From: Al Viro <viro@ZenIV.linux.org.uk>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>,
Vegard Nossum <vegard.nossum@gmail.com>,
"Koyama, Yoshiya" <Yoshiya.Koyama@hp.com>,
"Rafael J. Wysocki" <rjw@sisk.pl>, Ingo Molnar <mingo@elte.hu>,
Pekka Enberg <penberg@cs.helsinki.fi>,
LKML <linux-kernel@vger.kernel.org>, Greg KH <greg@kroah.com>,
Kay Sievers <kay.sievers@vrfy.org>,
linux-fsdevel@vger.kernel.org
Subject: Re: v2.6.28-rc1: readlink /proc/*/exe returns uninitialized data to userspace
Date: Tue, 4 Nov 2008 15:48:23 +0000 [thread overview]
Message-ID: <20081104154823.GI28946@ZenIV.linux.org.uk> (raw)
In-Reply-To: <m1hc6nbw2c.fsf@frodo.ebiederm.org>
On Tue, Nov 04, 2008 at 02:54:35AM -0800, Eric W. Biederman wrote:
> does a memcpy of the new name to the target name,
> but it doesn't do anything with the source name.
> Then later we swap the name lengths.
>
> So the length on the dentry no longer matches the data
> we put in the buffer.
Aye. BTW, here's yesterday IRC log, after eparis had pointed to
" (deleted)" in the ends of two more reproducers (auditd spew after
crond upgrade, FWIW - same issue with d_path()):
13:48 #sec-eng: < viro> eparis: it's switch_names()
13:49 #sec-eng: < viro> if both names are internal
13:49 #sec-eng: < viro> in that case we want to copy ->d_name.len instead of swapping those
13:50 #sec-eng: < viro> IOW, I understand what's going on; it's not too nasty, fortunately, but it needs fixing
13:51 #sec-eng: < viro> pathname ends on " (deleted)" and has sane path
13:51 #sec-eng: < viro> i.e. we have dentry->d_name.{name,len} responsible for everything in between
13:52 #sec-eng: < viro> and .len is more than it ought to be
13:52 #sec-eng: < viro> OTOH, it's still within the limit on name length, so it's embedded into struct dentry
13:53 #sec-eng: < viro> i.e. we had either unlink() doing something _very_ odd or rename() buggering the name/len for (unhashed) target
13:53 #sec-eng: < viro> rename() => d_move()
13:54 #sec-eng: < viro> then testing a bit with copying /bin/sh to /tmp/<different names>, starting those and doing mv(1) of one over another had happily reproduced it
13:55 #sec-eng: < viro> so that was d_move() with short-over-short and source name longer than target one
13:56 #sec-eng: < viro> since there are only two lines handling d_name there (
13:56 #sec-eng: < viro> /* Switch the names.. */
13:56 #sec-eng: < viro> switch_names(dentry, target);
13:56 #sec-eng: < viro> do_switch(dentry->d_name.len, target->d_name.len);
13:57 #sec-eng: < viro> and switch_names() is 4-way choice by "is the source name short enough"/"is the target name short enough"...
13:58 #sec-eng: < viro> IOW, after noticing that " (deleted)" it had been absolutely straightforward
13:58 #sec-eng: < viro> it's not junk in the end
13:59 #sec-eng: < viro> it's junk in the _middle_
> Certainly not a resource leak or any kind of deadlock.
> And the length is right. But it is an information leak.
>
> I suppose a clever person could figure out how to steal
> information that way.
Not much, but that certainly needs fixing, leak or not.
next prev parent reply other threads:[~2008-11-04 15:48 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-10-25 17:14 v2.6.28-rc1: readlink /proc/*/exe returns uninitialized data to userspace Vegard Nossum
2008-10-25 20:41 ` Rafael J. Wysocki
2008-10-25 22:28 ` Eric W. Biederman
2008-10-26 21:08 ` Vegard Nossum
2008-11-04 9:39 ` Vegard Nossum
2008-11-04 10:00 ` Alexey Dobriyan
2008-11-04 10:07 ` Alexey Dobriyan
2008-11-04 10:34 ` Alexey Dobriyan
2008-11-04 10:54 ` Eric W. Biederman
2008-11-04 15:48 ` Al Viro [this message]
2008-11-04 15:12 ` Al Viro
2008-11-06 10:04 ` Ingo Molnar
2008-11-07 19:05 ` Greg KH
2008-11-07 23:12 ` Alexey Dobriyan
2008-11-11 22:14 ` Andrew Morton
2008-11-11 22:53 ` Vegard Nossum
2008-12-03 17:18 ` Greg KH
2008-12-03 20:20 ` Andrew Morton
2008-12-07 5:44 ` Greg KH
2008-12-07 7:04 ` Al Viro
2008-10-26 0:23 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20081104154823.GI28946@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=Yoshiya.Koyama@hp.com \
--cc=adobriyan@gmail.com \
--cc=ebiederm@xmission.com \
--cc=greg@kroah.com \
--cc=kay.sievers@vrfy.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=penberg@cs.helsinki.fi \
--cc=rjw@sisk.pl \
--cc=vegard.nossum@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.