From: Bryan Donlan <bdonlan@gmail.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
linux-kernel@vger.kernel.org, Ulrich Drepper <drepper@redhat.com>,
linux-api@vger.kernel.org
Subject: Re: [resend][PATCH] Added PR_SET_PROCTITLE_AREA option for prctl()
Date: Fri, 9 Oct 2009 22:22:10 -0400 [thread overview]
Message-ID: <3e8340490910091922g7891b31al649e91f15ffae687@mail.gmail.com> (raw)
In-Reply-To: <20091009171344.3fc5f28b.akpm@linux-foundation.org>
On Fri, Oct 9, 2009 at 8:13 PM, Andrew Morton <akpm@linux-foundation.org> wrote:
>> + res = access_process_vm(task, mm->arg_start, buffer, len, 0);
>> +
>> + if (mm->arg_end != mm->env_start)
>> + /* PR_SET_PROCTITLE_AREA used */
>> res = strnlen(buffer, res);
>
> Hang on.
>
> If PR_SET_PROCTITLE_AREA installed a bad address then
> access_process_vm() will return -EFAULT and nothing was written to
> `buffer'?
>
> Also, concurrent PR_SET_PROCTITLE_AREA could cause arg_start and
> arg_end to have inconsistent/incoherent values. This might result in a
> fault but it also might result in a read of garbage userspace memory.
>
> I guess all of these issues could be written off as "userspace bugs",
> but our behaviour here isn't nice. We should at least return that
> -EFAULT!.
access_process_vm() does not return an error code - just the number of
bytes successfully transferred. If there's a fault, we just get 0 (or
some intermediate value) back (as discussed on lkml).
>> + res += access_process_vm(task, mm->env_start,
>> + buffer+res, len, 0);
>> + res = strnlen(buffer, res);
>> + }
>
> And if access_process_vm() returns a -ve errno here, the code simply
> flies off into the weeds.
This code was originally there - it's just been lifted into an if :)
and since access_process_vm will never return a negative errno, it's
not a problem.
Now, there might be a case for arguing that we should try harder to
get an error code (-EIO if we don't read the number of bytes we asked
for), but /proc/pid/cmdline never has before, and that would then make
this a visible change for consumers of /proc/pid/cmdline. Can ps
handle reading cmdline returning -EIO?
> seqlocks are nice but I have to wonder if they made this patch
> unnecessarily complex. Couldn't we just do:
>
> PR_SET_PROCTITLE_AREA:
>
> spin_lock(mm->lock);
> mm->arg_start = addr;
> mm->arg_end = addr + len;
> spin_unlock(mm->lock);
>
> and
>
> proc_pid_cmdline()
> {
> unsigned long addr;
> unsigned long end;
>
> spin_lock(mm->lock);
> addr = mm->arg_start;
> end = mm->arg_end;
> spin_unlock(mm->lock);
>
> <use `addr' and `len'>
> }
>
> ?
As discussed on the lkml thread, this opens up a nasty race:
Process A: calls PR_SET_PROCTITLE_AREA
Process B: read cmdline:
Process B: spin_lock
Process B: read mm->arg_*
Process B: unlock
Process A: mm->arg_* = ...
Process A: free(old_cmdline_area)
Process A: secret_password = malloc(...)
Process A: strcpy(secret_password, stuff);
Process B: access_process_vm
If secret_password == arg_start, then process B just read secret
information from process A's address space. Since process A has no
idea when or even if process B will complete its read, it has no way
of protecting itself from this, save from never reusing any memory
which has ever been assigned to a proctitle area.
The solution is to use the seqlock to detect this, and prevent the
secret information from ever making it back to process B's userspace.
Note that it's not enough to just recheck arg_start, as process A may
reassign the proctitle area back to its original position after having
it somewhere else for a while.
next prev parent reply other threads:[~2009-10-10 2:22 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-10-09 4:50 [resend][PATCH] Added PR_SET_PROCTITLE_AREA option for prctl() KOSAKI Motohiro
2009-10-10 0:13 ` Andrew Morton
2009-10-10 2:22 ` Bryan Donlan [this message]
[not found] ` <3e8340490910091922g7891b31al649e91f15ffae687-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2009-10-10 2:42 ` Andrew Morton
[not found] ` <20091009194250.eb76e338.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2009-10-10 2:57 ` Bryan Donlan
2009-10-10 6:32 ` KOSAKI Motohiro
[not found] ` <2f11576a0910092332s6e0e3dcs35864e3a2164be0-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2009-10-10 6:39 ` Andrew Morton
2009-10-12 19:03 ` KOSAKI Motohiro
[not found] ` <20091013022335.C741.A69D9226-+CUm20s59erQFUHtdCDX3A@public.gmane.org>
2009-10-12 19:22 ` Andrew Morton
[not found] ` <20091012122246.a941013b.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2009-10-13 0:03 ` KOSAKI Motohiro
2009-10-10 7:11 ` Bryan Donlan
[not found] ` <3e8340490910100011u17497293o613334c64f1543c8-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2009-10-12 19:03 ` KOSAKI Motohiro
[not found] ` <20091013031853.C744.A69D9226-+CUm20s59erQFUHtdCDX3A@public.gmane.org>
2009-10-12 19:33 ` Bryan Donlan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3e8340490910091922g7891b31al649e91f15ffae687@mail.gmail.com \
--to=bdonlan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=drepper@redhat.com \
--cc=kosaki.motohiro@jp.fujitsu.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).