| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAJqdLroQx3v-xD279phQB1ToF70T-2cAbAA0SC-nbnAK+EHGmA@mail.gmail.com>
Date: Thu, 15 May 2025 16:03:49 +0200
From: Alexander Mikhalitsyn <alexander@...alicyn.com>
To: Christian Brauner <brauner@...nel.org>
Cc: linux-fsdevel@...r.kernel.org, Jann Horn <jannh@...gle.com>,
Daniel Borkmann <daniel@...earbox.net>, Kuniyuki Iwashima <kuniyu@...zon.com>,
Eric Dumazet <edumazet@...gle.com>, Oleg Nesterov <oleg@...hat.com>,
"David S. Miller" <davem@...emloft.net>, Alexander Viro <viro@...iv.linux.org.uk>,
Daan De Meyer <daan.j.demeyer@...il.com>, David Rheinsberg <david@...dahead.eu>,
Jakub Kicinski <kuba@...nel.org>, Jan Kara <jack@...e.cz>,
Lennart Poettering <lennart@...ttering.net>, Luca Boccassi <bluca@...ian.org>, Mike Yuan <me@...dnzj.com>,
Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>,
Zbigniew Jędrzejewski-Szmek <zbyszek@...waw.pl>,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
linux-security-module@...r.kernel.org
Subject: Re: [PATCH v7 7/9] coredump: validate socket name as it is written
Am Do., 15. Mai 2025 um 00:04 Uhr schrieb Christian Brauner
<brauner@...nel.org>:
>
> In contrast to other parameters written into
> /proc/sys/kernel/core_pattern that never fail we can validate enabling
> the new AF_UNIX support. This is obviously racy as hell but it's always
> been that way.
>
> Signed-off-by: Christian Brauner <brauner@...nel.org>
Reviewed-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@...onical.com>
> ---
> fs/coredump.c | 37 ++++++++++++++++++++++++++++++++++---
> 1 file changed, 34 insertions(+), 3 deletions(-)
>
> diff --git a/fs/coredump.c b/fs/coredump.c
> index 6ee38e3da108..d4ff08ef03e5 100644
> --- a/fs/coredump.c
> +++ b/fs/coredump.c
> @@ -1228,13 +1228,44 @@ void validate_coredump_safety(void)
> }
> }
>
> +static inline bool check_coredump_socket(void)
> +{
> + if (core_pattern[0] != '@')
> + return true;
> +
> + /*
> + * Coredump socket must be located in the initial mount
> + * namespace. Don't give the that impression anything else is
> + * supported right now.
> + */
> + if (current->nsproxy->mnt_ns != init_task.nsproxy->mnt_ns)
> + return false;
> +
> + /* Must be an absolute path. */
> + if (*(core_pattern + 1) != '/')
> + return false;
> +
> + return true;
> +}
> +
> static int proc_dostring_coredump(const struct ctl_table *table, int write,
> void *buffer, size_t *lenp, loff_t *ppos)
> {
> - int error = proc_dostring(table, write, buffer, lenp, ppos);
> + int error;
> + ssize_t retval;
> + char old_core_pattern[CORENAME_MAX_SIZE];
> +
> + retval = strscpy(old_core_pattern, core_pattern, CORENAME_MAX_SIZE);
> +
> + error = proc_dostring(table, write, buffer, lenp, ppos);
> + if (error)
> + return error;
> + if (!check_coredump_socket()) {
> + strscpy(core_pattern, old_core_pattern, retval + 1);
> + return -EINVAL;
> + }
>
> - if (!error)
> - validate_coredump_safety();
> + validate_coredump_safety();
> return error;
> }
>
>
> --
> 2.47.2
>
Powered by blists - more mailing lists