lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 13 Feb 2019 17:35:17 -0800
From:   Kees Cook <keescook@...omium.org>
To:     Samuel Dionne-Riel <samuel@...nne-riel.com>
Cc:     Richard Weinberger <richard.weinberger@...il.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Graham Christensen <graham@...hamc.com>,
        Oleg Nesterov <oleg@...hat.com>,
        Michal Hocko <mhocko@...e.com>,
        Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: Userspace regression in LTS and stable kernels

On Wed, Feb 13, 2019 at 5:27 PM Samuel Dionne-Riel
<samuel@...nne-riel.com> wrote:
> If I understand right, you're asking whether it should return NOEXEC
> if, of the first 128 bytes of the shebang, there are no spaces, but a
> too long shebang? I wouldn't know for sure. The behaviour would
> change. Instead failing due to trying to execute a shortened path, it
> would fall back to the shell interpreter interpreting the file, which,
> due to the inclusion of a specific shebang, might be a wrong
> assumption still. Here I believe it's still in the "undefined
> behaviour" territory, but one where it fails early for the userspace.

The original problem that was trying to be fixed here was to disallow
execution of a truncated interpreter path. It was assumed argument
truncate was just as bad, but it's not, since the interpreter can (and
does!) re-read the script to get the right arguments.

So, I've sent a fix-up patch that should disallow the path truncation,
but pass through the argument truncation as before. This passes all
the tests I built:

$ ls -l /AAA*/perl
-rwxr-xr-x 1 root root 129 Feb 13 17:17
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/perl
-rwxr-xr-x 1 root root 129 Feb 13 17:17
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/perl
-rwxr-xr-x 1 root root 129 Feb 13 17:17
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/perl
-rwxr-xr-x 1 root root 129 Feb 13 17:17
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/perl
-rwxr-xr-x 1 root root 129 Feb 13 17:17
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/perl

$ ./test.pl
Arg # 0 : /nix/store/mbwav8kz8b3y471wjsybgzw84mrh4js9-perl-5.28.1/bin/perl
Arg # 1 : -I/nix/store/x6yyav38jgr924nkna62q3pkp0dgmzlx-perl5.28.1-Fi
Arg # 2 : ./test.pl
$ ./AAAA.pl
Error: no such file "I should fail to run huge interp\n"
$ ./A128.pl
Error: no such file "I should fail to run 128 byte buf interp\n"
$ ./A127.pl
Error: no such file "I should fail to run 127 byte buf interp\n"
$ ./A126.pl
Arg # 0 : '/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/perl'
Arg # 1 : './A126.pl'
$ ./A125space.pl
Arg # 0 : '/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/perl'
Arg # 1 : './A125space.pl'

Are you able to test the patch and report back?

Thanks again for bringing this to our attention!

-- 
Kees Cook

Powered by blists - more mailing lists