Message-ID: <20250509-querschnitt-fotokopien-6ae91dfdac45@brauner>
Date: Fri, 9 May 2025 17:40:14 +0200
From: Christian Brauner <brauner@...nel.org>
To: linux-fsdevel@...r.kernel.org, Jann Horn <jannh@...gle.com>, 
	Daniel Borkmann <daniel@...earbox.net>, Kuniyuki Iwashima <kuniyu@...zon.com>
Cc: Eric Dumazet <edumazet@...gle.com>, Oleg Nesterov <oleg@...hat.com>, 
	"David S. Miller" <davem@...emloft.net>, Alexander Viro <viro@...iv.linux.org.uk>, 
	Daan De Meyer <daan.j.demeyer@...il.com>, David Rheinsberg <david@...dahead.eu>, 
	Jakub Kicinski <kuba@...nel.org>, Jan Kara <jack@...e.cz>, 
	Lennart Poettering <lennart@...ttering.net>, Luca Boccassi <bluca@...ian.org>, Mike Yuan <me@...dnzj.com>, 
	Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>, 
	Zbigniew Jędrzejewski-Szmek <zbyszek@...waw.pl>, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, 
	linux-security-module@...r.kernel.org, Alexander Mikhalitsyn <alexander@...alicyn.com>
Subject: Re: [PATCH v5 4/9] coredump: add coredump socket

> Userspace can set /proc/sys/kernel/core_pattern to:
> 
>         @linuxafsk/coredump_socket

I have one other proposal that:

- avoids reserving a specific address
- doesn't require bpf or lsm to be safe
- allows for safe restart and crashes of the coredump server

To set up a coredump socket the coredump server must allocate a socket
cookie for the listening socket via SO_COOKIE. The socket cookie must be
used as the prefix in the abstract address for the coredump socket. It
can be followed by a \0 byte and then followed by whatever the coredump
server wants. For example:

12345678\0coredump.socket

When a task crashes and generates a coredump it will find the provided
address but also compare the prefixed SO_COOKIE value with the socket
cookie of the socket listening at that address. If they don't match it
will refuse to connect.

So even if the coredump server restarts or crashes and unprivileged
userspace recycles the socket address for an attack the crashing process
will detect this as the new listening socket will have gotten either a
new or no SO_COOKIE and the crashing process will not connect.

The coredump server just sets /proc/sys/kernel/core_pattern to:

        @SO_COOKIE/whatever

The "@" at the beginning indicates to the kernel that the abstract
AF_UNIX coredump socket will be used to process coredumps and the
indicating the end of the SO_COOKIE and the rest of the name.

Appended what that would look like.

View attachment "0001-coredump-add-coredump-socket.patch" of type "text/x-diff" (15284 bytes)
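
The server-side setup described in the message above, as an added example that is not part of the original e-mail or the attached patch. It assumes the cookie is written into the abstract name as decimal ASCII (the message does not fix the encoding); the helper names are hypothetical, and `cookie_prefix_matches` is only a user-space model of the comparison the message describes.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#ifndef SO_COOKIE
#define SO_COOKIE 57 /* asm-generic value, for older libc headers */
#endif
/* Assumption: decimal ASCII cookie. Fills "\0<cookie>\0<suffix>"; returns bind() length or 0. */
socklen_t build_coredump_addr(uint64_t cookie, const char *suffix, struct sockaddr_un *addr)
{
    char pfx[32];
    size_t n = (size_t)snprintf(pfx, sizeof(pfx), "%" PRIu64, cookie);
    size_t slen = strlen(suffix), total = 1 + n + 1 + slen;
    if (total > sizeof(addr->sun_path))
        return 0;
    memset(addr, 0, sizeof(*addr)); /* sun_path[0] == 0 selects the abstract namespace */
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path + 1, pfx, n);
    memcpy(addr->sun_path + 1 + n + 1, suffix, slen); /* separator byte stays \0 */
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + total);
}

/* Model of the described check: the name's prefix must equal the listener's cookie. */
int cookie_prefix_matches(const struct sockaddr_un *addr, socklen_t len, uint64_t cookie)
{
    char want[32];
    size_t off = offsetof(struct sockaddr_un, sun_path) + 1;
    size_t n = (size_t)snprintf(want, sizeof(want), "%" PRIu64, cookie);
    if (len < off || addr->sun_path[0] != '\0' || len - off < n ||
        memcmp(addr->sun_path + 1, want, n) != 0)
        return 0;
    return len - off == n || addr->sun_path[1 + n] == '\0'; /* end of name or separator */
}

int main(void)
{
    struct sockaddr_un addr;
    uint64_t cookie = 0;
    socklen_t optlen = sizeof(cookie), alen;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    /* Reading SO_COOKIE allocates the cookie for this socket before it is bound. */
    if (fd < 0 || getsockopt(fd, SOL_SOCKET, SO_COOKIE, &cookie, &optlen) < 0)
        return perror("socket/SO_COOKIE"), 1;
    alen = build_coredump_addr(cookie, "coredump.socket", &addr);
    if (!alen || bind(fd, (struct sockaddr *)&addr, alen) < 0 || listen(fd, 16) < 0)
        return perror("bind/listen"), 1;
    printf("listening, cookie prefix %" PRIu64 "\n", cookie);
    return 0;
}
```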
