| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 14 Mar 2015 22:33:42 +0000
From: Stephane Chazelas <stephane.chazelas@...il.com>
To: netdev@...r.kernel.org
Cc: Werner Almesberger <Werner.Almesberger@...l.ch>,
Vic Abell <vabell@...f.comcastbiz.net>
Subject: newline characters in unix socket names and /proc/net/unix
Hello,
it seems the kernel doesn't escape newline characters in the
file names displayed in /proc/net/unix
That file has this format:
Num RefCount Protocol Flags Type St Inode Path
ffff8802441bcb40: 00000002 00000000 00000000 0002 01 9219 /run/systemd/shutdownd
ffff8800a0651780: 00000002 00000000 00010000 0001 01 37020 /tmp/.menu-cached-:0-stephane
[...]
and is used by things like fuser, lsof for instance to map Inode
to Path (and libgtop, systemd (to check which sockets are still
in use for cleanup) at least).
# fuser /run/systemd/shutdownd
/run/systemd/shutdownd: 1
# fuser /tmp/.menu-cached-:0-stephane
/tmp/.menu-cached-:0-stephane: 4263
Now, one can bind a socket like:
socket=$'/tmp/foo\nffff8802441bcb40: 00000002 00000000 00000000 0002 01 9219 /tmp/.menu-cached-:0-stephane'
mkdir -p "${socket%/*}"
nc -lU "$socket"
Now /proc/net/unix has
Num RefCount Protocol Flags Type St Inode Path
ffff8802441bcb40: 00000002 00000000 00000000 0002 01 9219 /run/systemd/shutdownd
ffff8800a0651780: 00000002 00000000 00010000 0001 01 37020 /tmp/.menu-cached-:0-stephane
ffff880104af9400: 00000002 00000000 00010000 0001 01 5918000 /tmp/foo
ffff8802441bcb40: 00000002 00000000 00000000 0002 01 9219 /tmp/.menu-cached-:0-stephane
And fuser gives:
# fuser /run/systemd/shutdownd
# fuser /tmp/.menu-cached-:0-stephane
/tmp/.menu-cached-:0-stephane: 1 4263
Which could be a problem if the output of fuser were used to
decide what process to kill (like with -k).
I think at least newline characters (and the escape character
itself) should be escaped in there, maybe do something similar
to what is currently done for the process name in
/proc/self/status
(fuser and lsof and the other tools would also need to be
updated to take the change into account, note that lsof already
chokes on space/tab/colon in there which I've already reported
to Vic).
Also note that /proc/net/unix doesn't change after a socket file
has been renamed, so even after that issue is fixed, fuser -k on
a socket may not be very reliable. Maybe it would help if the
filesystem device/inode for the socket file were added to
/proc/net/unix and/or if the path was updated like for the
symlink targets of /proc/self/fd/*.
--
Stephane
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists