lists.openwall.net: Open Source and information security mailing list archives
Date:	Tue, 16 Feb 2016 14:14:59 +0000
From:	Robert Shearman <rshearma@...cade.com>
To:	"Eric W. Biederman" <ebiederm@...ssion.com>
CC:	<davem@...emloft.net>, <netdev@...r.kernel.org>,
	Roopa Prabhu <roopa@...ulusnetworks.com>,
	Tom Herbert <tom@...bertland.com>, Thomas Graf <tgraf@...g.ch>,
	Jiri Benc <jbenc@...hat.com>
Subject: Re: [PATCH net-next 1/3] lwtunnel: autoload of lwt modules

On 15/02/16 21:33, Eric W. Biederman wrote:
> Robert Shearman <rshearma@...cade.com> writes:
>> @@ -85,6 +109,14 @@ int lwtunnel_build_state(struct net_device *dev, u16 encap_type,
>>   	ret = -EOPNOTSUPP;
>>   	rcu_read_lock();
>>   	ops = rcu_dereference(lwtun_encaps[encap_type]);
>> +#ifdef CONFIG_MODULES
>> +	if (!ops) {
>> +		rcu_read_unlock();
>> +		request_module("rtnl-lwt-%s", lwtunnel_encap_str(encap_type));
>> +		rcu_read_lock();
>> +		ops = rcu_dereference(lwtun_encaps[encap_type]);
>> +	}
>> +#endif
>>   	if (likely(ops && ops->build_state))
>>   		ret = ops->build_state(dev, encap, family, cfg, lws);
>>   	rcu_read_unlock();
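Review bot: the `if (!ops)` branch has no privilege check of its own, so any caller that reaches `lwtunnel_build_state()` with an unregistered encap type triggers `request_module()`; the CAP_NET_ADMIN gate this relies on lives entirely in the callers. Either add a comment above `#ifdef CONFIG_MODULES` recording that callers must already have enforced CAP_NET_ADMIN, or add an explicit `capable(CAP_NET_ADMIN)` check before `request_module()` so a future non-rtnetlink caller cannot autoload from an unprivileged context. Also, `lwtun_encaps[encap_type]` and `lwtunnel_encap_str(encap_type)` are indexed before any bounds check visible in this hunk; confirm `encap_type` is validated against LWTUNNEL_ENCAP_MAX earlier in the function.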
>
> My memory is fuzzy on how this is done elsewhere but this looks like it
> needs a capability check to ensure that non-root users can't trigger
> this.
>
> It tends to be problematic if a non-root user can trigger an autoload of
> a known-buggy module.  With a combination of user namespaces and network
> namespaces unprivileged users can cause just about every corner of the
> network stack to be exercised.

The same protections apply to this as to the IFLA_INFO_KIND module 
autoloading, namely by rtnetlink_rcv_msg ensuring that no messages other 
than gets can be done by an unprivileged user:

	type = nlh->nlmsg_type;
...
	type -= RTM_BASE;
...
	kind = type&3;

	if (kind != 2 && !netlink_net_capable(skb, CAP_NET_ADMIN))
		return -EPERM;

The lwtunnel_build_state function is only called by the processing of 
non-get message types.

Is this sufficient or are you looking for something in addition?

Thanks,
Rob
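A user-space model of the argument made in the reply above, added here as an example (it is not code from the patch or from the kernel): the rtnetlink `kind` check gates every non-GET message behind CAP_NET_ADMIN before any handler runs, so only privileged requests can reach the autoload path in `lwtunnel_build_state()`. The RTM_* and errno values mirror the Linux headers; the encap table, the fake `request_module()` and the encap type numbers are constructed for the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Values mirror <linux/rtnetlink.h> and <asm/errno.h>; kept local so the model builds anywhere. */
#define RTM_BASE     16
#define RTM_NEWROUTE 24
#define RTM_DELROUTE 25
#define RTM_GETROUTE 26
#define EPERM        1
#define EOPNOTSUPP   95
#define KIND_GET     2
#define ENCAP_MAX    4   /* constructed upper bound for the model's encap table */

/* rtnetlink_rcv_msg() derives the operation kind from the low two bits of (type - RTM_BASE):
 * 0 = NEW, 1 = DEL, 2 = GET, 3 = SET. */
static int rtnl_kind(uint16_t nlmsg_type) { return (nlmsg_type - RTM_BASE) & 3; }

/* Constructed stand-ins for lwtun_encaps[] and request_module(): only encap types 1 and 2
 * have a loadable "module"; the counter records every autoload attempt. */
static bool lwtun_encaps[ENCAP_MAX + 1];
static int request_module_calls;

static void model_request_module(uint16_t encap_type)
{
    request_module_calls++;
    if (encap_type == 1 || encap_type == 2)
        lwtun_encaps[encap_type] = true;   /* module init registers its ops */
}

/* Model of lwtunnel_build_state() with the patch applied: bounds check, lookup, autoload, retry. */
static int model_build_state(uint16_t encap_type)
{
    if (encap_type == 0 || encap_type > ENCAP_MAX)
        return -EOPNOTSUPP;
    if (!lwtun_encaps[encap_type])
        model_request_module(encap_type);
    return lwtun_encaps[encap_type] ? 0 : -EOPNOTSUPP;
}

/* Model of the rtnetlink receive path: the CAP_NET_ADMIN gate runs before any handler, and
 * only non-GET handlers build lwtunnel state, so a GET never reaches the autoload. */
static int model_rtnl_rcv(uint16_t nlmsg_type, uint16_t encap_type, bool cap_net_admin)
{
    if (rtnl_kind(nlmsg_type) != KIND_GET && !cap_net_admin)
        return -EPERM;
    if (rtnl_kind(nlmsg_type) == KIND_GET)
        return 0;
    return model_build_state(encap_type);
}
```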
