From: Bryan Donlan <bdonlan-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: Linus Torvalds
<torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>,
akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org,
kosaki.motohiro-+CUm20s59erQFUHtdCDX3A@public.gmane.org,
drepper-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org,
linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
mingo-X9Un+BFzKDI@public.gmane.org,
tss-X3B1VOXEql0@public.gmane.org,
xiyou.wangcong-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
Subject: Re: [patch 050/160] prctl: add PR_SET_PROCTITLE_AREA option for prctl()
Date: Sun, 7 Mar 2010 15:24:30 -0500 [thread overview]
Message-ID: <3e8340491003071224o5ea1c01cl73132e7c2cc6046f@mail.gmail.com> (raw)
In-Reply-To: <20100307192826.GA18616-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
On Sun, Mar 7, 2010 at 14:28, Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
> On 03/06, Linus Torvalds wrote:
>>
>> On Fri, 5 Mar 2010, akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org wrote:
>> >
>> > This patch makes it possible for userspace to implement setproctitle()
>> > cleanly. It adds a new PR_SET_PROCTITLE_AREA option for prctl(), which
>> > updates task's mm_struct->arg_start and arg_end to the given area.
>>
>> This looks overly complicated. Why do you change the whole locking rules,
>> instead of protecting _only_ the "arg_start/arg_end" case?
>>
>> The thing is, there's no reason to hold the mmap_sem over the whole thing,
>> and I don't think this is important enough to be a valid reason for
>> exposing a whole new "locked" access variant, when a simple "protect just
>> the arg_start/end" would handle it.
>
> It was me who suggested to re-use mm->mmap_sem instead of adding the new
> lock, but looking at this patch again I do not understand the reason this
> lock should be held throughout in proc_pid_cmdline(). If there is no such
> a reason, then the new access_process_vm_locked (cough, also suggested by
> me ;) is not needed.
Consider:
Process A is reading /proc/pidB/cmdline. As it enters
proc_pid_cmdline, the compiler stashes mm->arg_end and mm->arg_start
in a register or something, and then the process is preempted.
Process B now changes the location of its cmdline buffer. After
changing it, it free()s the buffer. Then it malloc()s a buffer for
sensitive data. Unfortunately, this happens to be at the same address.
Eventually control returns to process A, which reads sensitive data
out of process B's address space using the stale values for arg_end
and arg_start. Process A did not have to be a privileged process or
the same uid to do this.
Note that B cannot defend against this, as it has no idea how long a
hypothetical process A may be preempted. If B is a high-priority or
real-time process, A may be preempted for a very long time indeed.
Alternately process A may be interrupted by a slow interrupt handler.
Since B cannot determine when it may be safe to re-use the buffer, the
conclusion is that without a lock of some sort in the kernel, B must
never re-use any memory used for its cmdline buffer, which is a very
undesirable result.
next prev parent reply other threads:[~2010-03-07 20:24 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-03-05 21:42 [patch 050/160] prctl: add PR_SET_PROCTITLE_AREA option for prctl() akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b
[not found] ` <201003052142.o25Lgbpg029522-AB4EexQrvXRQetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>
2010-03-06 19:05 ` Linus Torvalds
[not found] ` <alpine.LFD.2.00.1003061100170.4530-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2010-03-07 19:28 ` Oleg Nesterov
[not found] ` <20100307192826.GA18616-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2010-03-07 20:24 ` Bryan Donlan [this message]
[not found] ` <3e8340491003071224o5ea1c01cl73132e7c2cc6046f-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2010-03-08 12:56 ` Oleg Nesterov
2010-03-09 5:14 ` KOSAKI Motohiro
[not found] ` <20100306095705.GA26221@infradead.org>
[not found] ` <20100306095705.GA26221-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>
2010-03-09 4:44 ` KOSAKI Motohiro
[not found] ` <20100309134105.7CDB.A69D9226-+CUm20s59erQFUHtdCDX3A@public.gmane.org>
2010-03-09 5:21 ` Ulrich Drepper
[not found] ` <4B95DAF3.5050605-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2010-03-09 22:17 ` Oleg Nesterov
[not found] ` <20100309221704.GA1401-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2010-03-09 22:33 ` Ulrich Drepper
[not found] ` <4B96CCB8.9040507-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2010-03-10 1:42 ` KOSAKI Motohiro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3e8340491003071224o5ea1c01cl73132e7c2cc6046f@mail.gmail.com \
--to=bdonlan-re5jqeeqqe8avxtiumwx3w@public.gmane.org \
--cc=akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
--cc=drepper-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org \
--cc=kosaki.motohiro-+CUm20s59erQFUHtdCDX3A@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=mingo-X9Un+BFzKDI@public.gmane.org \
--cc=oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
--cc=tss-X3B1VOXEql0@public.gmane.org \
--cc=xiyou.wangcong-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).