[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAGXu5j+axsd2DPA-QTLSLH32canH4V0FEnW4=wuCqZFa-niKGA@mail.gmail.com>
Date: Wed, 28 Aug 2013 20:33:20 -0700
From: Kees Cook <keescook@...omium.org>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: Djalal Harouni <tixxdz@...ndz.org>,
Al Viro <viro@...iv.linux.org.uk>,
Andrew Morton <akpm@...ux-foundation.org>,
Solar Designer <solar@...nwall.com>,
Vasiliy Kulikov <segoon@...nwall.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Ingo Molnar <mingo@...nel.org>,
LKML <linux-kernel@...r.kernel.org>,
"kernel-hardening@...ts.openwall.com"
<kernel-hardening@...ts.openwall.com>
Subject: Re: [PATCH 1/2] procfs: restore 0400 permissions on /proc/*/{syscall,stack,personality}
On Wed, Aug 28, 2013 at 6:08 PM, Eric W. Biederman
<ebiederm@...ssion.com> wrote:
> Kees Cook <keescook@...omium.org> writes:
>
>> On Wed, Aug 28, 2013 at 5:26 PM, Eric W. Biederman
>> <ebiederm@...ssion.com> wrote:
>>> Can someome please state what they are worried about in simple language
>>> step by step?
>>> [...]
>>> The closest I saw in the thread was people were worried about ASLR being
>>> defeated. All I see are kernel addresses and we don't have much if any
>>> runtime or even load time randomization of where code is located in the
>>> kernel address map on x86_64. So I don't understand the concern.
>>
>> I showed the output of "syscall", since that contains user-space
>> addresses and shows a leak of ASLR from a privileged process to an
>> unprivileged process.
>>
>> The flaw as I see it is that an unprivileged process opens
>> /proc/$priv_pid/syscall and passes it to a setuid process which is
>> able to read it, and provides those contents to the unprivileged
>> process.
>>
>> The unprivileged process should not be able to the open the file in
>> the first place.
>
> I see so the complaint is that we don't give read permission but we do
> give open permission. Which is a variant of: the permissions used to
> open are not the permission used to access the file.
>
> This does seem to be a legitimate concern.
>
> I think there are several discussions that have been going on lately
> with respect to this class of problems in proc files.
>
> Given the existence of suid exec we can not in general prevent this
> class of bugs with a check at open time.
I'm not suggesting removing the read check -- that's certainly needed.
> I believe the solution needs to be to enhance the ptrace_may_access
> checks to verify that both the creds of the current task and the creds
> of the opening process would have allowed the access.
As in, DAC perms are insufficient?
> We may want to put this check in permission so open fails quickly but
> we absolutely need to put this check in at the time we call
> ptrace_may_access.
-Kees
--
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists