[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20110715063801.GC3166@albatros>
Date: Fri, 15 Jul 2011 10:38:01 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>,
Andrew Morton <akpm@...ux-foundation.org>
Cc: linux-kernel@...r.kernel.org, viro@...iv.linux.org.uk,
rientjes@...gle.com, wilsons@...rt.ca, security@...nel.org,
kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH v3] proc: fix a race in do_io_accounting()
Hi Linus,
On Wed, Jul 06, 2011 at 20:34 +0400, Vasiliy Kulikov wrote:
> If inode's mode permits to open /proc/PID/io and the resulted file
> descriptor is kept across execve() of setuid or similar binary, the
> ptrace_may_access() check tries to prevent using this fd against the
> task with escalated privileges. Unfortunately, there is a race of the
> check against execve(). If execve() is processed after the ptrace
> check, but before the actual io information gathering, io statistics
> will be gathered from the privileged process. At least in theory this
> might lead to gathering sensible information (like ssh/ftp password
> length) that wouldn't be available otherwise.
>
> Holding task->signal->cred_guard_mutex while gathering the io
> information should protect against the race.
>
> The order of locking is similar to the one inside of
> ptrace_attach(): first goes cred_guard_mutex, then lock_task_sighand().
Any problems with the patch?
> v3 - better description.
> v2 - use mutex_lock_killable() instead of mutex_lock().
>
> Signed-off-by: Vasiliy Kulikov <segoon@...nwall.com>
> Cc: stable@...nel.org
> ---
> fs/proc/base.c | 16 +++++++++++++---
> 1 files changed, 13 insertions(+), 3 deletions(-)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 083a4f2..4b9f159 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2711,9 +2711,16 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
> {
> struct task_io_accounting acct = task->ioac;
> unsigned long flags;
> + int result;
>
> - if (!ptrace_may_access(task, PTRACE_MODE_READ))
> - return -EACCES;
> + result = mutex_lock_killable(&task->signal->cred_guard_mutex);
> + if (result)
> + return result;
> +
> + if (!ptrace_may_access(task, PTRACE_MODE_READ)) {
> + result = -EACCES;
> + goto out_unlock;
> + }
>
> if (whole && lock_task_sighand(task, &flags)) {
> struct task_struct *t = task;
> @@ -2724,7 +2731,7 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
>
> unlock_task_sighand(task, &flags);
> }
> - return sprintf(buffer,
> + result = sprintf(buffer,
> "rchar: %llu\n"
> "wchar: %llu\n"
> "syscr: %llu\n"
> @@ -2739,6 +2746,9 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
> (unsigned long long)acct.read_bytes,
> (unsigned long long)acct.write_bytes,
> (unsigned long long)acct.cancelled_write_bytes);
> +out_unlock:
> + mutex_unlock(&task->signal->cred_guard_mutex);
> + return result;
> }
>
> static int proc_tid_io_accounting(struct task_struct *task, char *buffer)
> --
> 1.7.0.4
>
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists