Linux-audit Archive on lore.kernel.org
 help / color / mirror / Atom feed
From: Ben Hutchings <ben@decadent.org.uk>
To: Pengfei Wang <wpengfeinudt@gmail.com>, Oleg Nesterov <oleg@redhat.com>
Cc: security@kernel.org, Richard Guy Briggs <rgb@redhat.com>,
	"Krinke, Jens" <j.krinke@ucl.ac.uk>,
	linux-audit@redhat.com
Subject: Re: Report Double Fetch Bug Found in Linux-4.6.1/kernel/auditsc.c
Date: Tue, 21 Jun 2016 10:51:11 +0100	[thread overview]
Message-ID: <1466502671.27155.185.camel@decadent.org.uk> (raw)
In-Reply-To: <480FAE99-E4E1-42D0-ABD5-8DC24A7EC9BB@gmail.com>


[-- Attachment #1.1: Type: text/plain, Size: 1962 bytes --]

On Tue, 2016-06-21 at 10:37 +0100, Pengfei Wang wrote:
> > 
> > 在 2016年6月20日,下午8:18,Oleg Nesterov <oleg@redhat.com> 写道:
> > 
> > Not that I understand this report, but
> > 
> > On 06/20, Richard Guy Briggs wrote:
> > > 
> > > This function is only ever called by __audit_free(), which is only ever
> > > called on failure of task creation or on exit of the task, so in neither
> > > case can anything else change it.
> > 
> > How so?
> > 
> > Another thread or CLONE_VM task or /proc/pid/mem can change the user-space
> > memory in parallel.
> > 
> > Oleg.
> 
> 
> Exactly, by saying “change the data”, I mean the modification from
> malicious users with crafted operations on the user space memory
> directly, rather than the normal operations within the audit
> subsystem in Linux. Moreover, since the copy operations from the user
> space are not protected by any locks or synchronization primitives,
> changing the data under race condition is feasible I think. Besides,
> there isn’t any visible checking step in the code to guarantee the
> consistency between the two copy operations.
> 
> Here I would like to figure out what the consequences really are once
> the data is changed between the two copy operations, such as changing
> a none-control string to a control string but process it as a none-
> control string that has no control chars. I think problems will
> happen.

So far as userland can see, kernel log lines are separated by newlines.
If we fail to escape a newline, that makes it possible to inject
arbitrary log lines into the kernel log, which may be misleading to the
administrator or to software parsing the log.

Ben.

-- 
Ben Hutchings
[W]e found...that it wasn't as easy to get programs right as we had
thought.
... I realized that a large part of my life from then on was going to
be spent
in finding mistakes in my own programs. - Maurice Wilkes, 1949

[-- Attachment #1.2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]



  reply	other threads:[~2016-06-21  9:51 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-06-20 13:50 Report Double Fetch Bug Found in Linux-4.6.1/kernel/auditsc.c Pengfei Wang
2016-06-20 18:22 ` Richard Guy Briggs
2016-06-20 19:18   ` Oleg Nesterov
2016-06-21  9:37     ` Pengfei Wang
2016-06-21  9:51       ` Ben Hutchings [this message]
2016-06-21 18:14         ` Richard Guy Briggs
2016-06-21 18:20           ` Ben Hutchings
2016-06-21 19:18             ` Richard Guy Briggs
2016-06-21 19:59               ` Ben Hutchings
2016-06-21 20:31                 ` Andy Lutomirski
2016-06-21 20:47                   ` Richard Guy Briggs
2016-06-22  9:57                     ` Pengfei Wang
2016-06-27 21:45                       ` Paul Moore
2016-06-21 18:17       ` Richard Guy Briggs

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1466502671.27155.185.camel@decadent.org.uk \
    --to=ben@decadent.org.uk \
    --cc=j.krinke@ucl.ac.uk \
    --cc=linux-audit@redhat.com \
    --cc=oleg@redhat.com \
    --cc=rgb@redhat.com \
    --cc=security@kernel.org \
    --cc=wpengfeinudt@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox