lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 21 Oct 2015 23:47:03 +0200
From:	Oleg Nesterov <oleg@...hat.com>
To:	Denys Vlasenko <dvlasenk@...hat.com>
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	Dmitry Vyukov <dvyukov@...gle.com>,
	Alexander Potapenko <glider@...gle.com>,
	Eric Dumazet <edumazet@...gle.com>,
	Jan Kratochvil <jan.kratochvil@...hat.com>,
	Julien Tinnes <jln@...gle.com>,
	Kees Cook <keescook@...gle.com>,
	Kostya Serebryany <kcc@...gle.com>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	"Michael Kerrisk (man-pages)" <mtk.manpages@...il.com>,
	Pedro Alves <palves@...hat.com>,
	Robert Swiecki <swiecki@...gle.com>,
	Roland McGrath <roland@...k.frob.com>,
	syzkaller@...glegroups.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] wait/ptrace: always assume __WALL if the child is
	traced

On 10/21, Denys Vlasenko wrote:
>
> On 10/21/2015 09:59 PM, Denys Vlasenko wrote:
> > On 10/21/2015 12:31 AM, Andrew Morton wrote:
> >> Well, to fix this a distro needs to roll out a new kernel.  Or a new
> >> init(8).  Is there any reason to believe that distributing/deploying a
> >> new kernel is significantly easier for everyone?  Because fixing init
> >> sounds like a much preferable solution to this problem.
> >
> > People will continue to write new init(8) implementations,
> > and they will miss this obscure case.
> >
> > Before this bug was found, it was considered possible to use
> > a shell script as init process. What now, every shell needs to add
> > __WALL to its waitpids?

Why not? I think it can safely use __WALL too.

> > The use of PTRACE_TRACEME in this reproducer is clearly pathological:
> > PTRACE_TRACEME was never intended to be used to attach to unsuspecting
> > processes.

Sure. But people do the things which were never intended to be
used all the time. We simply can not know if this "feature"
already has a creative user or not.

As for the patch,

> --- a/kernel/ptrace.c
> +++ b/kernel/ptrace.c
> @@ -385,6 +385,17 @@ static int ptrace_traceme(void)
>  	write_lock_irq(&tasklist_lock);
>  	/* Are we already being traced? */
>  	if (!current->ptrace) {
> +		struct pid_namespace *pid_ns;
> +
> +		pid_ns = task_active_pid_ns(current->parent);
> +		if (current->parent == pid_ns->child_reaper) {

Well, at least this needs same_thread_group(parent, child_reaper).

Plus we have PR_SET_CHILD_SUBREAPER so we also need to traverse the
->real_parent list if has_subreaper.

Finally it is not clear which ->child_reaper we should use after
setns(pidns_fd).

This all is fixable (although this again reminds me about a bug
with CHILD_SUBREAPER we probably need to fix first). But I didn't
even try to consider this option because it can break something.



And honestly, personally I don't like it. If we believe that we
can do this because "PTRACE_TRACEME was never intended to be used
to attach to unsuspecting processes", then we need a more generic
change, imo.

See http://marc.info/?l=linux-kernel&m=144536282305282 . Just in
case, it is not that I think "parent_exec_id != self_exec_id" is
all we need. This needs more discussion.

Oleg.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ