From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
Sender: linus971@gmail.com
In-Reply-To:
References: <1506816410-10230-1-git-send-email-me@tobin.cc> <1506816410-10230-5-git-send-email-me@tobin.cc>
From: Linus Torvalds
Date: Wed, 4 Oct 2017 12:23:02 -0700
Message-ID:
Content-Type: text/plain; charset="UTF-8"
Subject: Re: [kernel-hardening] [RFC V2 4/6] lib: vsprintf: default kptr_restrict to the maximum value
To: Jann Horn
Cc: Kees Cook, "Tobin C. Harding", Greg KH, Petr Mladek, Joe Perches, Ian Campbell, Sergey Senozhatsky, "kernel-hardening@lists.openwall.com", LKML, Catalin Marinas, Will Deacon, Steven Rostedt, William Roberts, Chris Fries, Dave Weinstein
List-ID:

On Wed, Oct 4, 2017 at 12:13 PM, Jann Horn wrote:
>
> Actually, /proc/kallsyms uses %pK, which hacks around this issue
> by checking for `euid != uid` in addition to the capability check - so this
> isn't exploitable through a typical setuid program.

Fair enough, you'd have to be a pretty broken suid program to have set
uid to euid before reading some untrusted file descriptor.

I could still imagine it happening (hey, the X server used to sendmsg
file descriptors back and forth), but hopefully it's not really realistic.

             Linus
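The exchange above turns on what %pK decides to print under each kptr_restrict setting. The following is an added, user-space model of that decision, not the kernel's own vsprintf code: the credential fields and the CAP_SYSLOG flag are plain inputs to a function, where the kernel reads them from the current task. The 0/1/2 semantics of kptr_restrict follow the kernel's sysctl documentation; the interrupt-context special case is deliberately left out. The cases in main() show why a setuid helper whose euid differs from its uid gets zeros even when it holds CAP_SYSLOG, which is the point Jann makes and Linus accepts.

```c
/* Added example: a user-space model of the %pK / kptr_restrict decision.
 * This is not the kernel's implementation; it mirrors the documented
 * policy so the setuid case discussed in the mail can be stepped through. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Credentials as seen by the model; the kernel takes these from
 * current_cred() and checks CAP_SYSLOG on the current task. */
struct creds {
    unsigned uid, euid, gid, egid;
    bool has_cap_syslog;   /* modelled as a flag (assumption: a single boolean) */
};

/* Returns the value %pK would expose for `ptr`: the real address, or 0
 * (the kernel renders this as all zeros) when the reader must not see it. */
uintptr_t pk_visible(int kptr_restrict, const struct creds *c, uintptr_t ptr)
{
    switch (kptr_restrict) {
    case 0:
        return ptr;                      /* no restriction at all */
    case 1:
        /* Capability check plus the uid/euid and gid/egid consistency
         * checks the mail refers to. A setuid program reading on behalf
         * of an unprivileged caller has euid != uid and so gets zeros,
         * even if it holds CAP_SYSLOG. */
        if (c->has_cap_syslog && c->euid == c->uid && c->egid == c->gid)
            return ptr;
        return 0;
    default:
        return 0;                        /* 2 and above: hidden from everyone */
    }
}

/* Convenience wrappers for the three situations worth comparing. */
uintptr_t case_root_consistent(int kptr_restrict, uintptr_t ptr)
{
    struct creds c = { .uid = 0, .euid = 0, .gid = 0, .egid = 0, .has_cap_syslog = true };
    return pk_visible(kptr_restrict, &c, ptr);
}

uintptr_t case_setuid_helper(int kptr_restrict, uintptr_t ptr)
{
    /* Unprivileged caller (uid 1000) running a setuid-root binary: euid 0. */
    struct creds c = { .uid = 1000, .euid = 0, .gid = 1000, .egid = 0, .has_cap_syslog = true };
    return pk_visible(kptr_restrict, &c, ptr);
}

uintptr_t case_unprivileged(int kptr_restrict, uintptr_t ptr)
{
    struct creds c = { .uid = 1000, .euid = 1000, .gid = 1000, .egid = 1000, .has_cap_syslog = false };
    return pk_visible(kptr_restrict, &c, ptr);
}

int main(void)
{
    /* Constructed sample address; any value works for the model. */
    const uintptr_t sym = (uintptr_t)0xffffffff81000000ULL;

    for (int r = 0; r <= 2; r++) {
        printf("kptr_restrict=%d  root=%#lx  setuid-helper=%#lx  unpriv=%#lx\n", r,
               (unsigned long)case_root_consistent(r, sym),
               (unsigned long)case_setuid_helper(r, sym),
               (unsigned long)case_unprivileged(r, sym));
    }
    return 0;
}
```

Reading the table the program prints: only at kptr_restrict=1 does the euid/uid check do any work, hiding the address from the setuid helper while root with consistent credentials still sees it; at 2, the default the patch series proposes, nobody sees it, so the setuid question does not arise.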