From: Ben Hutchings <ben@decadent.org.uk>
To: Pengfei Wang <wpengfeinudt@gmail.com>, Oleg Nesterov <oleg@redhat.com>
Cc: security@kernel.org, Richard Guy Briggs <rgb@redhat.com>,
"Krinke, Jens" <j.krinke@ucl.ac.uk>,
linux-audit@redhat.com
Subject: Re: Report Double Fetch Bug Found in Linux-4.6.1/kernel/auditsc.c
Date: Tue, 21 Jun 2016 10:51:11 +0100 [thread overview]
Message-ID: <1466502671.27155.185.camel@decadent.org.uk> (raw)
In-Reply-To: <480FAE99-E4E1-42D0-ABD5-8DC24A7EC9BB@gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 1962 bytes --]
On Tue, 2016-06-21 at 10:37 +0100, Pengfei Wang wrote:
> >
> > 在 2016年6月20日,下午8:18,Oleg Nesterov <oleg@redhat.com> 写道:
> >
> > Not that I understand this report, but
> >
> > On 06/20, Richard Guy Briggs wrote:
> > >
> > > This function is only ever called by __audit_free(), which is only ever
> > > called on failure of task creation or on exit of the task, so in neither
> > > case can anything else change it.
> >
> > How so?
> >
> > Another thread or CLONE_VM task or /proc/pid/mem can change the user-space
> > memory in parallel.
> >
> > Oleg.
>
>
> Exactly, by saying “change the data”, I mean the modification from
> malicious users with crafted operations on the user space memory
> directly, rather than the normal operations within the audit
> subsystem in Linux. Moreover, since the copy operations from the user
> space are not protected by any locks or synchronization primitives,
> changing the data under race condition is feasible I think. Besides,
> there isn’t any visible checking step in the code to guarantee the
> consistency between the two copy operations.
>
> Here I would like to figure out what the consequences really are once
> the data is changed between the two copy operations, such as changing
> a none-control string to a control string but process it as a none-
> control string that has no control chars. I think problems will
> happen.
So far as userland can see, kernel log lines are separated by newlines.
If we fail to escape a newline, that makes it possible to inject
arbitrary log lines into the kernel log, which may be misleading to the
administrator or to software parsing the log.
Ben.
--
Ben Hutchings
[W]e found...that it wasn't as easy to get programs right as we had
thought.
... I realized that a large part of my life from then on was going to
be spent
in finding mistakes in my own programs. - Maurice Wilkes, 1949
[-- Attachment #1.2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
next prev parent reply other threads:[~2016-06-21 9:51 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-20 13:50 Report Double Fetch Bug Found in Linux-4.6.1/kernel/auditsc.c Pengfei Wang
2016-06-20 18:22 ` Richard Guy Briggs
2016-06-20 19:18 ` Oleg Nesterov
2016-06-21 9:37 ` Pengfei Wang
2016-06-21 9:51 ` Ben Hutchings [this message]
2016-06-21 18:14 ` Richard Guy Briggs
2016-06-21 18:20 ` Ben Hutchings
2016-06-21 19:18 ` Richard Guy Briggs
2016-06-21 19:59 ` Ben Hutchings
2016-06-21 20:31 ` Andy Lutomirski
2016-06-21 20:47 ` Richard Guy Briggs
2016-06-22 9:57 ` Pengfei Wang
2016-06-27 21:45 ` Paul Moore
2016-06-21 18:17 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1466502671.27155.185.camel@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=j.krinke@ucl.ac.uk \
--cc=linux-audit@redhat.com \
--cc=oleg@redhat.com \
--cc=rgb@redhat.com \
--cc=security@kernel.org \
--cc=wpengfeinudt@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox