Open Source and information security mailing list archives
Date: Sat, 14 Mar 2015 22:33:42 +0000
From: Stephane Chazelas <stephane.chazelas@...il.com>
To: netdev@...r.kernel.org
Cc: Werner Almesberger <Werner.Almesberger@...l.ch>, Vic Abell <vabell@...f.comcastbiz.net>
Subject: newline characters in unix socket names and /proc/net/unix

Hello,

it seems the kernel doesn't escape newline characters in the
file names displayed in /proc/net/unix

That file has this format:

Num RefCount Protocol Flags Type St Inode Path
ffff8802441bcb40: 00000002 00000000 00000000 0002 01 9219 /run/systemd/shutdownd
ffff8800a0651780: 00000002 00000000 00010000 0001 01 37020 /tmp/.menu-cached-:0-stephane
[...]

and is used by things like fuser, lsof for instance to map Inode
to Path (and libgtop, systemd (to check which sockets are still
in use for cleanup) at least).

# fuser /run/systemd/shutdownd
/run/systemd/shutdownd: 1
# fuser /tmp/.menu-cached-:0-stephane
/tmp/.menu-cached-:0-stephane: 4263

Now, one can bind a socket like:

socket=$'/tmp/foo\nffff8802441bcb40: 00000002 00000000 00000000 0002 01 9219 /tmp/.menu-cached-:0-stephane'
mkdir -p "${socket%/*}"
nc -lU "$socket"

Now /proc/net/unix has

Num RefCount Protocol Flags Type St Inode Path
ffff8802441bcb40: 00000002 00000000 00000000 0002 01 9219 /run/systemd/shutdownd
ffff8800a0651780: 00000002 00000000 00010000 0001 01 37020 /tmp/.menu-cached-:0-stephane
ffff880104af9400: 00000002 00000000 00010000 0001 01 5918000 /tmp/foo
ffff8802441bcb40: 00000002 00000000 00000000 0002 01 9219 /tmp/.menu-cached-:0-stephane

And fuser gives:

# fuser /run/systemd/shutdownd
# fuser /tmp/.menu-cached-:0-stephane
/tmp/.menu-cached-:0-stephane: 1 4263

Which could be a problem if the output of fuser were used to
decide what process to kill (like with -k).

I think at least newline characters (and the escape character
itself) should be escaped in there, maybe do something similar
to what is currently done for the process name in
/proc/self/status (fuser and lsof and the other tools would also
need to be updated to take the change into account, note that
lsof already chokes on space/tab/colon in there which I've
already reported to Vic).

Also note that /proc/net/unix doesn't change after a socket file
has been renamed, so even after that issue is fixed, fuser -k on
a socket may not be very reliable. Maybe it would help if the
filesystem device/inode for the socket file were added to
/proc/net/unix and/or if the path was updated like for the
symlink targets of /proc/self/fd/*.

--
Stephane
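
A consumer-side consistency check for the problem described in the message, added here as an example (not code from the post, fuser or lsof): it parses the text of /proc/net/unix and reports socket inodes claimed by more than one record, plus lines that are not well-formed records. The function name and the treatment of inode 0 as "no inode" are assumptions of this example; SAMPLE is the second listing from the message.

```python
import re
from collections import defaultdict

# Record layout from the message: Num: RefCount Protocol Flags Type St Inode [Path]
RECORD = re.compile(
    r"^[0-9a-fA-F]+: [0-9a-fA-F]{8} [0-9a-fA-F]{8} [0-9a-fA-F]{8} "
    r"[0-9a-fA-F]{4} [0-9a-fA-F]{2} +(?P<inode>\d+)(?: (?P<path>.*))?$"
)

# Second listing from the message (after the crafted socket name was bound).
SAMPLE = """\
Num RefCount Protocol Flags Type St Inode Path
ffff8802441bcb40: 00000002 00000000 00000000 0002 01 9219 /run/systemd/shutdownd
ffff8800a0651780: 00000002 00000000 00010000 0001 01 37020 /tmp/.menu-cached-:0-stephane
ffff880104af9400: 00000002 00000000 00010000 0001 01 5918000 /tmp/foo
ffff8802441bcb40: 00000002 00000000 00000000 0002 01 9219 /tmp/.menu-cached-:0-stephane
"""


def audit_proc_net_unix(text):
    """Return (duplicates, strays) for the text of /proc/net/unix.

    duplicates: {inode: [paths]} for inodes claimed by more than one record.
    strays: lines that are not well-formed records, e.g. the tail of a name
    that contains a newline.
    """
    # Split on "\n" only: str.splitlines() would also break on \r, \v, \f ...,
    # which are legal bytes inside a socket name.
    lines = text.split("\n")[1:]          # drop the column header
    if lines and lines[-1] == "":         # trailing newline of the file
        lines.pop()
    by_inode = defaultdict(list)
    strays = []
    for line in lines:
        m = RECORD.match(line)
        if m is None:
            strays.append(line)
            continue
        inode = int(m.group("inode"))
        if inode == 0:                    # assumption: 0 = no inode, not unique
            continue
        by_inode[inode].append(m.group("path") or "")
    duplicates = {i: p for i, p in by_inode.items() if len(p) > 1}
    return duplicates, strays


if __name__ == "__main__":
    dups, strays = audit_proc_net_unix(SAMPLE)
    for inode, paths in dups.items():
        print(f"inode {inode} appears in {len(paths)} records: {paths}")
    for line in strays:
        print(f"not a record: {line!r}")
```

On a live system, read the file with `errors="surrogateescape"` so that socket names that are not valid UTF-8 do not abort the check.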