lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20150314223342.GA4146@chaz.gmail.com>
Date:	Sat, 14 Mar 2015 22:33:42 +0000
From:	Stephane Chazelas <stephane.chazelas@...il.com>
To:	netdev@...r.kernel.org
Cc:	Werner Almesberger <Werner.Almesberger@...l.ch>,
	Vic Abell <vabell@...f.comcastbiz.net>
Subject: newline characters in unix socket names and /proc/net/unix

Hello,

it seems the kernel doesn't escape newline characters in the
file names displayed in /proc/net/unix

That file has this format:

Num       RefCount Protocol Flags    Type St Inode Path
ffff8802441bcb40: 00000002 00000000 00000000 0002 01  9219 /run/systemd/shutdownd
ffff8800a0651780: 00000002 00000000 00010000 0001 01 37020 /tmp/.menu-cached-:0-stephane
[...]


and is used by things like fuser, lsof for instance to map Inode
to Path (and libgtop, systemd (to check which sockets are still
in use for cleanup) at least).

# fuser /run/systemd/shutdownd
/run/systemd/shutdownd:     1
# fuser /tmp/.menu-cached-:0-stephane
/tmp/.menu-cached-:0-stephane:  4263

Now, one can bind a socket like:

socket=$'/tmp/foo\nffff8802441bcb40: 00000002 00000000 00000000 0002 01  9219 /tmp/.menu-cached-:0-stephane'
mkdir -p "${socket%/*}"
nc -lU "$socket"

Now /proc/net/unix has

Num       RefCount Protocol Flags    Type St Inode Path
ffff8802441bcb40: 00000002 00000000 00000000 0002 01  9219 /run/systemd/shutdownd
ffff8800a0651780: 00000002 00000000 00010000 0001 01 37020 /tmp/.menu-cached-:0-stephane
ffff880104af9400: 00000002 00000000 00010000 0001 01 5918000 /tmp/foo
ffff8802441bcb40: 00000002 00000000 00000000 0002 01  9219 /tmp/.menu-cached-:0-stephane

And fuser gives:

# fuser /run/systemd/shutdownd
# fuser /tmp/.menu-cached-:0-stephane
/tmp/.menu-cached-:0-stephane:     1  4263

Which could be a problem if the output of fuser were used to
decide what process to kill (like with -k).

I think at least newline characters (and the escape character
itself) should be escaped in there, maybe do something similar
to what is currently done for the process name in
/proc/self/status

(fuser and lsof and the other tools would also need to be
updated to take the change into account, note that lsof already
chokes on space/tab/colon in there which I've already reported
to Vic).

Also note that /proc/net/unix doesn't change after a socket file
has been renamed, so even after that issue is fixed, fuser -k on
a socket may not be very reliable. Maybe it would help if the
filesystem device/inode for the socket file were added to
/proc/net/unix and/or if the path was updated like for the
symlink targets of /proc/self/fd/*.

-- 
Stephane
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ