interface, at least
since 2.4.0.  However, a write capability has existed "forever" in tree via the
function mem_write(), disabled with an #ifdef along with the comment "this is a
security hazard".  Currently, the main problem with mem_write() is that between
the time permissions are checked and the actual write the target task could
exec a setuid-root binary.

This patch series enables safe writes to /proc/pid/mem.  The principle strategy
is to get a reference to the target task's mm before the permission check, and
to hold that reference until after the write completes.

This patch is useful as it gives debuggers a simple and efficient mechanism to
manipulate a processes address space.  Memory can be read and written using
single calls to pread(2) and pwrite(2) instead of iteratively calling
into ptrace(2).  In addition, /proc/pid/mem has always had write permissions
enabled, so clearly it *wants* to be written to. 

This series builds off previous work up for review here:

   http://lkml.org/lkml/2011/3/8/409

The general approach used was suggested to me by Alexander Viro, but any
mistakes present in these patches are entirely my own.


--
steve


Stephen Wilson (6):
      mm: use mm_struct to resolve gate vma's in __get_user_pages
      mm: factor out main logic of access_process_vm
      mm: implement access_remote_vm
      proc: disable mem_write after exec
      proc: make check_mem_permission() return an mm_struct on success
      proc: enable writing to /proc/pid/mem


 fs/proc/base.c     |   61 ++++++++++++++++++++++++++-------------------
 include/linux/mm.h |    2 +
 mm/memory.c        |   69 +++++++++++++++++++++++++++++++++++++++-------------
 3 files changed, 89 insertions(+), 43 deletions(-)



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ