lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 5 Jul 2017 19:45:25 -0700
From:   Kees Cook <>
To:     Andy Lutomirski <>
Cc:     Linus Torvalds <>,
        Michal Hocko <>,
        Ben Hutchings <>, Willy Tarreau <>,
        Hugh Dickins <>,
        Oleg Nesterov <>,
        "Jason A. Donenfeld" <>,
        Rik van Riel <>,
        Larry Woodman <>,
        "Kirill A. Shutemov" <>,
        Tony Luck <>,
        "James E.J. Bottomley" <>,
        Helge Diller <>,
        James Hogan <>,
        Laura Abbott <>, Greg KH <>,
        "" <>,
        Qualys Security Advisory <>,
        LKML <>,
        Ximin Luo <>
Subject: Re: [PATCH] mm: larger stack guard gap, between vmas

On Wed, Jul 5, 2017 at 5:19 PM, Andy Lutomirski <> wrote:
> On Wed, Jul 5, 2017 at 4:50 PM, Kees Cook <> wrote:
>> As part of that should we put restrictions on the environment of
>> set*id exec too? Part of the risks demonstrated by Qualys was that
>> allowing a privilege-elevating binary to inherit rlimits can have lead
>> to the nasty memory layout side-effects. That would fall into the
>> "hardening" bucket as well. And if it turns out there is some set*id
>> binary out there that can't run with "only", e.g., 128MB of stack, we
>> can make it configurable...
> Yes.  I think it's ridiculous that you can change rlimits and then
> exec a setuid thing.  It's not so easy to fix, though.  Maybe track,
> per-task, inherited by clone and exec, what the rlimits were the last
> time the process had privilege and reset to those limits when running
> something setuid.  But a better approach might be to have some sysctls
> that say what the rlimits become when doing setuid.
> We need per-user-ns sysctls for stuff like this, and we don't really
> have them...

In userspace, the way that sensible rlimit defaults were selected by
PAM when building an initial environment is to just examine the
rlimits of init. Maybe we could just do the same thing here, which
gives us some level of namespace control.


Kees Cook
Pixel Security

Powered by blists - more mailing lists