From: Pete Zaitcev <zaitcev@redhat.com>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: torvalds@osdl.org, vsu@altlinux.ru, laforge@gnumonks.org,
linux-usb-devel@lists.sourceforge.net, vendor-sec@lst.de,
linux-kernel@vger.kernel.org, greg@kroah.com,
security@linux.kernel.org, zaitcev@redhat.com
Subject: Re: [Security] [vendor-sec] [BUG/PATCH/RFC] Oops while completing async USB via usbdevio
Date: Thu, 13 Oct 2005 16:00:10 -0700
Message-ID: <20051013160010.7cc532ae.zaitcev@redhat.com>
In-Reply-To: <1127840281.10674.5.camel@localhost.localdomain>
On Tue, 27 Sep 2005 17:58:00 +0100, Alan Cox <alan@lxorguk.ukuu.org.uk> wrote:
> On Maw, 2005-09-27 at 09:09 -0700, Linus Torvalds wrote:
> > > root-owned), then the urb completes, and kill_proc_info() sends the
> > > signal to the unsuspecting process.
> >
> > Ehh.. pid's don't get re-used until they wrap.
>
> Which doesn't take very long to arrange. Relying on pids is definitely a
> security problem we don't want to make worse than it already is.
The whole application cannot exit and leave URBs running behind,
because usbdevio_release() blocks until they are terminated.
Only separate threads can exit.
So, the only thing a malicious user can do is something like this:
- open /proc/bus/usb/BUS/DEV
- submit URB
- fork
- exit parent thread
- wait in the child until PIDs wrap very close to former parent
- exit and hope that someone forks while the exit is processing
Right? But if so, why don't we do something like this:
submit_urb()
    as->pid = current->pid;
    as->tgid = current->tgid;
    .....

async_complete()
    __kill_same_process(sig, info, as->pid, as->tgid);

/* DO NOT USE IN DRIVERS (other than USB core) */
__kill_same_process(int sig, struct siginfo *info, pid_t pid, pid_t tgid) {
    struct task_struct *we, *maybe_parent;

    lock(&tasklist_lock);
    we = find_task_by_pid(pid);
    maybe_parent = find_task_by_pid(tgid);  /* tgid is the group leader's pid */
    if (we != NULL && maybe_parent != NULL && we->parent == maybe_parent)
        send_sig_info(sig, info, we);
    unlock(&tasklist_lock);
}
This does not need to check any IDs, I think. Then we do not have to
ponder if effective or real is more appropriate, and if any sort of
new-fangled security thingies like capabilities apply.
-- Pete
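Added example, not code from this message or from the kernel: a userspace C model of the completion-side check, with a constructed task table standing in for the kernel's. It implements the intent stated in the prose (the recorded pid must still belong to the recorded thread group) rather than the literal parent comparison in the sketch; all struct and function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
/* Stand-in for task_struct: only the ids the proposal records. */
struct task { int pid; int tgid; bool alive; };
/* What submit_urb() would stash in the async request: as->pid, as->tgid. */
struct async_owner { int pid; int tgid; };
static struct task tasks[4];   /* constructed, tiny "tasklist" */

static struct task *find_task_by_pid(int pid)
{
    for (int i = 0; i < 4; i++)
        if (tasks[i].alive && tasks[i].pid == pid)
            return &tasks[i];
    return NULL;
}

/* Completion-side check: "send" only if the recorded pid still exists and
 * still belongs to the recorded thread group. Returns true where a kernel
 * would call send_sig_info(); the real thing runs under tasklist_lock. */
static bool kill_same_process(const struct async_owner *as)
{
    struct task *we = find_task_by_pid(as->pid);
    if (we == NULL || we->tgid != as->tgid)
        return false;   /* submitter gone, or its pid recycled by a stranger */
    return true;
}

static void set_task(int slot, int pid, int tgid, bool alive)
{
    tasks[slot].pid = pid; tasks[slot].tgid = tgid; tasks[slot].alive = alive;
}
/* Constructed scenario 1: thread 1001 of process 1000 submitted the URB and
 * is still alive at completion, so the signal is delivered. */
bool scenario_submitter_alive(void)
{
    struct async_owner as = { 1001, 1000 };
    set_task(0, 1000, 1000, true);
    set_task(1, 1001, 1000, true);
    return kill_same_process(&as);
}

/* Constructed scenario 2: thread 1001 exited, the pid counter wrapped and an
 * unrelated process now owns pid 1001 (its own tgid is 1001): no signal. */
bool scenario_pid_recycled(void)
{
    struct async_owner as = { 1001, 1000 };
    set_task(0, 1000, 1000, true);
    set_task(1, 1001, 1001, true);   /* the stranger that inherited pid 1001 */
    return kill_same_process(&as);
}
```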