From: Al Viro <viro@ftp.linux.org.uk>
To: Kyle Moffett <mrmacman_g4@mac.com>
Cc: Ulrich Drepper <drepper@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Davide Libenzi <davidel@xmailserver.org>,
Alan Cox <alan@lxorguk.ukuu.org.uk>, Theodore Tso <tytso@mit.edu>,
Eric Dumazet <dada1@cosmosbay.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Ingo Molnar <mingo@elte.hu>
Subject: Re: [patch 7/8] fdmap v2 - implement sys_socket2
Date: Sat, 9 Jun 2007 21:06:45 +0100
Message-ID: <20070609200645.GG4095@ftp.linux.org.uk>
In-Reply-To: <2E51520E-EC73-457F-809A-4749ED9A3C97@mac.com>

On Sat, Jun 09, 2007 at 03:27:43PM -0400, Kyle Moffett wrote:
> On Jun 09, 2007, at 13:24:29, Al Viro wrote:
> >On Sat, Jun 09, 2007 at 10:08:59AM -0700, Ulrich Drepper wrote:
> >>- - there are two interface to use: open + fcntl. This is racy.
> >>And don't tell me this doesn't matter.
> >Racy with respect to what? Return-to-libc exploits from another
> >thread?
>
> How about racy with respect to normal open
How the hell can it be racy wrt normal open()? F_DUPFD is not dup2(),
it's non-overriding.
> or fork+exec from another
> thread? Specifically there are cases where libc or other libraries
> want to create a backend thread dealing with file descriptors in
> response to the program's straightforward calls into that library
> (Examples include using syslets or event-based polling threads).
>
>
> SCENARIO 1:
>
> Program Thread: Library Thread:
> fd = socket(AF_*, SOCK_*, 0);
> fork();
> int x = FD_CLOEXEC;
> fcntl(fd, F_SETFD, x);
>
> New Process:
> setgroups(...);
> seteuid(...);
> exec(....);
>
> Whoops!!! Suddenly the user process executed by the (theoretically)
> single-threaded program got a handle to a netlink socket affecting
> some system resource!!!
Give me a break. fork(3) is nowhere near plain fork(2); read the nptl
code for details. Getting a low-overhead exclusion into that scheme is not
rocket science. And lose the bangs, please...
> SCENARIO 2:
>
> Program Thread: Async libc getpwent()-cache syslet
> close(0);
> fd = open("/etc/shadow");
> open("/dev/null");
> code_which_insecurely_reads_from_stdin();
From what, again? Use of stdio after that is deep in nasal demon land...
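The window scenario 1 turns on, shown as an added example that is not code from this thread: a fork() landing between socket() and the fcntl(F_SETFD) call leaves the child's copy of the descriptor without FD_CLOEXEC, whereas SOCK_CLOEXEC (the per-call flag socket(2) later gained) sets the bit in the creating syscall. It assumes Linux/glibc and that an AF_UNIX socket can be created; the fork() is done by the same thread purely to stand in for the program thread's fork().

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if fd carries FD_CLOEXEC, 0 if not, -1 on error. */
static int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : !!(flags & FD_CLOEXEC);
}

/* Model of scenario 1. The child inherits the fd table as it was at fork
 * time, so an fcntl() issued by the parent afterwards cannot protect the
 * child's copy. type_flags == 0 reproduces the two-step socket()+fcntl()
 * sequence; SOCK_CLOEXEC makes the flag part of the creating syscall.
 * Returns the child's view of the bit: 0 = would leak across exec,
 * 1 = protected, -1 on error. */
static int child_sees_cloexec(int type_flags)
{
    int fd = socket(AF_UNIX, SOCK_STREAM | type_flags, 0);
    if (fd < 0)
        return -1;
    pid_t pid = fork();          /* race point: fd exists, flag not yet set */
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0)
        _exit(has_cloexec(fd) == 1 ? 1 : 0);
    if (!type_flags)
        fcntl(fd, F_SETFD, FD_CLOEXEC);   /* second step: too late for child */
    int status;
    waitpid(pid, &status, 0);
    close(fd);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("socket()+fcntl():     child sees FD_CLOEXEC = %d\n", child_sees_cloexec(0));
    printf("socket(SOCK_CLOEXEC): child sees FD_CLOEXEC = %d\n",
           child_sees_cloexec(SOCK_CLOEXEC));
    return 0;
}
```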