| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 18 Jan 2012 18:00:06 +0100 From: Oleg Nesterov <oleg@...hat.com> To: Chris Evans <scarybeasts@...il.com> Cc: Indan Zupancic <indan@....nu>, Andi Kleen <andi@...stfloor.org>, Jamie Lokier <jamie@...reable.org>, Andrew Lutomirski <luto@....edu>, Will Drewry <wad@...omium.org>, linux-kernel@...r.kernel.org, keescook@...omium.org, john.johansen@...onical.com, serge.hallyn@...onical.com, coreyb@...ux.vnet.ibm.com, pmoore@...hat.com, eparis@...hat.com, djm@...drot.org, torvalds@...ux-foundation.org, segoon@...nwall.com, rostedt@...dmis.org, jmorris@...ei.org, avi@...hat.com, penberg@...helsinki.fi, viro@...iv.linux.org.uk, mingo@...e.hu, akpm@...ux-foundation.org, khilman@...com, borislav.petkov@....com, amwang@...hat.com, ak@...ux.intel.com, eric.dumazet@...il.com, gregkh@...e.de, dhowells@...hat.com, daniel.lezcano@...e.fr, linux-fsdevel@...r.kernel.org, linux-security-module@...r.kernel.org, olofj@...omium.org, mhalcrow@...gle.com, dlaor@...hat.com, Roland McGrath <mcgrathr@...omium.org> Subject: Re: Compat 32-bit syscall entry from 64-bit task!? [was: Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF] On 01/17, Chris Evans wrote: > > 1) Tracee is compromised; executes fork() which is syscall that isn't allowed > 2) Tracee traps > 2b) Tracee could take a SIGKILL here > 3) Tracer looks at registers; bad syscall > 3b) Or tracee could take a SIGKILL here > 4) The only way to stop the bad syscall from executing is to rewrite > orig_eax (PTRACE_CONT + SIGKILL only kills the process after the > syscall has finished) > 5) Disaster: the tracee took a SIGKILL so any attempt to address it by > pid (such as PTRACE_SETREGS) fails. > 6) Syscall fork() executes; possible unsupervised process now running > since the tracer wasn't expecting the fork() to be allowed. As for fork() in particular, it can't succeed after SIGKILL. But I agree, probably it makes sense to change ptrace_stop() to check fatal_signal_pending() and do do_group_exit(SIGKILL) after it sleeps in TASK_TRACED. Or we can change tracehook_report_syscall_entry() - return 0; + return !fatal_signal_pending(); (no, I do not literally mean the change above) Not only for security. The current behaviour sometime confuses the users. Debugger sends SIGKILL to the tracee and assumes it should die asap, but the tracee exits only after syscall. Oleg. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists