From: Ben Hutchings
To: Jann Horn
Cc: Alexander Viro, Roland McGrath, Oleg Nesterov, John Johansen, James Morris, "Serge E. Hallyn", Paul Moore, Stephen Smalley, Eric Paris, Casey Schaufler, Kees Cook, Andrew Morton, Janis Danisevskis, Seth Forshee, "Eric . Biederman", Thomas Gleixner, Benjamin LaHaise, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, security@kernel.org
Date: Sun, 18 Sep 2016 19:28:46 +0100
Subject: Re: [PATCH 4/9] futex: don't leak robust_list pointer
Message-ID: <20160918182846.GR10601@decadent.org.uk>
In-Reply-To: <1474211117-16674-5-git-send-email-jann@thejh.net>
References: <1474211117-16674-1-git-send-email-jann@thejh.net> <1474211117-16674-5-git-send-email-jann@thejh.net>

On Sun, Sep 18, 2016 at 05:05:12PM +0200, Jann Horn wrote:
> This prevents an attacker from determining the robust_list or
> compat_robust_list userspace pointer of a process created by executing
> a setuid binary. Such an attack could be performed by racing
> get_robust_list() with a setuid execution. The impact of this issue is that
> an attacker could theoretically bypass ASLR when attacking setuid binaries.
>
> Signed-off-by: Jann Horn
> ---
>  kernel/futex.c        | 31 +++++++++++++++++++++----------
>  kernel/futex_compat.c | 31 +++++++++++++++++++++----------
>  2 files changed, 42 insertions(+), 20 deletions(-)
>
> diff --git a/kernel/futex.c b/kernel/futex.c
> index 46cb3a3..002f056 100644
> --- a/kernel/futex.c
> +++ b/kernel/futex.c
> @@ -3007,31 +3007,42 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
>  	if (!futex_cmpxchg_enabled)
>  		return -ENOSYS;
>  
> -	rcu_read_lock();
> -
> -	ret = -ESRCH;
> -	if (!pid)
> +	if (!pid) {
>  		p = current;
> -	else {
> +		get_task_struct(p);
> +	} else {
> +		rcu_read_lock();
>  		p = find_task_by_vpid(pid);
> -		if (!p)
> -			goto err_unlock;
> +		/* pin the task to permit dropping the RCU read lock before
> +		 * acquiring the mutex
> +		 */
> +		get_task_struct(p);

get_task_struct() requires a non-null pointer so you can't move the
null check below it.

Ben.

> +		rcu_read_unlock();
>  	}
> +	if (!p)
> +		return -ESRCH;
[...]

-- 
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.
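Review bot: in the else branch of the get_robust_list hunk, `get_task_struct(p);` runs before the `if (!p) return -ESRCH;` that follows the block, so a pid that find_task_by_vpid() cannot resolve dereferences a NULL task pointer inside get_task_struct(), and that path also leaves the RCU read lock held, which the removed `goto err_unlock` used to drop. Move the NULL test inside the branch, ahead of the pin, and unlock there: `p = find_task_by_vpid(pid); if (!p) { rcu_read_unlock(); return -ESRCH; } get_task_struct(p);`. The trailing `if (!p)` then only ever sees `current`, which is never NULL, and can be dropped. The diffstat shows kernel/futex_compat.c receiving a change of the same shape, so the copy there needs the same ordering fix.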
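As an added example (not code from the patch or from anyone in this thread), a user-space probe for the value get_robust_list(2) discloses: a forked child plants a known robust-list head at an address in its own image, and the parent reads that address back through the syscall, which is the cross-process lookup whose access check the patch series is serializing against exec. It assumes Linux (the raw syscall numbers from <sys/syscall.h>, since libc has no wrappers for these two calls) and a ptrace policy that lets a parent read its own child; it does not attempt the setuid race itself. The names get_head, set_head, marker, read_child_head and demo are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/futex.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Neither syscall has a libc wrapper; pid 0 means the calling thread.
 * Both return 0 on success or -errno. */
static int get_head(pid_t pid, struct robust_list_head **head)
{
    size_t len = 0;
    return syscall(SYS_get_robust_list, pid, head, &len) < 0 ? -errno : 0;
}

static int set_head(struct robust_list_head *head)
{
    return syscall(SYS_set_robust_list, head, sizeof(*head)) < 0 ? -errno : 0;
}

/* An empty robust list: at exit the kernel walks it and stops as soon as
 * next points back at the head, so registering it is harmless. Its address
 * is the "secret" the parent reads back out of the child (hypothetical
 * marker for this example; a real process discloses the head libc placed
 * in its thread descriptor). */
static struct robust_list_head marker;

static void init_marker(void)
{
    marker.list.next = &marker.list;
    marker.futex_offset = 0;
    marker.list_op_pending = NULL;
}

/* Fork a child that registers `marker` as its robust list head, wait until
 * it says so, then ask the kernel for the child's head from the parent.
 * On success *seen holds the disclosed pointer and 0 is returned; otherwise
 * -errno (e.g. -EPERM when ptrace_may_access() refuses the caller). */
static int read_child_head(struct robust_list_head **seen)
{
    int ready[2], hold[2];
    char c = 0;

    if (pipe(ready) < 0 || pipe(hold) < 0)
        return -errno;

    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        close(ready[0]);
        close(hold[1]);
        if (set_head(&marker) < 0)          /* same address: fork copied the image */
            _exit(2);
        if (write(ready[1], "r", 1) != 1)   /* tell the parent we are registered */
            _exit(3);
        (void)read(hold[0], &c, 1);         /* stay alive until the parent is done */
        _exit(0);
    }
    close(ready[1]);
    close(hold[0]);

    int rc = -EIO;
    if (read(ready[0], &c, 1) == 1)
        rc = get_head(pid, seen);

    close(hold[1]);                         /* release the child */
    close(ready[0]);
    waitpid(pid, NULL, 0);
    return rc;
}

/* 1 if another process's robust list head was readable and equals the
 * planted address, 0 if the kernel refused the lookup, -errno on setup
 * failure. */
static int demo(void)
{
    struct robust_list_head *seen = NULL;
    init_marker();
    int rc = read_child_head(&seen);
    if (rc == -EPERM || rc == -ESRCH)
        return 0;
    if (rc < 0)
        return rc;
    return seen == &marker;
}

int main(void)
{
    struct robust_list_head *own = NULL;
    if (get_head(0, &own) == 0)
        printf("own robust_list head (libc's, if registered): %p\n", (void *)own);
    int r = demo();
    if (r < 0) {
        fprintf(stderr, "probe failed: %s\n", strerror(-r));
        return 1;
    }
    printf("child's head == planted address: %s\n",
           r ? "yes (pointer disclosed across processes)" : "no (lookup refused)");
    return r == 1 ? 0 : 1;
}
```

The value that matters in the real case is the one main() prints for its own thread: when libc has registered a head it sits inside the thread descriptor, so a caller that passes the access check on a freshly exec'd setuid target learns an address in that target's randomized layout. The patch's job is to make sure the check and the read cannot straddle the exec.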