| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20161024190034.GA29407@outlook.office365.com>
Date: Mon, 24 Oct 2016 12:00:35 -0700
From: Andrey Vagin <avagin@...tuozzo.com>
To: Cyrill Gorcunov <gorcunov@...il.com>
CC: "Eric W. Biederman" <ebiederm@...ssion.com>,
LKML <linux-kernel@...r.kernel.org>,
Pavel Emelyanov <xemul@...tuozzo.com>
Subject: Re: [ISSUE] mm: Add a user_ns owner to mm_struct and fix
ptrace_may_access
On Mon, Oct 24, 2016 at 01:59:59PM +0300, Cyrill Gorcunov wrote:
> Hi Eric! A few days ago we've noticed that our zombie00 test case started
> failing: https://ci.openvz.org/job/CRIU/view/All/job/CRIU-linux-next/406/console
> ---
> ======================== Run zdtm/static/zombie00 in h =========================
> Start test
> ./zombie00 --pidfile=zombie00.pid --outfile=zombie00.out
> Run criu dump
> Run criu restore
> Send the 15 signal to 30
> Wait for zdtm/static/zombie00(30) to die for 0.100000
> ################ Test zdtm/static/zombie00 FAIL at result check ################
>
> I've narrowed problem down to commit
>
> | From ce99dd5fd5f600f9f4f0d37bb8847c1cb7c6e4fc Mon Sep 17 00:00:00 2001
> | From: "Eric W. Biederman" <ebiederm@...ssion.com>
> | Date: Thu, 13 Oct 2016 21:23:16 -0500
> | Subject: [PATCH] mm: Add a user_ns owner to mm_struct and fix
> | ptrace_may_access
> |
> | During exec dumpable is cleared if the file that is being executed is
> | not readable by the user executing the file. A bug in
> | ptrace_may_access allows reading the file if the executable happens to
> | enter into a subordinate user namespace (aka clone(CLONE_NEWUSER),
> | unshare(CLONE_NEWUSER), or setns(fd, CLONE_NEWUSER).
>
> and the reason is that the zombie tasks do not have task::mm and in resut
> we're obtaining -EPERM when trying to read task->exit_code from /proc/pid/stat.
To be precise,
we are obtaining 0 instead of task->exit_ode, because permitted is
false:
static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
...
permitted = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS |
PTRACE_MODE_NOAUDIT);
...
if (permitted)
seq_put_decimal_ll(m, " ", task->exit_code);
else
seq_puts(m, " 0");
>
> Looking into commit I suspect when mm = NULL we've to move back the test
> ptrace_has_cap(__task_cred(task)->user_ns, mode)?
Powered by blists - more mailing lists