Message-Id: <20190923145528.963075294@linutronix.de>
Date:   Mon, 23 Sep 2019 16:54:41 +0200
From:   Thomas Gleixner <tglx@...utronix.de>
To:     LKML <linux-kernel@...r.kernel.org>
Cc:     Frederic Weisbecker <fweisbec@...il.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Ingo Molnar <mingo@...nel.org>,
        Oleg Nesterov <oleg@...hat.com>,
        Michael Kerrisk <mtk.manpages@...glemail.com>,
        Kees Cook <keescook@...omium.org>
Subject: [patch V2 6/6] posix-cpu-timers: Return -EPERM if ptrace permission
 check fails

Returning -EINVAL when a permission check fails is not really intuitive and
can cause hard to diagnose problems.

The POSIX specification for clock_gettime() and timer_create() requires
obtaining the clock id first by invoking clock_getcpuclockid().

clock_getcpuclockid() can return -EPERM if the caller does not have
permissions. That does not make sense in two aspects:

 - Nothing prevents the caller from making up a clockid and feeding it into
   the syscalls

 - clock_getcpuclockid() is a helper function in glibc which just mangles
   the PID/TID bits to the proper place and glibc cannot do any permission
   checks at all for this function.

In order to prevent abuse the kernel has to do the permission checking in
timer_create() and clock_gettime(). Those functions have only -EINVAL as
documented return values, but returning -EINVAL for a valid clockid when
the permission check fails is not understandable for programmers.

So ignore the POSIX specification and return -EPERM when the ptrace
permission check fails.

Suggested-by: Peter Zijlstra <peterz@...radead.org>
Signed-off-by: Thomas Gleixner <tglx@...utronix.de>
---
V2: New patch.

TODO: Update timer_create.2 and clock_gettime.2 manpages
---
 kernel/time/posix-cpu-timers.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/time/posix-cpu-timers.c
+++ b/kernel/time/posix-cpu-timers.c
@@ -107,7 +107,7 @@ static struct task_struct *lookup_task(c
 	}
 
 	/* Decide based on the ptrace permissions. */
-	return ptrace_may_access(p, mode) ? p : ERR_PTR(-EINVAL);
+	return ptrace_may_access(p, mode) ? p : ERR_PTR(-EPERM);
 }
 
 static struct task_struct *__get_task_for_clock(const clockid_t clock,
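
Review bot: The new ERR_PTR(-EPERM) on the last line of lookup_task() only becomes the errno userspace sees if every caller passes PTR_ERR() through unchanged. The diff shows only this one return, so it is worth confirming that __get_task_for_clock() and the syscall paths built on it do not fold the error back into -EINVAL. The comment "Decide based on the ptrace permissions." could also say that a failed check yields -EPERM on purpose, against the documented return values, since the TODO notes that timer_create.2 and clock_gettime.2 do not describe it yet. If the earlier failure paths in this function return a different errno, a caller passing a made-up clockid can tell an existing but inaccessible task from a nonexistent one; the changelog should state that this is accepted.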

