lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Sat, 27 Dec 2014 18:14:13 +0000
From:	Al Viro <>
To:	Piotr Karbowski <>
Subject: Re: [BUG] rename() from outside of the target dir breaks /proc exe

On Sat, Dec 27, 2014 at 06:39:54PM +0100, Piotr Karbowski wrote:
> Hi,
> There's something wrong about exe symlink that can be found insde
> /proc/<pid>/ directories. When the running binary is replaced with
> another, using rename() call, the symlink may point to wrong path.
> As example let me use sshd. I have running sshd from /usr/sbin. If I
> replace /usr/sbin/sshd one could expect to see exe symlink pointing
> to '/usr/sbin/sshd (deleted)', it does work this way if the source
> of rename() was in the same directory or nested within, thus rename
> like:
> rename("/usr/sbin/foo", "/usr/sbin/sshd")
> and
> rename("/usr/sbin/bar/sshd", "/usr/sbin/sshd")
> ends with a proper '/usr/sbin/sshd (deleted)' symlink.
> if however the source was outside of the target directory, the
> symlink will point to the source path of rename() calls with
> 'deleted' sufix.
> Here's example:
> sbin # for i in `pidof sshd`; do ls -l /proc/$i/exe; done
> lrwxrwxrwx 1 root root 0 Dec 27 18:09 /proc/29047/exe -> /usr/sbin/sshd
> sbin # cp sshd /root/foo
> sbin # strace -f perl -e 'rename("/root/foo", "/usr/sbin/sshd")'
> 2>&1 | grep sshd
> rename("/root/foo", "/usr/sbin/sshd")   = 0
> sbin # for i in `pidof sshd`; do ls -l /proc/$i/exe; done
> lrwxrwxrwx 1 root root 0 Dec 27 18:09 /proc/29047/exe -> /root/sshd
> (deleted)
> I am unable to find kernel version where it worked as one could
> presume thus I cannot offer to bisect commits to find the bad one.

That's because it never _had_ worked.  Note that opening the damn thing
will give the right file - it does not work by traversing the result of
readlink(2).  readlink(2) output on those is not promised to be useful
in all cases; often enough it is, but it won't work on cross-directory
renames, it can't be used to tell a filename that really ends with " (deleted)"
from a removed file, etc.  Moreover, it only very recently became usable for
victim names with the last component longer than 40 characters if you did an
overwriting rename.

What are you trying to use it for?
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

Powered by blists - more mailing lists