lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20140902093121.GL30401@n2100.arm.linux.org.uk>
Date:	Tue, 2 Sep 2014 10:31:22 +0100
From:	Russell King - ARM Linux <linux@....linux.org.uk>
To:	AKASHI Takahiro <takahiro.akashi@...aro.org>
Cc:	"linaro-kernel@...ts.linaro.org" <linaro-kernel@...ts.linaro.org>,
	Kees Cook <keescook@...omium.org>,
	Catalin Marinas <Catalin.Marinas@....com>,
	Will Deacon <will.deacon@....com>,
	LKML <linux-kernel@...r.kernel.org>,
	"arndb@...db.de" <arndb@...db.de>,
	Deepak Saxena <dsaxena@...aro.org>,
	"linux-arm-kernel@...ts.infradead.org" 
	<linux-arm-kernel@...ts.infradead.org>
Subject: Re: [PATCH v6 2/6] arm64: ptrace: allow tracer to skip a system
	call

On Tue, Sep 02, 2014 at 10:16:22AM +0100, Russell King - ARM Linux wrote:
> On Tue, Sep 02, 2014 at 05:47:29PM +0900, AKASHI Takahiro wrote:
> > On 09/01/2014 08:47 PM, Russell King - ARM Linux wrote:
> >> On Wed, Aug 27, 2014 at 02:55:46PM +0900, AKASHI Takahiro wrote:
> >>> 1)
> >>> setting x0 to -ENOSYS is necessary because, otherwise, user-issued syscall(-1) will
> >>> return a bogus value when audit tracing is on.
> >>>
> >>> Please note that, on arm,
> >>>                   not traced      traced
> >>>                   ------          ------
> >>> syscall(-1)      aborted         OOPs(BUG_ON)
> >>> syscall(-3000)   aborted         aborted
> >>> syscall(1000)    ENOSYS          ENOSYS
> >>
> >> Two points here:
> >>
> >> 1. You've found a case which causes a BUG_ON().  Where is the bug report
> >>     for this, so the problem can be investigated and resolved?
> >
> > I think that I mentioned it could also happen on arm somewhere in a talk
> > with Will, but don't remember exactly when.
> 
> Sorry, not good enough.  Please report this bug so it can be investigated
> and fixed.

I'm going to go further than this, and tell you that you have been
downright irresponsible here, and I'm disgusted by your behaviour over
this.

You have revealed a potential security problem publically, effectively
giving details about how to cause it, but without having first reported
it to people who can fix it, nor providing a fix for it.

Why is it a security problem?  Although it can't be used to gain
information, it can be used potentially to deny service.  Any user can
trace a task which they own, and then set the task's syscall to -1,
which according to you results in a kernel oops.

If the kernel oops happens while holding any locks, that part of the
system becomes non-functional and can result in all userland stopping
dead.

-- 
FTTC broadband for 0.8mile line: currently at 9.5Mbps down 400kbps up
according to speedtest.net.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ