[kernel-hardening] Re: [PATCH] proc: do not allow negative offsets on /proc/<pid>/environ

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Oleg Nesterov <oleg@redhat.com>
To: Djalal Harouni <tixxdz@opendz.org>
Cc: linux-kernel@vger.kernel.org,
	kernel-hardening@lists.openwall.com,
	Al Viro <viro@zeniv.linux.org.uk>,
	Andrew Morton <akpm@linux-foundation.org>,
	Vasiliy Kulikov <segoon@openwall.com>,
	WANG Cong <xiyou.wangcong@gmail.com>,
	Solar Designer <solar@openwall.com>,
	Kees Cook <keescook@chromium.org>
Subject: [kernel-hardening] Re: [PATCH] proc: do not allow negative offsets on /proc/<pid>/environ
Date: Mon, 23 Jul 2012 17:49:27 +0200	[thread overview]
Message-ID: <20120723154927.GA17439@redhat.com> (raw)
In-Reply-To: <20120723010447.GA23410@dztty>

Hi Djalal,

On 07/23, Djalal Harouni wrote:
>
> Hi Oleg,
>
> On Sun, Jul 22, 2012 at 10:00:49PM +0200, Oleg Nesterov wrote:
> >
> > Probablt the patch makes sense, but I can't understand the changelog...
> >
> > > Allowing negative offsets on /proc/<pid>/environ can turn it to act like
> > > /proc/<pid>/mem. A negative offset will pass the
> > > fs/read_write.c:lseek_execute() and the environ_read() checks and will
> > > point to another VMA.
> >
> > which VMA?
> It depends on the offset. Please see below.
>
> > environ_read() can only read the memory from [env_start, env_end], and
> > it should check *ppos anyway to ensure it doesn't read something else.
> Yes I agree, but currently that's not the case, there are no checks on *ppos.
                                                  ^^^^^^^^^^^^^^^^^^^
There is, unless I missed something, just it is buggy, no?

> So if you pass a negative offset you will be able to read from an arbitrary
> address.
>
> [...snip...]
>
>   inside environ_read() there is only a one check:
>
>   int this_len = mm->env_end - (mm->env_start + src);
>
>   if (this_len <= 0)
>     break;
>
>
>   Here 'src' is 'src = *ppos' the negative offset converted to unsigned long
>   and (mm->env_start + src) can overflow and point to another VMA.
>
>   int this_len = mm->env_end - (mm->env_start + src)
>
>   'this_len' will be positive and we pass that check.

OK, thanks, but doesn't this mean that this check should be fixed
to avoid the overflow, no matter what *ppos is?

With or without FMODE_UNSIGNED_OFFSET change. And perhaps it is
possible to trigger the overflow even with the positive *ppos,
because:

> I also don't like the truncation of the result to 'int this_len'

Yes.

> BTW should I resend the patch with a better changelog entry ?

Up to you, but I think this makes sense ;)

> I'll also add another patch to check the offsets inside environ_read().

Yes, agreed, but please see above.

Please correct me, but afaics this patch should come 1st and fix the bug.
FMODE_UNSIGNED_OFFSET change can be considered as a cleanup after that.

What do you think?

Oleg.

WARNING: multiple messages have this Message-ID (diff)

From: Oleg Nesterov <oleg@redhat.com>
To: Djalal Harouni <tixxdz@opendz.org>
Cc: linux-kernel@vger.kernel.org,
	kernel-hardening@lists.openwall.com,
	Al Viro <viro@zeniv.linux.org.uk>,
	Andrew Morton <akpm@linux-foundation.org>,
	Vasiliy Kulikov <segoon@openwall.com>,
	WANG Cong <xiyou.wangcong@gmail.com>,
	Solar Designer <solar@openwall.com>,
	Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH] proc: do not allow negative offsets on /proc/<pid>/environ
Date: Mon, 23 Jul 2012 17:49:27 +0200	[thread overview]
Message-ID: <20120723154927.GA17439@redhat.com> (raw)
In-Reply-To: <20120723010447.GA23410@dztty>

Hi Djalal,

On 07/23, Djalal Harouni wrote:
>
> Hi Oleg,
>
> On Sun, Jul 22, 2012 at 10:00:49PM +0200, Oleg Nesterov wrote:
> >
> > Probablt the patch makes sense, but I can't understand the changelog...
> >
> > > Allowing negative offsets on /proc/<pid>/environ can turn it to act like
> > > /proc/<pid>/mem. A negative offset will pass the
> > > fs/read_write.c:lseek_execute() and the environ_read() checks and will
> > > point to another VMA.
> >
> > which VMA?
> It depends on the offset. Please see below.
>
> > environ_read() can only read the memory from [env_start, env_end], and
> > it should check *ppos anyway to ensure it doesn't read something else.
> Yes I agree, but currently that's not the case, there are no checks on *ppos.
                                                  ^^^^^^^^^^^^^^^^^^^
There is, unless I missed something, just it is buggy, no?

> So if you pass a negative offset you will be able to read from an arbitrary
> address.
>
> [...snip...]
>
>   inside environ_read() there is only a one check:
>
>   int this_len = mm->env_end - (mm->env_start + src);
>
>   if (this_len <= 0)
>     break;
>
>
>   Here 'src' is 'src = *ppos' the negative offset converted to unsigned long
>   and (mm->env_start + src) can overflow and point to another VMA.
>
>   int this_len = mm->env_end - (mm->env_start + src)
>
>   'this_len' will be positive and we pass that check.

OK, thanks, but doesn't this mean that this check should be fixed
to avoid the overflow, no matter what *ppos is?

With or without FMODE_UNSIGNED_OFFSET change. And perhaps it is
possible to trigger the overflow even with the positive *ppos,
because:

> I also don't like the truncation of the result to 'int this_len'

Yes.

> BTW should I resend the patch with a better changelog entry ?

Up to you, but I think this makes sense ;)

> I'll also add another patch to check the offsets inside environ_read().

Yes, agreed, but please see above.

Please correct me, but afaics this patch should come 1st and fix the bug.
FMODE_UNSIGNED_OFFSET change can be considered as a cleanup after that.

What do you think?

Oleg.

next prev parent reply	other threads:[~2012-07-23 15:49 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-07-22 16:35 [kernel-hardening] [PATCH] proc: do not allow negative offsets on /proc/<pid>/environ Djalal Harouni
2012-07-22 16:35 ` Djalal Harouni
2012-07-22 20:00 ` [kernel-hardening] " Oleg Nesterov
2012-07-22 20:00   ` Oleg Nesterov
2012-07-23  1:04   ` [kernel-hardening] " Djalal Harouni
2012-07-23  1:04     ` Djalal Harouni
2012-07-23 15:49     ` Oleg Nesterov [this message]
2012-07-23 15:49       ` Oleg Nesterov
2012-07-23 16:44       ` [kernel-hardening] " Djalal Harouni
2012-07-23 16:44         ` Djalal Harouni

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20120723154927.GA17439@redhat.com \
    --to=oleg@redhat.com \
    --cc=akpm@linux-foundation.org \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=segoon@openwall.com \
    --cc=solar@openwall.com \
    --cc=tixxdz@opendz.org \
    --cc=viro@zeniv.linux.org.uk \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.