| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 14 Mar 2012 09:47:28 +0400 From: Cyrill Gorcunov <gorcunov@...nvz.org> To: Matt Helsley <matthltc@...ibm.com> Cc: Oleg Nesterov <oleg@...hat.com>, KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>, Pavel Emelyanov <xemul@...allels.com>, Kees Cook <keescook@...omium.org>, Tejun Heo <tj@...nel.org>, Andrew Morton <akpm@...ux-foundation.org>, LKML <linux-kernel@...r.kernel.org> Subject: Re: [RFC] c/r: prctl: Add ability to set new mm_struct::exe_file v3 On Tue, Mar 13, 2012 at 06:41:06PM -0700, Matt Helsley wrote: ... > > + > > + exe_file = fget(fd); > > + if (!exe_file) > > + return -EBADF; > > + > > + dentry = exe_file->f_path.dentry; > > + > > + /* > > + * Because the original mm->exe_file > > + * points to executable file, make sure > > + * this one is executable as well to not > > + * break an overall picture. > > + */ > > + err = -EACCES; > > + if (!S_ISREG(dentry->d_inode->i_mode) || > > + exe_file->f_path.mnt->mnt_flags & MNT_NOEXEC) > > + goto exit; > > You could factor out this portion of the access checking from open_exec() > after the do_filp_open() in open_exec() and re-use it here. I know it's > tiny helper but tying these two together might be good for > maintenance later. > Matt, I really dont wanna touch code outside of prctl and this function in particualar, at least in this patch, ie I can clean up and factor out is on top of the patch, as a separate task. > Should it check for some of the flags open_exec() uses? open_exec() > passes: > > O_LARGEFILE|O_RDONLY|__FMODE_EXEC > > to do_filp_open(). I think a O_RDONLY check might be good. I don't > think __FMODE_EXEC is something userspace can set so could be ignored. > O_LARGEFILE might be important though. Well, we're not going to read from this file, so it is not that important at moment, so previously I've had > + if ((exe_file->f_flags & O_ACCMODE) != O_RDONLY) > + goto exit; and Oleg pointed me | But the O_RDONLY check looks strange. We are not going to write | to this file, we only set the name (and that is why I think it | should be mm->exe_path). What is the point to check that the file | was opened without FMODE_WRITE? Even if there were any security | risk the apllication can open this file again with the different | flags. so I dropped it. And I think the same applies to O_LARGEFILE. Sure it's not a problem to bring it back but should we? Cyrill -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists