lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <0106cf74-e308-fc20-b76f-e8a6253c3d66@colorfullife.com>
Date:   Thu, 22 Sep 2016 21:42:54 +0200
From:   Manfred Spraul <manfred@...orfullife.com>
To:     Davidlohr Bueso <dave@...olabs.net>
Cc:     Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        akpm@...ux-foundation.org
Subject: Re: [PATCH 4/5] ipc/msg: Lockless security checks for msgsnd

On 09/22/2016 12:21 AM, Davidlohr Bueso wrote:
> On Sun, 18 Sep 2016, Manfred Spraul wrote:
>
>>> Just as with msgrcv (along with the rest of sysvipc since a few years
>>>    ago), perform the security checks without holding the ipc object 
>>> lock.
>> Thinking about it: isn't this wrong?
>>
>> CPU1:
>> * msgrcv()
>> * ipcperms()
>> <sleep>
>>
>> CPU2:
>> * msgctl(), change permissions
>> ** msgctl() returns, new permissions should now be in effect
>> * msgsnd(), send secret message
>> ** msgsnd() returns, new message stored.
>>
>> CPU1: resumes, receives secret message
>
> Hmm, would this not apply to everything IPC_SET, we do lockless 
> ipcperms()
> all over the place.
>
>> Obviously, we could argue that the msgrcv() was already ongoing and 
>> therefore the old permissions still apply - but then we don't need to 
>> recheck after sleeping at all.
>
> There is that, and furthermore we make no such guarantees under 
> concurrency.
> Another way of looking at it could perhaps be IPC_SET returning EPERM if
> there's an unserviced msgrcv -- but I'm not suggesting doing this btw ;)
I looked at it by comparing how we handle ipcperms and 
security_msg_queue_xx():
The security_msg_queue_xx are called under the lock, or actually the 
msgrcv even looks at the message that is transferred.

For ipc/sem.c and ipc/shm.c, both operations are called outside the lock.

So, my proposal would be that ipcperms and security_xx should show the 
same behavior regarding concurrent ops.
And this would mean that we should not move ipcperms() in msgrcv outside 
of the lock, i.e. drop the patch.

But if you have a better rational, feel free. But please document it in 
the changelog.

--
     Manfred

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ