From: Jack Lloyd <lloyd@randombit.net>
To: gcc@gcc.gnu.org, linux-kernel@vger.kernel.org
Subject: Re: RELEASE BLOCKER: Linux doesn't follow x86/x86-64 ABI wrt direction flag
Date: Thu, 6 Mar 2008 15:16:33 -0500 [thread overview]
Message-ID: <20080306201633.GM27983@randombit.net> (raw)
In-Reply-To: <47D0495F.2090109@gnu.org>
On Thu, Mar 06, 2008 at 08:43:27PM +0100, Paolo Bonzini wrote:
> Jack Lloyd wrote:
> >On Thu, Mar 06, 2008 at 07:13:20PM +0100, Paolo Bonzini wrote:
> >>A process can send a signal via kill. IOW, a malicious process can
> >>*control when the process would be interrupted* in order to get it into
> >>the signal handler with DF=1.
> >
> >If the malicious process can send a signal to another process, it
> >could also ptrace() it. Which is more useful, if you wanted to be
> >malicious?
>
> 1) capabilities(7)
Ah you are right, I misinterpreted something from the man page
("non-root processes cannot trace processes that they cannot send
signals to") to mean something it did not (basically, that CAP_KILL
implied CAP_SYS_PTRACE, which from reading the kernel source is
clearly not the case...)
But still: so the threat here is of a malicious process with the
ability to send arbitrary signals to any process using CAP_KILL (since
in any other case when a process can send a signal, it can do much
more damage in other ways), which could leverage that into
(potentially) uid==0 using misexecuted code in a signal handler.
As a correctness issue, obviously this should be fixed/patched around,
if feasible. But as a security flaw? I'm not seeing much that is
compelling.
> 2) sometimes setuid programs send signals (e.g. SIGHUP or SIGUSR1)
I don't understand how this is a problem - unless these setuid
programs, while not malicious, can be tricked into signalling a
process they did not intend to. (In which case they already have a
major bug, df bit being cleared or not).
-Jack
next prev parent reply other threads:[~2008-03-06 20:16 UTC|newest]
Thread overview: 98+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-03-05 15:30 Linux doesn't follow x86/x86-64 ABI wrt direction flag Aurelien Jarno
2008-03-05 16:00 ` H. Peter Anvin
2008-03-05 19:58 ` Joe Buck
2008-03-05 20:23 ` Aurelien Jarno
2008-03-05 20:38 ` Michael Matz
2008-03-05 20:42 ` Joe Buck
2008-03-05 20:49 ` Jan Hubicka
2008-03-05 21:02 ` Michael Matz
2008-03-05 21:20 ` RELEASE BLOCKER: " Joe Buck
2008-03-05 21:32 ` Richard Guenther
2008-03-05 21:34 ` H. Peter Anvin
2008-03-05 21:40 ` Richard Guenther
2008-03-05 22:16 ` David Miller
2008-03-05 22:37 ` Joe Buck
2008-03-05 22:51 ` Michael Matz
2008-03-05 22:58 ` H. Peter Anvin
2008-03-05 23:07 ` Michael Matz
2008-03-05 23:10 ` David Miller
2008-03-05 23:16 ` Joe Buck
2008-03-05 23:12 ` Olivier Galibert
2008-03-05 21:43 ` Joe Buck
2008-03-05 21:44 ` Richard Guenther
[not found] ` <738B72DB-A1D6-43F8-813A-E49688D05771@apple.com>
2008-03-05 21:59 ` Michael Matz
2008-03-05 22:13 ` Adrian Bunk
2008-03-05 22:21 ` David Miller
2008-03-05 23:13 ` Olivier Galibert
2008-03-06 0:36 ` Chris Lattner
2008-03-06 0:47 ` H. Peter Anvin
[not found] ` <578FCA7D-D7A6-44F6-9310-4A97C13CDCBE@apple.com>
2008-03-06 1:12 ` H. Peter Anvin
2008-03-06 9:17 ` Jakub Jelinek
2008-03-06 13:51 ` Olivier Galibert
2008-03-06 14:03 ` Paolo Bonzini
2008-03-06 14:12 ` Olivier Galibert
2008-03-06 14:15 ` Andrew Haley
2008-03-06 17:58 ` Joe Buck
2008-03-06 18:10 ` Olivier Galibert
2008-03-06 18:13 ` Paolo Bonzini
2008-03-06 18:31 ` Jack Lloyd
2008-03-06 18:35 ` Andrew Pinski
2008-03-06 19:44 ` Paolo Bonzini
2008-03-06 19:43 ` Paolo Bonzini
2008-03-06 20:16 ` Jack Lloyd [this message]
2008-03-06 21:37 ` Artur Skawina
2008-03-06 15:09 ` Robert Dewar
2008-03-06 15:37 ` NightStrike
2008-03-06 15:43 ` H.J. Lu
2008-03-06 15:50 ` H. Peter Anvin
2008-03-06 16:23 ` Jakub Jelinek
2008-03-06 16:27 ` İsmail Dönmez
2008-03-06 16:58 ` H.J. Lu
2008-03-06 17:06 ` H. Peter Anvin
2008-03-06 17:14 ` H.J. Lu
2008-03-06 17:17 ` H. Peter Anvin
2008-03-06 17:34 ` H.J. Lu
2008-03-06 19:35 ` Robert Dewar
2008-03-06 17:18 ` Robert Dewar
2008-03-06 17:19 ` H. Peter Anvin
2008-03-06 19:25 ` Robert Dewar
2008-03-06 20:37 ` H. Peter Anvin
2008-03-07 8:28 ` Florian Weimer
2008-03-07 8:00 ` Andreas Jaeger
2008-03-06 15:57 ` Robert Dewar
2008-03-06 16:29 ` Paolo Bonzini
2008-03-06 17:18 ` H. Peter Anvin
2008-03-06 16:14 ` Artur Skawina
2008-03-06 0:49 ` Aurelien Jarno
2008-03-05 22:05 ` H. Peter Anvin
2008-03-06 2:11 ` Krzysztof Halasa
2008-03-06 8:44 ` Andi Kleen
2008-03-06 9:01 ` Jakub Jelinek
2008-03-06 15:20 ` H. Peter Anvin
2008-03-05 21:45 ` Aurelien Jarno
2008-03-05 21:43 ` Andrew Pinski
2008-03-05 21:43 ` Michael Matz
2008-03-05 22:12 ` Joe Buck
2008-03-05 22:17 ` David Miller
2008-03-05 23:17 ` Olivier Galibert
2008-03-05 23:21 ` David Daney
2008-03-06 14:06 ` Olivier Galibert
2008-03-08 19:10 ` Alexandre Oliva
2008-03-05 21:07 ` H. Peter Anvin
2008-03-05 20:44 ` H. Peter Anvin
2008-03-05 20:52 ` Aurelien Jarno
2008-03-05 21:23 ` David Miller
2008-03-06 9:53 ` Andrew Haley
2008-03-06 11:45 ` Andi Kleen
2008-03-06 12:06 ` Richard Guenther
2008-03-06 17:34 ` Joe Buck
2008-03-06 20:54 ` Richard Guenther
2008-03-06 20:56 ` H. Peter Anvin
2008-03-06 22:06 ` Andi Kleen
2008-03-07 4:56 ` Chris Lattner
2008-03-07 14:09 ` Michael Matz
2008-03-06 9:45 ` Mikael Pettersson
2008-03-05 16:56 ` H.J. Lu
2008-03-05 18:14 ` [PATCH] x86: Clear DF before calling signal handler Aurelien Jarno
2008-03-05 18:17 ` H. Peter Anvin
2008-03-06 9:21 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080306201633.GM27983@randombit.net \
--to=lloyd@randombit.net \
--cc=gcc@gcc.gnu.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.