From: halfdog <me@halfdog.net>
To: Kees Cook <keescook@chromium.org>
Cc: P J P <ppandit@redhat.com>, Al Viro <viro@zeniv.linux.org.uk>,
	linux-kernel@vger.kernel.org,
	Andrew Morton <akpm@linux-foundation.org>,
	Josh Triplett <josh@joshtriplett.org>,
	Serge Hallyn <serge.hallyn@canonical.com>,
	linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH] exec: do not leave bprm->interp on stack
Date: Tue, 13 Nov 2012 06:50:11 +0000
Message-ID: <50A1EDA3.7000704@halfdog.net>
In-Reply-To: <CAGXu5j+ObQAPBruUGpM2Vu_Fr91dNwdmy=ryJ2bOmm18qJEWnQ@mail.gmail.com>

Kees Cook wrote:
> On Tue, Nov 6, 2012 at 12:10 AM, P J P <ppandit@redhat.com> wrote:
>> 
>> Hello Kees, Al,
>> 
>> +-- On Sat, 27 Oct 2012, Kees Cook wrote --+
>> | If we change binfmt_script to not make a recursive call, then we still
>> | need to keep the interp change somewhere off the stack. I still think
>> | my patchset is the least bad.
>> |
>> | Al, do you have something else in mind?
>> 
>> Guys, are there any updates further?
>> 
>> Al, what's your take on the *rare* extra call to request_module?
> 
> Without any other feedback, I'd like to use my minimal allocation 
> patch, since it fixes the problem and doesn't change any of the 
> semantics of how/when loading happens.

As a first step, I think that we can go with Kees'
(nice/small/simple) patch. In the long run, exec should be reworked. Not
only is interp modified, credentials are also set, e.g. when using
"ping" as interpreter. With non-transparent error handling and
retry logic, this might be a future local-root exploit in the beginning
(I tried to, but have not managed yet).


Also a remark from Prasad Pandit did not make it to the list (or at
least I missed the replies).

> Yesterday, while testing Kees' patch I was reading through the
> execve(2) manual, which says: the path name must be a valid executable
> which is NOT a script.
> 
> $ man execve
> ...
> Interpreter scripts
> An interpreter script is a text file that has execute permission
> enabled and whose first line is of the form:
> 
> #! interpreter [optional-arg]
> 
> The interpreter must be a valid path name for an executable which
> is not itself a script.

Does someone know what POSIX says about that? I guess that interp
recursion might have some use cases: a script uses interp, but interp was
wrapped by admin or distribution folks into another script to fix
something, e.g. to pass an additional arg.

hd

-- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
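The nested-interpreter case halfdog raises (a script whose "#!" interpreter is itself a wrapper script that injects an extra argument), as an added user-space model that is not kernel code and not part of this thread: it rewrites argv the way binfmt_script does for a "#! interpreter [optional-arg]" line and follows the chain until a native executable is reached. The sample files are constructed inline, and the nesting cap is an assumed value for the model.

```python
# Added user-space model of binfmt_script's argv rewriting; not kernel code.
# The nesting cap is an assumed value for this model, not taken from the thread.
from typing import Dict, List, Optional, Tuple

BINPRM_BUF_SIZE = 128   # the kernel inspects only this many header bytes
MAX_RECURSION = 4       # assumed cap on nested interpreter scripts

# Constructed sample "filesystem": a script whose interpreter is itself a
# wrapper script (the admin/distro use case above), a native binary
# (fake ELF header), and a script that names itself as interpreter.
FILES: Dict[str, bytes] = {
    "/tmp/hello.sh": b"#!/usr/local/bin/shwrap -x\necho hi\n",
    "/usr/local/bin/shwrap": b"#!/bin/sh -e\nexec /bin/sh \"$@\"\n",
    "/bin/sh": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
    "/tmp/loop": b"#!/tmp/loop\n",
}

def parse_shebang(header: bytes) -> Optional[Tuple[str, Optional[str]]]:
    """Return (interp, optional_arg) for a '#!' header, or None if not a script."""
    if not header.startswith(b"#!"):
        return None
    line = header[2:BINPRM_BUF_SIZE].split(b"\n", 1)[0].strip(b" \t\r")
    if not line:
        return None                      # '#!' with no interpreter name
    parts = line.split(None, 1)          # interpreter, then the rest as one arg
    opt = parts[1].strip().decode() if len(parts) > 1 else None
    return parts[0].decode(), opt

def resolve_exec(path: str, argv: List[str], files: Dict[str, bytes]) -> List[str]:
    """Follow '#!' lines level by level and return the argv the final
    native executable would see: each level prepends [interp, opt_arg]
    and turns the previous path into the script argument."""
    depth = 0
    while True:
        hdr = parse_shebang(files[path])
        if hdr is None:
            return argv                  # reached a native executable
        if depth >= MAX_RECURSION:
            raise OSError("ELOOP: too many nested interpreters")
        interp, opt = hdr
        argv = [interp] + ([opt] if opt else []) + [path] + argv[1:]
        path, depth = interp, depth + 1

if __name__ == "__main__":
    print(resolve_exec("/tmp/hello.sh", ["/tmp/hello.sh", "arg1"], FILES))
```

Running it shows the wrapper's "-x" and the wrapper's own "-e" both landing in the final argv ahead of the script path, which is exactly the kind of argument injection the wrapping use case relies on.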
