lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20111204221020.GB2203@ZenIV.linux.org.uk>
Date:	Sun, 4 Dec 2011 22:10:20 +0000
From:	Al Viro <viro@...IV.linux.org.uk>
To:	John Johansen <john.johansen@...onical.com>
Cc:	linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [PATCH] Remove use of mnt_ns->root and fix a couple of bugs in
 d_namespace_path

On Sun, Dec 04, 2011 at 01:27:00PM -0800, John Johansen wrote:
> +	/* is the path a sysctl? */
> +	if (path->dentry->d_sb->s_magic == PROC_SUPER_MAGIC &&
> +	    strncmp(*name, "/sys/", 5) == 0) {
> +		/* TODO: convert over to using a per namespace
> +		 * control instead of hard coded /proc
> +		 */
> +		error = prepend(name, *name - buf, "/proc", 5);
> +	}

Um?  What if some joker mounts procfs under /sys/<something> or
on /mnt/sys/something (with /mnt being mountpoint as well) and
you race with umount -l /mnt?  Because you *can* race with it
and get tmp pointing to (already freed) root of whatever had been
mounted on /mnt, with name being e.g. /sys/1/stat...  Your check
will happily assume that it's a sysctl, even though /proc/sys/1/stat
had never existed and operation was not done to it at all (it was
to /mnt/sys/1/stat, which would be the same thing as /proc/1/stat in
this setup).

> +	if ((tmp.dentry == root.dentry && tmp.mnt == root.mnt) &&
> +	    !(flags & PATH_CONNECT_PATH)) {
> +		/* disconnected path, don't return pathname starting
> +		 * with '/'
> +		 */
> +		error = -EACCES;
> +		if (*res == '/')
> +			*name = res + 1;

That's not equivalent to what it used to do and I'm not sure that it
makes much sense (not that the original had...)  Note that it will
_always_ fail with -EACCES if you have chroot environment and pass
neither PATH_CHROOT_REL nor PATH_CONNECT_PATH - in that case you'll
certainly not stop at the root of chroot jail, so the comparison will
fail.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ