From: "J. Bruce Fields" <bfields@fieldses.org>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: kernel-hardening@lists.openwall.com,
linux-kernel@vger.kernel.org,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Thomas Sailer <t.sailer@alumni.ethz.ch>,
"Rafael J. Wysocki" <rafael.j.wysocki@intel.com>,
Johan Hovold <johan@kernel.org>, Alex Elder <elder@kernel.org>,
Jeff Layton <jlayton@poochiereds.net>,
David Howells <dhowells@redhat.com>, NeilBrown <neilb@suse.com>
Subject: [kernel-hardening] Re: [PATCH 2/3] Make static usermode helper binaries constant
Date: Mon, 16 Jan 2017 16:25:55 -0500
Message-ID: <20170116212555.GA5201@fieldses.org>
In-Reply-To: <20170116165031.GB29693@kroah.com>
On Mon, Jan 16, 2017 at 05:50:31PM +0100, Greg KH wrote:
> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>
> There are a number of usermode helper binaries that are "hard coded" in
> the kernel today, so mark them as "const" to make it harder for someone
> to change where the variables point to.
>
...
> --- a/drivers/pnp/pnpbios/core.c
> +++ b/drivers/pnp/pnpbios/core.c
> @@ -98,6 +98,7 @@ static struct completion unload_sem;
> */
> static int pnp_dock_event(int dock, struct pnp_docking_station_info *info)
> {
> + static char const sbin_pnpbios[] = "/sbin/pnpbios";
> char *argv[3], **envp, *buf, *scratch;
> int i = 0, value;
>
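Review bot: the `+` line declares the array as `static char const sbin_pnpbios[]`; the qualifier order `static const char sbin_pnpbios[]` is the usual kernel spelling and reads more naturally next to the other declarations in this function. Keeping it a function-local static is fine, since a const array with an initializer still lands in read-only data, but a one-line comment saying why the path became a named array rather than a literal would stop a later cleanup from folding it back into the assignment below.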
> @@ -112,7 +113,7 @@ static int pnp_dock_event(int dock, struct pnp_docking_station_info *info)
> * integrated into the driver core and use the usual infrastructure
> * like sysfs and uevents
> */
> - argv[0] = "/sbin/pnpbios";
> + argv[0] = (char *)sbin_pnpbios;
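Review bot: the `(char *)sbin_pnpbios` cast on the `+` line discards the const that the previous hunk just added, because `argv` is declared `char *argv[3]` in that hunk's context. The constant therefore protects only the bytes of the string; the `argv[0]` slot itself is an ordinary pointer on the stack and stays as writable as before, which is narrower than the changelog's "make it harder for someone to change where the variables point to" suggests. A short comment on the cast, stating that it exists only to satisfy the non-const argv array, would keep the intent clear and make the remaining gap explicit.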
So here and elsewhere, can attackers write to argv[0] instead of to the
memory where the string lives?
Apologies if I'm rehashing earlier discussion, I did a quick search of
archives but could easily have missed something.
--b.
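As an added example (not code from the patch or from this thread), the distinction Bruce's question points at, written as userspace C: a hypothetical fake_call_usermodehelper() stands in for the kernel function, the argument values are constructed, and the const array protects the bytes of the path while the argv[0] slot is an ordinary pointer, so a defender-side check has to compare the slot against the known constant.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the patch's constant: a const array, so the
 * bytes of the path live in read-only storage. */
static const char sbin_pnpbios[] = "/sbin/pnpbios";

/* Hypothetical replacement for call_usermodehelper(): records the path
 * it was asked to run instead of executing anything. */
static const char *last_helper_path;

static int fake_call_usermodehelper(char *path, char **argv)
{
    (void)argv;
    last_helper_path = path;
    return 0;
}

/* Constructed argument value for the example. */
static char arg_dock[] = "dock";

/* Builds argv the way the patched function does. The cast discards const
 * because argv is an array of plain char pointers; the slots themselves
 * are ordinary writable memory, unlike the string they point at. */
static void build_dock_argv(char *argv[3])
{
    argv[0] = (char *)sbin_pnpbios;
    argv[1] = arg_dock;
    argv[2] = NULL;
}

/* Defender-side check: const protects the string bytes, not the pointer
 * stored in argv[0]. Only the address of the known constant is accepted,
 * so a slot redirected to any other string (even an identical copy at a
 * different address) is rejected. Returns 1 if intact, 0 otherwise. */
static int helper_path_intact(char *const argv[])
{
    return argv[0] == sbin_pnpbios;
}

/* Invokes the helper only while argv[0] still references the constant;
 * returns -1 without calling it otherwise. */
static int run_dock_helper(char **argv)
{
    if (!helper_path_intact(argv))
        return -1;
    return fake_call_usermodehelper(argv[0], argv);
}
```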