| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180727143141.4b53d554@gandalf.local.home>
Date: Fri, 27 Jul 2018 14:31:41 -0400
From: Steven Rostedt <rostedt@...dmis.org>
To: Nick Desaulniers <ndesaulniers@...gle.com>
Cc: Jann Horn <jannh@...gle.com>, Golden_Miller83@...tonmail.ch,
greg@...ah.com, Kees Cook <keescook@...gle.com>,
salyzyn@...roid.com, LKML <linux-kernel@...r.kernel.org>,
mingo@...hat.com, kernel-team@...roid.com, stable@...r.kernel.org,
kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH] tracing: do not leak kernel addresses
On Fri, 27 Jul 2018 11:13:51 -0700
Nick Desaulniers <ndesaulniers@...gle.com> wrote:
> I found the internal bug report (reported Jan '17, you'll have to
> forgive me if my memory of the issue is hazy, or if the fix used at
> the time wasn't perfect), which was reported against the Nexus 6.
> >From the report, it was possible to `cat
> /sys/kernel/debug/tracing/printk_formats` without being root, which I
> can't do on my workstations much more modern kernel (Nexus 6 was
> 3.10). So I guess the question is what governs access to files below
> /sys/kernel/debug, and why was it missing from those kernels? I
> assume some check was added, but either not backported to 3.10 stable
> (or more likely not pulled in to Nexus 6's kernel through stable;
> Android is now in a much better place for that kind of issue).
As of commit 82aceae4f0d4 ("debugfs: more tightly restrict default
mount mode") /sys/kernel/debug has been default mounted as 0700 (root
only). But that was introduced in 3.7. Not sure why your 3.10 kernel
didn't have that. Perhaps there's another commit that fixed
permissions not being inherited?
-- Steve
Powered by blists - more mailing lists