Message-Id: <1343143742-31229-1-git-send-email-tixxdz@opendz.org>
Date:	Tue, 24 Jul 2012 16:29:00 +0100
From:	Djalal Harouni <tixxdz@...ndz.org>
To:	linux-kernel@...r.kernel.org, kernel-hardening@...ts.openwall.com,
	Al Viro <viro@...iv.linux.org.uk>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Vasiliy Kulikov <segoon@...nwall.com>,
	WANG Cong <xiyou.wangcong@...il.com>,
	Oleg Nesterov <oleg@...hat.com>,
	Solar Designer <solar@...nwall.com>,
	Kees Cook <keescook@...omium.org>,
	David Rientjes <rientjes@...gle.com>,
	Brad Spengler <spender@...ecurity.net>
Cc:	Djalal Harouni <tixxdz@...ndz.org>
Subject: [PATCH v2 0/2] proc: /proc/<pid>/environ offset fixes

Hi,

This is V2 of the series to correctly check offsets on /proc/<pid>/environ
before reading. This was previously discussed here:
http://lkml.org/lkml/2012/7/22/79

Due to incorrect offset checks, currently one can read from arbitrary
addresses via /proc/<pid>/environ, not only the environment address range,
as shown here (the same thread):
http://lkml.org/lkml/2012/7/22/163

The bug is in environ_read().


That first patch was not complete, as noted by Oleg Nesterov, since even
with positive offsets we can perhaps overflow the address from where to
read the environment variables, or perhaps we can make multiple lseek()
calls with a positive offset set to 0x7fffffff; this will pass the
fs/read_write.c:lseek_execute() checks, and one can make the
'mm->env_addr + offset' point to another VMA. This will make
/proc/<pid>/environ act like /proc/<pid>/mem.

The first version removed only negative offsets, which, when converted to
unsigned long, overflow 'mm->env_addr + offset' (the address from which
the environment variables are read) and also pass all the
fs/read_write.c:lseek_execute() and environ_read() checks.

As suggested by Oleg Nesterov this version makes sure to fix the offset
checks, then it removes negative offsets support on /proc/<pid>/environ
since it does not need them.


Thanks to the patch 'proc: clean up /proc/<pid>/environ handling'
(commit b409e578d9a4ec95913e), this is not a security issue, since at
->open() there is the ptrace check plus saving of the current 'mm' for
the next operations.


Djalal Harouni (2):
  proc: environ_read() make sure offset points to environment address range
  proc: do not allow negative offsets on /proc/<pid>/environ

 fs/proc/base.c |   22 +++++++++++++---------
  1 files changed, 13 insertions(+), 9 deletions(-)


V2:
 * Added the [PATCH 1/2] to make sure that the offset points to the
   environment address range as suggested by Oleg Nesterov.
 * Updated the [PATCH 2/2] changelog entry since we have added [PATCH 1/2]
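The offset arithmetic the cover letter describes, as an added user-space model. This is not the kernel's environ_read() and not the patch series itself: it reproduces the shape of the per-chunk length computation (a loff_t file offset converted to unsigned long, added to the environment start, with the remaining length kept in an int) beside a check of the kind the two patches add (no negative offsets, and the offset must fall inside [0, env_end - env_start) before an address is formed). ENV_START and ENV_END are constructed values standing in for mm->env_start and mm->env_end of some process; the function names, the 64-bit unsigned long, and the 4 KiB environment size are assumptions made for the example.

```c
/*
 * Added example: a user-space model of the per-chunk length arithmetic in
 * fs/proc/base.c:environ_read() as the cover letter describes it.  Not the
 * kernel's code and not the patch.  ENV_START/ENV_END are constructed
 * values standing in for mm->env_start/mm->env_end; a 64-bit unsigned
 * long is assumed.
 */
#include <stdio.h>
#include <stddef.h>

#define PAGE_SIZE 4096UL
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Constructed layout: a 4 KiB environment block in a 64-bit process. */
#define ENV_START 0x7ffff7ff0000UL
#define ENV_END   0x7ffff7ff1000UL

/* Address the read loop would hand to access_remote_vm() for file offset pos. */
unsigned long read_addr(long long pos)
{
	return ENV_START + (unsigned long)pos;   /* *ppos -> unsigned long, may wrap */
}

/* 1 when addr lies inside the environment block, 0 otherwise. */
int in_env_range(unsigned long addr)
{
	return addr >= ENV_START && addr < ENV_END;
}

/*
 * Pre-fix shape: the remaining length is computed in unsigned long
 * arithmetic and then stored in an int.  A negative offset wraps the start
 * address backwards, and an offset far past env_end turns the unsigned
 * difference into a value whose low 32 bits can be a small positive int;
 * in both cases a positive length comes out and the read goes outside the
 * environment.  Returns the bytes the old loop would read, 0 to stop.
 */
int buggy_chunk_len(long long pos, size_t count)
{
	unsigned long src = (unsigned long)pos;
	int this_len = (int)(ENV_END - (ENV_START + src));  /* truncation to int */
	int max_len;

	if (this_len <= 0)
		return 0;
	max_len = (int)MIN(PAGE_SIZE, count);
	return MIN(max_len, this_len);
}

/*
 * Fixed shape, modelled on the two checks the series describes: negative
 * offsets are rejected outright, and a positive offset must fall inside
 * [0, env_end - env_start) before any address is formed, so the length can
 * neither wrap nor point past env_end.
 */
size_t fixed_chunk_len(long long pos, size_t count)
{
	unsigned long src;
	size_t this_len, max_len;

	if (pos < 0)
		return 0;                           /* patch 2/2: no negative offsets */
	src = (unsigned long)pos;
	if (src >= ENV_END - ENV_START)
		return 0;                           /* patch 1/2: offset out of range */
	this_len = ENV_END - (ENV_START + src); /* cannot wrap after the check above */
	max_len = MIN(PAGE_SIZE, count);
	return MIN(max_len, this_len);
}

static void show(const char *label, long long pos)
{
	unsigned long addr = read_addr(pos);

	printf("%-34s pos=%#llx addr=%#lx in_env=%d old=%d new=%zu\n",
	       label, (unsigned long long)pos, addr, in_env_range(addr),
	       buggy_chunk_len(pos, 65536), fixed_chunk_len(pos, 65536));
}

int main(void)
{
	show("start of environment", 0);
	show("negative offset (wraps backwards)", -4096);
	/* Two lseek(fd, 0x7fffffff, SEEK_CUR) calls, as in the cover letter. */
	show("2 * 0x7fffffff (past env_end)", 2LL * 0x7fffffff);
	show("exactly env_end", 0x1000);
	return 0;
}
```

Running it shows the two failure modes side by side: for the negative offset the old arithmetic yields a 4096-byte read starting 4 KiB before env_start, and for an accumulated offset of 0xfffffffe it yields a 4096-byte read roughly 4 GiB past env_end (the truncated int is 0x1002), while the range-checked version returns 0 for both and reads only inside the environment.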