[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20140902093121.GL30401@n2100.arm.linux.org.uk>
Date: Tue, 2 Sep 2014 10:31:22 +0100
From: Russell King - ARM Linux <linux@....linux.org.uk>
To: AKASHI Takahiro <takahiro.akashi@...aro.org>
Cc: "linaro-kernel@...ts.linaro.org" <linaro-kernel@...ts.linaro.org>,
Kees Cook <keescook@...omium.org>,
Catalin Marinas <Catalin.Marinas@....com>,
Will Deacon <will.deacon@....com>,
LKML <linux-kernel@...r.kernel.org>,
"arndb@...db.de" <arndb@...db.de>,
Deepak Saxena <dsaxena@...aro.org>,
"linux-arm-kernel@...ts.infradead.org"
<linux-arm-kernel@...ts.infradead.org>
Subject: Re: [PATCH v6 2/6] arm64: ptrace: allow tracer to skip a system
call
On Tue, Sep 02, 2014 at 10:16:22AM +0100, Russell King - ARM Linux wrote:
> On Tue, Sep 02, 2014 at 05:47:29PM +0900, AKASHI Takahiro wrote:
> > On 09/01/2014 08:47 PM, Russell King - ARM Linux wrote:
> >> On Wed, Aug 27, 2014 at 02:55:46PM +0900, AKASHI Takahiro wrote:
> >>> 1)
> >>> setting x0 to -ENOSYS is necessary because, otherwise, user-issued syscall(-1) will
> >>> return a bogus value when audit tracing is on.
> >>>
> >>> Please note that, on arm,
> >>> not traced traced
> >>> ------ ------
> >>> syscall(-1) aborted OOPs(BUG_ON)
> >>> syscall(-3000) aborted aborted
> >>> syscall(1000) ENOSYS ENOSYS
> >>
> >> Two points here:
> >>
> >> 1. You've found a case which causes a BUG_ON(). Where is the bug report
> >> for this, so the problem can be investigated and resolved?
> >
> > I think that I mentioned it could also happen on arm somewhere in a talk
> > with Will, but don't remember exactly when.
>
> Sorry, not good enough. Please report this bug so it can be investigated
> and fixed.
I'm going to go further than this, and tell you that you have been
downright irresponsible here, and I'm disgusted by your behaviour over
this.
You have revealed a potential security problem publically, effectively
giving details about how to cause it, but without having first reported
it to people who can fix it, nor providing a fix for it.
Why is it a security problem? Although it can't be used to gain
information, it can be used potentially to deny service. Any user can
trace a task which they own, and then set the task's syscall to -1,
which according to you results in a kernel oops.
If the kernel oops happens while holding any locks, that part of the
system becomes non-functional and can result in all userland stopping
dead.
--
FTTC broadband for 0.8mile line: currently at 9.5Mbps down 400kbps up
according to speedtest.net.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists