From: Ryan Mallon <rmallon@gmail.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: George Spelvin <linux@horizon.com>,
joe@perches.com, akpm@linux-foundation.org,
dan.j.rosenberg@gmail.com, eldad@fogrefinery.com,
jgunthorpe@obsidianresearch.com, jkosina@suse.cz,
keescook@chromium.org, kernel-hardening@lists.openwall.com,
linux-kernel@vger.kernel.org, viro@zeniv.linux.org.uk,
rusty@rustcorp.com.au,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: [kernel-hardening] Re: [PATCH v3a] vsprintf: Check real user/group id for %pK
Date: Mon, 14 Oct 2013 20:18:24 +1100 [thread overview]
Message-ID: <525BB6E0.9030600@gmail.com> (raw)
In-Reply-To: <87d2nba0yb.fsf@xmission.com>
On 12/10/13 09:37, Eric W. Biederman wrote:
> Ryan Mallon <rmallon@gmail.com> writes:
>
>> The only remaining problem is kernel/module.c:module_sect_show() which
>> is used to write the sysfs files in /sys/module/<modname>/sections/.
>> Those files are actually are really good target for leaking %pK values
>> via setuid binaries. The problem is that the module_sect_show() function
>> isn't passed information about who opened the sysfs file. I don't think
>> this information is available in general for sysfs files either. Also,
>> I can't actually see how module_sect_show() gets called?
>>
>> I'm a bit stuck on how to solve this. Any ideas?
>
> I haven't yet had a chance to review the patches but there are patches
> to make sysfs files seq files in Greg's driver core tree.
Hmm, I had a look at the driver-core tree, and although sysfs files
internally use the seq_file interface, the sysfs show/store handlers do
not get passed the struct seq_file, so doesn't appear possible to do the
checks there.
We could add a sysfs_ops->seq_show, but that feels clunky to have two
different interfaces for handling sysfs files. Converting the whole
tree to pass struct seq_file to the sysfs handlers would be painful :-/.
I assume the reason the /sys/module/<modname>/sections/* cannot be made
0400 is that some user-space tools are expecting those files to be
readable by unprivileged users?
~Ryan
WARNING: multiple messages have this Message-ID (diff)
From: Ryan Mallon <rmallon@gmail.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: George Spelvin <linux@horizon.com>,
joe@perches.com, akpm@linux-foundation.org,
dan.j.rosenberg@gmail.com, eldad@fogrefinery.com,
jgunthorpe@obsidianresearch.com, jkosina@suse.cz,
keescook@chromium.org, kernel-hardening@lists.openwall.com,
linux-kernel@vger.kernel.org, viro@zeniv.linux.org.uk,
rusty@rustcorp.com.au,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: [PATCH v3a] vsprintf: Check real user/group id for %pK
Date: Mon, 14 Oct 2013 20:18:24 +1100 [thread overview]
Message-ID: <525BB6E0.9030600@gmail.com> (raw)
In-Reply-To: <87d2nba0yb.fsf@xmission.com>
On 12/10/13 09:37, Eric W. Biederman wrote:
> Ryan Mallon <rmallon@gmail.com> writes:
>
>> The only remaining problem is kernel/module.c:module_sect_show() which
>> is used to write the sysfs files in /sys/module/<modname>/sections/.
>> Those files are actually are really good target for leaking %pK values
>> via setuid binaries. The problem is that the module_sect_show() function
>> isn't passed information about who opened the sysfs file. I don't think
>> this information is available in general for sysfs files either. Also,
>> I can't actually see how module_sect_show() gets called?
>>
>> I'm a bit stuck on how to solve this. Any ideas?
>
> I haven't yet had a chance to review the patches but there are patches
> to make sysfs files seq files in Greg's driver core tree.
Hmm, I had a look at the driver-core tree, and although sysfs files
internally use the seq_file interface, the sysfs show/store handlers do
not get passed the struct seq_file, so doesn't appear possible to do the
checks there.
We could add a sysfs_ops->seq_show, but that feels clunky to have two
different interfaces for handling sysfs files. Converting the whole
tree to pass struct seq_file to the sysfs handlers would be painful :-/.
I assume the reason the /sys/module/<modname>/sections/* cannot be made
0400 is that some user-space tools are expecting those files to be
readable by unprivileged users?
~Ryan
next prev parent reply other threads:[~2013-10-14 9:18 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-09 21:52 [kernel-hardening] [PATCH v3] vsprintf: Check real user/group id for %pK Ryan Mallon
2013-10-09 21:52 ` Ryan Mallon
2013-10-09 22:00 ` [kernel-hardening] " Joe Perches
2013-10-09 22:00 ` Joe Perches
2013-10-09 22:04 ` [kernel-hardening] " Ryan Mallon
2013-10-09 22:04 ` Ryan Mallon
2013-10-09 22:14 ` [kernel-hardening] " Joe Perches
2013-10-09 22:14 ` Joe Perches
2013-10-09 22:25 ` [kernel-hardening] " Ryan Mallon
2013-10-09 22:25 ` Ryan Mallon
2013-10-09 22:33 ` [kernel-hardening] " Joe Perches
2013-10-09 22:33 ` Joe Perches
2013-10-09 22:42 ` [kernel-hardening] " Ryan Mallon
2013-10-09 22:42 ` Ryan Mallon
2013-10-09 23:09 ` [kernel-hardening] [PATCH v3a] " Joe Perches
2013-10-09 23:09 ` Joe Perches
2013-10-09 23:18 ` [kernel-hardening] " Ryan Mallon
2013-10-09 23:18 ` Ryan Mallon
2013-10-09 23:21 ` [kernel-hardening] " Joe Perches
2013-10-09 23:21 ` Joe Perches
2013-10-11 2:20 ` [kernel-hardening] " Eric W. Biederman
2013-10-11 2:20 ` Eric W. Biederman
2013-10-11 3:19 ` [kernel-hardening] " Ryan Mallon
2013-10-11 3:19 ` Ryan Mallon
2013-10-11 3:34 ` [kernel-hardening] " Eric W. Biederman
2013-10-11 3:34 ` Eric W. Biederman
2013-10-14 10:17 ` [kernel-hardening] " Djalal Harouni
2013-10-14 10:17 ` Djalal Harouni
2013-10-14 12:21 ` [kernel-hardening] " Djalal Harouni
2013-10-14 12:21 ` Djalal Harouni
2013-10-14 20:41 ` [kernel-hardening] " Ryan Mallon
2013-10-14 20:41 ` Ryan Mallon
2013-10-11 4:42 ` [kernel-hardening] " George Spelvin
2013-10-11 4:42 ` George Spelvin
2013-10-11 5:19 ` [kernel-hardening] " Ryan Mallon
2013-10-11 5:19 ` Ryan Mallon
2013-10-11 5:29 ` [kernel-hardening] " Joe Perches
2013-10-11 5:29 ` Joe Perches
2013-10-11 22:04 ` [kernel-hardening] " Ryan Mallon
2013-10-11 22:04 ` Ryan Mallon
2013-10-11 22:37 ` [kernel-hardening] " Eric W. Biederman
2013-10-11 22:37 ` Eric W. Biederman
2013-10-14 9:18 ` Ryan Mallon [this message]
2013-10-14 9:18 ` Ryan Mallon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=525BB6E0.9030600@gmail.com \
--to=rmallon@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=dan.j.rosenberg@gmail.com \
--cc=ebiederm@xmission.com \
--cc=eldad@fogrefinery.com \
--cc=gregkh@linuxfoundation.org \
--cc=jgunthorpe@obsidianresearch.com \
--cc=jkosina@suse.cz \
--cc=joe@perches.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@horizon.com \
--cc=rusty@rustcorp.com.au \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.