lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20200324115212.GA10095@redhat.com>
Date:   Tue, 24 Mar 2020 12:52:12 +0100
From:   Oleg Nesterov <oleg@...hat.com>
To:     "Eric W. Biederman" <ebiederm@...ssion.com>
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        Davidlohr Bueso <dave@...olabs.net>,
        Manfred Spraul <manfred@...orfullife.com>,
        Markus Elfring <elfring@...rs.sourceforge.net>,
        Yoji <yoji.fujihar.min@...il.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ipc/mqueue.c: change __do_notify() to bypass
 check_kill_permission()

On 03/23, Eric W. Biederman wrote:
>
> So far what we have is a report Oleg has read somewhere that some
> program doing something regressed, and his patch to fix that specific
> program.  This problem was not noticed for several years.

Yes, this was reported on bugzilla.redhat.com, I'll add you to CC list.

> Presumably the problem is that a message queue was written to by one
> user and was read by another user to cause check_kill_permission to
> fail. Can someone tell me if that was the case?

I do not know. Yoji, did you hit this bug or did you find it by code
inspection ?

> So I am looking for something that makes it clear we are not removing
> a permission checking and backporting a security hole.

Yes, I thought about this too. I can be easily wrong, please correct me,
but I came to conclusion the old behaviour (no permission check) is fine
security-wise.

> Further even if in the common case it is the right thing to do to remove
> the permission check, the handling around exec looks bad enough that we
> will be backporting a security hole if we don't fix that and backport
> that at the same time.

could you explain what exactly you do not like wrt mq_notify/exec ?
I must have missed something.

> p.s. I am grouchy as temporary fixes in this part of the code base
>      don't tend to be temporary  and the entire signal/exec/ptrace world
>      is bordering on unmaintainble and incomprehensible as a result.

Eric, please feel free to make another fix you like more. I know that
I can't convince you anyway, I won't argue.
Oleg.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ