From: Vasiliy Kulikov <segoon@openwall.com>
To: Cyrill Gorcunov <gorcunov@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
"Kirill A. Shutemov" <kirill@shutemov.name>,
containers@lists.osdl.org, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org, Nathan Lynch <ntl@pobox.com>,
kernel-hardening@lists.openwall.com,
Oren Laadan <orenl@cs.columbia.edu>,
Daniel Lezcano <dlezcano@fr.ibm.com>,
Glauber Costa <glommer@parallels.com>,
James Bottomley <jbottomley@parallels.com>,
Tejun Heo <tj@kernel.org>, Alexey Dobriyan <adobriyan@gmail.com>,
Al Viro <viro@ZenIV.linux.org.uk>,
Pavel Emelyanov <xemul@parallels.com>
Subject: Re: [patch 2/2] fs, proc: Introduce the /proc/<pid>/map_files/ directory v6
Date: Tue, 6 Sep 2011 14:15:18 +0400 [thread overview]
Message-ID: <20110906101518.GA4799@albatros> (raw)
In-Reply-To: <20110905203627.GL761@sun>
On Tue, Sep 06, 2011 at 00:36 +0400, Cyrill Gorcunov wrote:
> > But I still see one very nasty issue - one may trigger this ptrace check,
> > trigger d_drop() and then look at /proc/slabinfo at "dentry" row. If
> > the number has changed, then the interested dentry existed before the
> > revalidate call. This infoleak is tricky to fix without any race.
> >
> > Probably it's time to close /proc/slabinfo infoleak?
> >
>
> Actually I miss to see how exactly this infoleak can be used by attacker
> or whoever. So, Vasiliy, what the security issue there?
The security model of procfs is: /proc/PID/fd/ is available to users
that may ptrace PID only. Particularly, the number of opened file
descriptors is a private information. If other task that may not ptrace
PID is able to get this information, this is an issue. Keeping opened
file descriptor of /proc/PID/fd/ and exec'ing some setxid binary as PID
might lead to the infoleak. It can be used in certain rare cases when
the knowledge of whether specific fd is opened/closed gains some
important information, e.g. whether some security check has
failed/succeeded (which is indirectly signaled by the kept fd). As for
map_files/ it may reveal ASLR offsets (but only some bits, not all of
them, I guess).
Without dropping denries it can be identified by calling stat() or
link() against dentries existing in the cache. In more details:
1) an attacker has a task with pid=PID with many opened fds.
2) Other task (PID2) opens /proc/PID/fd/ and fills the dentry cache.
Now dcache contains procfs entries for file descriptors of PID.
3) PID execve's setxid binary. (From this point PID2 should not get
_any_ information about /proc/PID/fd/, but this rule is violated in (4).)
4) PID2 does something to learn whether any fd of PID is opened/closed.
a) before "proc: fix races against execve() of /proc/PID/fd**" patch
PID2 could simply do getdents() against kept file descriptor of
/proc/PID/fd and get the list of opened fds.
b) Without dentry dropping on each access PID2 could use link(2) to
read /proc/PID/fd/* dentries from dcache. As they are in the
dcache since (2), ptrace check from ->lookup() is not applied.
c) If dentry is lazily dropped on each access attempt (or each illegal
access) then PID2 can:
i) read dentry line of /proc/slabinfo
ii) call link(2) against /proc/PID/fd, which invalidates the
specific dentry
iii) re-read dentry line of /proc/slabinfo. If it has decreased by
one, the dentry existed before (ii).
Is it possible to either allocate already dropped dentry or to force
->lookup() without invalidating dentry? The latter would potentially
pollute the dchache, though.
Thanks,
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
WARNING: multiple messages have this Message-ID (diff)
From: Vasiliy Kulikov <segoon@openwall.com>
To: Cyrill Gorcunov <gorcunov@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
"Kirill A. Shutemov" <kirill@shutemov.name>,
containers@lists.osdl.org, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org, Nathan Lynch <ntl@pobox.com>,
kernel-hardening@lists.openwall.com,
Oren Laadan <orenl@cs.columbia.edu>,
Daniel Lezcano <dlezcano@fr.ibm.com>,
Glauber Costa <glommer@parallels.com>,
James Bottomley <jbottomley@parallels.com>,
Tejun Heo <tj@kernel.org>, Alexey Dobriyan <adobriyan@gmail.com>,
Al Viro <viro@ZenIV.linux.org.uk>,
Pavel Emelyanov <xemul@parallels.com>
Subject: [kernel-hardening] Re: [patch 2/2] fs, proc: Introduce the /proc/<pid>/map_files/ directory v6
Date: Tue, 6 Sep 2011 14:15:18 +0400 [thread overview]
Message-ID: <20110906101518.GA4799@albatros> (raw)
In-Reply-To: <20110905203627.GL761@sun>
On Tue, Sep 06, 2011 at 00:36 +0400, Cyrill Gorcunov wrote:
> > But I still see one very nasty issue - one may trigger this ptrace check,
> > trigger d_drop() and then look at /proc/slabinfo at "dentry" row. If
> > the number has changed, then the interested dentry existed before the
> > revalidate call. This infoleak is tricky to fix without any race.
> >
> > Probably it's time to close /proc/slabinfo infoleak?
> >
>
> Actually I miss to see how exactly this infoleak can be used by attacker
> or whoever. So, Vasiliy, what the security issue there?
The security model of procfs is: /proc/PID/fd/ is available to users
that may ptrace PID only. Particularly, the number of opened file
descriptors is a private information. If other task that may not ptrace
PID is able to get this information, this is an issue. Keeping opened
file descriptor of /proc/PID/fd/ and exec'ing some setxid binary as PID
might lead to the infoleak. It can be used in certain rare cases when
the knowledge of whether specific fd is opened/closed gains some
important information, e.g. whether some security check has
failed/succeeded (which is indirectly signaled by the kept fd). As for
map_files/ it may reveal ASLR offsets (but only some bits, not all of
them, I guess).
Without dropping denries it can be identified by calling stat() or
link() against dentries existing in the cache. In more details:
1) an attacker has a task with pid=PID with many opened fds.
2) Other task (PID2) opens /proc/PID/fd/ and fills the dentry cache.
Now dcache contains procfs entries for file descriptors of PID.
3) PID execve's setxid binary. (From this point PID2 should not get
_any_ information about /proc/PID/fd/, but this rule is violated in (4).)
4) PID2 does something to learn whether any fd of PID is opened/closed.
a) before "proc: fix races against execve() of /proc/PID/fd**" patch
PID2 could simply do getdents() against kept file descriptor of
/proc/PID/fd and get the list of opened fds.
b) Without dentry dropping on each access PID2 could use link(2) to
read /proc/PID/fd/* dentries from dcache. As they are in the
dcache since (2), ptrace check from ->lookup() is not applied.
c) If dentry is lazily dropped on each access attempt (or each illegal
access) then PID2 can:
i) read dentry line of /proc/slabinfo
ii) call link(2) against /proc/PID/fd, which invalidates the
specific dentry
iii) re-read dentry line of /proc/slabinfo. If it has decreased by
one, the dentry existed before (ii).
Is it possible to either allocate already dropped dentry or to force
->lookup() without invalidating dentry? The latter would potentially
pollute the dchache, though.
Thanks,
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
next prev parent reply other threads:[~2011-09-06 10:15 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-31 7:58 [patch 0/2] Introduce /proc/pid/map_files v6 Cyrill Gorcunov
2011-08-31 7:58 ` [patch 1/2] fs, proc: Make proc_get_link to use dentry instead of inode Cyrill Gorcunov
2011-08-31 7:58 ` [patch 2/2] fs, proc: Introduce the /proc/<pid>/map_files/ directory v6 Cyrill Gorcunov
2011-08-31 9:06 ` Vasiliy Kulikov
2011-08-31 10:12 ` Cyrill Gorcunov
2011-08-31 11:26 ` Cyrill Gorcunov
2011-08-31 14:04 ` Kirill A. Shutemov
2011-08-31 14:09 ` Cyrill Gorcunov
2011-08-31 14:26 ` Cyrill Gorcunov
2011-08-31 22:10 ` Andrew Morton
2011-09-01 3:07 ` Kyle Moffett
2011-09-01 3:07 ` Kyle Moffett
2011-09-01 7:58 ` Pavel Emelyanov
2011-09-01 11:50 ` Tejun Heo
2011-09-01 12:13 ` Pavel Emelyanov
2011-09-01 17:13 ` Tejun Heo
2011-09-02 19:15 ` Matt Helsley
2011-09-02 0:09 ` Matt Helsley
2011-09-01 8:05 ` Cyrill Gorcunov
2011-09-02 16:37 ` Vasiliy Kulikov
2011-09-02 16:37 ` [kernel-hardening] " Vasiliy Kulikov
2011-09-05 18:53 ` Vasiliy Kulikov
2011-09-05 18:53 ` [kernel-hardening] " Vasiliy Kulikov
2011-09-05 19:20 ` Cyrill Gorcunov
2011-09-05 19:20 ` [kernel-hardening] " Cyrill Gorcunov
2011-09-05 19:49 ` Vasiliy Kulikov
2011-09-05 19:49 ` [kernel-hardening] " Vasiliy Kulikov
2011-09-05 20:36 ` Cyrill Gorcunov
2011-09-05 20:36 ` [kernel-hardening] " Cyrill Gorcunov
2011-09-06 10:15 ` Vasiliy Kulikov [this message]
2011-09-06 10:15 ` Vasiliy Kulikov
2011-09-06 16:51 ` Tejun Heo
2011-09-06 16:51 ` [kernel-hardening] " Tejun Heo
2011-09-06 17:29 ` Vasiliy Kulikov
2011-09-06 17:29 ` [kernel-hardening] " Vasiliy Kulikov
2011-09-06 17:33 ` Tejun Heo
2011-09-06 17:33 ` [kernel-hardening] " Tejun Heo
2011-09-06 18:15 ` Cyrill Gorcunov
2011-09-06 18:15 ` [kernel-hardening] " Cyrill Gorcunov
[not found] ` <20110906173341.GM18425-9pTldWuhBndy/B6EtB590w@public.gmane.org>
2011-09-07 11:23 ` Vasiliy Kulikov
2011-09-07 11:23 ` [kernel-hardening] " Vasiliy Kulikov
2011-09-07 21:53 ` Cyrill Gorcunov
2011-09-07 21:53 ` [kernel-hardening] " Cyrill Gorcunov
2011-09-07 22:13 ` Andrew Morton
2011-09-07 22:13 ` Andrew Morton
2011-09-07 22:13 ` [kernel-hardening] " Andrew Morton
2011-09-07 22:42 ` Cyrill Gorcunov
2011-09-07 22:42 ` [kernel-hardening] " Cyrill Gorcunov
2011-09-07 22:53 ` Andrew Morton
2011-09-07 22:53 ` Andrew Morton
2011-09-07 22:53 ` [kernel-hardening] " Andrew Morton
2011-09-08 5:48 ` Cyrill Gorcunov
2011-09-08 5:48 ` [kernel-hardening] " Cyrill Gorcunov
2011-09-08 5:50 ` Cyrill Gorcunov
2011-09-08 5:50 ` [kernel-hardening] " Cyrill Gorcunov
2011-09-08 6:04 ` Cyrill Gorcunov
2011-09-08 6:04 ` [kernel-hardening] " Cyrill Gorcunov
2011-09-08 23:52 ` Andrew Morton
2011-09-08 23:52 ` Andrew Morton
2011-09-08 23:52 ` [kernel-hardening] " Andrew Morton
2011-09-09 0:24 ` Pavel Emelyanov
2011-09-09 0:24 ` [kernel-hardening] " Pavel Emelyanov
2011-09-09 5:48 ` Cyrill Gorcunov
2011-09-09 5:48 ` [kernel-hardening] " Cyrill Gorcunov
2011-09-09 6:00 ` Andrew Morton
2011-09-09 6:00 ` [kernel-hardening] " Andrew Morton
2011-09-09 6:22 ` Cyrill Gorcunov
2011-09-09 6:22 ` [kernel-hardening] " Cyrill Gorcunov
2011-09-10 13:21 ` Vasiliy Kulikov
2011-09-10 13:49 ` Cyrill Gorcunov
2011-09-01 10:46 ` Cyrill Gorcunov
2011-09-01 22:49 ` Andrew Morton
2011-09-01 23:04 ` Tejun Heo
2011-09-02 5:54 ` Cyrill Gorcunov
2011-09-02 5:53 ` Cyrill Gorcunov
2011-08-31 22:50 ` Andrew Morton
2011-09-02 1:54 ` Nicholas Miell
2011-09-02 1:58 ` Tejun Heo
2011-09-02 2:04 ` Nicholas Miell
2011-09-02 2:29 ` Tejun Heo
2011-09-02 8:07 ` Kirill A. Shutemov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110906101518.GA4799@albatros \
--to=segoon@openwall.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=containers@lists.osdl.org \
--cc=dlezcano@fr.ibm.com \
--cc=glommer@parallels.com \
--cc=gorcunov@gmail.com \
--cc=jbottomley@parallels.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=kirill@shutemov.name \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ntl@pobox.com \
--cc=orenl@cs.columbia.edu \
--cc=tj@kernel.org \
--cc=viro@ZenIV.linux.org.uk \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.