From: Frederik Deweerdt <deweerdt@free.fr>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Amnon Shiloh <amnons@cs.huji.ac.il>,
linux-kernel@vger.kernel.org, akpm@osdl.org, gregkh@suse.de
Subject: Re: [2.6.18 patch] fix mem_write return value (was: Re: bug report: mem_write)
Date: Thu, 24 Aug 2006 22:07:47 +0000 [thread overview]
Message-ID: <20060824220747.GA3197@slug> (raw)
In-Reply-To: <m17j0ym6un.fsf@ebiederm.dsl.xmission.com>
On Thu, Aug 24, 2006 at 10:33:20AM -0600, Eric W. Biederman wrote:
> Frederik Deweerdt <deweerdt@free.fr> writes:
>
> > On Thu, Aug 24, 2006 at 11:25:37AM +0300, Amnon Shiloh wrote:
> >> Hi,
> >>
> >> Alright, I know that "mem_write" (fs/proc/base.c) is a "security hazard",
> >> but I need to use it anyway (as super-user only), and find it broken,
> >> somewhere between Linux-2.6.17 and Linux-2.6.18-rc4.
> >>
> >> The point is that in the beginning of the routine, "copied" is set to 0,
> >> but it is no good because in lines 805 and 812 it is set to other values.
> >> Finally, the routine returns as if it copied 12 (=ENOMEM) bytes less than
> >> it actually did.
> > True, it looks like the faulty commit is:
> > de7587343bfebc186995ad294e3de0da382eb9bc
>
> Actually it was: 99f895518368252ba862cc15ce4eb98ebbe1bec6
> Which is what you url points to, odd.
>
> > http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=99f895518368252ba862cc15ce4eb98ebbe1bec6;hp=8578cea7509cbdec25b31d08b48a92fcc3b1a9e3
> >
> > The attached patch should fix it. Maybe that should go to 2.6.18.
> > Thanks for the bug report,
>
> The patch looks correct. Although this won't cause anyone problems as the code
> is disabled.
Right, I missed this, so this is really not urgent.
>
> Signed-off-by: Eric Biederman <ebiederm@xmission.com>
>
> As for enabling this. I believe we need an extra permission check just before
> we copy the data from our temporary buffer to the target task, to ensure
> nothing has changed. The history does not really capture why this code
> was disabled, but before this gets enabled I would like to understand more
> than just the comment. I believe with a little care this can be safely enabled
> as it doesn't let you do anything ptrace wouldn't do, and it should let you do
> it anytime except when ptrace would allow it. Thus not introducing any new
> security holes.
I've found two interesting links on that:
http://lkml.org/lkml/2006/3/10/224
and
http://www.google.com/search?q=cache:4y8MWSuHOpIJ:files.security-protocols.com/kernelhacking/procpidmem.pdf&hl=en&ct=clnk&cd=3&client=firefox-a
The second one in particular goes in great detail on why the author
thinks this is dangerous, and what could be done to re-enable it.
Regards,
Frederik
next prev parent reply other threads:[~2006-08-24 20:08 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-08-24 8:25 bug report: mem_write Amnon Shiloh
2006-08-24 10:35 ` Gerard J Snitselaar
2006-08-24 14:00 ` [2.6.18 patch] fix mem_write return value (was: Re: bug report: mem_write) Frederik Deweerdt
2006-08-24 16:33 ` Eric W. Biederman
2006-08-24 22:07 ` Frederik Deweerdt [this message]
2006-08-25 1:05 ` Amnon Shiloh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060824220747.GA3197@slug \
--to=deweerdt@free.fr \
--cc=akpm@osdl.org \
--cc=amnons@cs.huji.ac.il \
--cc=ebiederm@xmission.com \
--cc=gregkh@suse.de \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.