Linux-audit Archive on lore.kernel.org
 help / color / mirror / Atom feed
From: Ben Hutchings <ben@decadent.org.uk>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: security@kernel.org, Pengfei Wang <wpengfeinudt@gmail.com>,
	"Krinke, Jens" <j.krinke@ucl.ac.uk>,
	Oleg Nesterov <oleg@redhat.com>,
	linux-audit@redhat.com
Subject: Re: Report Double Fetch Bug Found in Linux-4.6.1/kernel/auditsc.c
Date: Tue, 21 Jun 2016 19:20:33 +0100	[thread overview]
Message-ID: <1466533233.27155.193.camel@decadent.org.uk> (raw)
In-Reply-To: <20160621181431.GD25615@madcap2.tricolour.ca>


[-- Attachment #1.1: Type: text/plain, Size: 2652 bytes --]

On Tue, 2016-06-21 at 14:14 -0400, Richard Guy Briggs wrote:
> On 2016-06-21 10:51, Ben Hutchings wrote:
> > On Tue, 2016-06-21 at 10:37 +0100, Pengfei Wang wrote:
> > > > 
> > > > 在 2016年6月20日,下午8:18,Oleg Nesterov <oleg@redhat.com> 写道:
> > > > 
> > > > Not that I understand this report, but
> > > > 
> > > > On 06/20, Richard Guy Briggs wrote:
> > > > > 
> > > > > This function is only ever called by __audit_free(), which is only ever
> > > > > called on failure of task creation or on exit of the task, so in neither
> > > > > case can anything else change it.
> > > > 
> > > > How so?
> > > > 
> > > > Another thread or CLONE_VM task or /proc/pid/mem can change the user-space
> > > > memory in parallel.
> > > > 
> > > > Oleg.
> > > 
> > > 
> > > Exactly, by saying “change the data”, I mean the modification from
> > > malicious users with crafted operations on the user space memory
> > > directly, rather than the normal operations within the audit
> > > subsystem in Linux. Moreover, since the copy operations from the user
> > > space are not protected by any locks or synchronization primitives,
> > > changing the data under race condition is feasible I think. Besides,
> > > there isn’t any visible checking step in the code to guarantee the
> > > consistency between the two copy operations.
> > > 
> > > Here I would like to figure out what the consequences really are once
> > > the data is changed between the two copy operations, such as changing
> > > a none-control string to a control string but process it as a none-
> > > control string that has no control chars. I think problems will
> > > happen.
> > 
> > So far as userland can see, kernel log lines are separated by newlines.
> 
> Newlines are control characters that would be caught by that filter.
> That filter catches '"', < 0x21, > 0x7e.
> 
> > If we fail to escape a newline, that makes it possible to inject
> > arbitrary log lines into the kernel log, which may be misleading to the
> > administrator or to software parsing the log.
> 
> So, this is addressed, but I'm still trying to assess the danger of this
> repeated call to copy_from_user().

The problem is that newlines can be added to the strings by another
task between the first pass that checks for control characters and the
second pass that copies them to the log.

Ben.

-- 
Ben Hutchings
[W]e found...that it wasn't as easy to get programs right as we had
thought.
... I realized that a large part of my life from then on was going to
be spent
in finding mistakes in my own programs. - Maurice Wilkes, 1949

[-- Attachment #1.2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]



  reply	other threads:[~2016-06-21 18:20 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-06-20 13:50 Report Double Fetch Bug Found in Linux-4.6.1/kernel/auditsc.c Pengfei Wang
2016-06-20 18:22 ` Richard Guy Briggs
2016-06-20 19:18   ` Oleg Nesterov
2016-06-21  9:37     ` Pengfei Wang
2016-06-21  9:51       ` Ben Hutchings
2016-06-21 18:14         ` Richard Guy Briggs
2016-06-21 18:20           ` Ben Hutchings [this message]
2016-06-21 19:18             ` Richard Guy Briggs
2016-06-21 19:59               ` Ben Hutchings
2016-06-21 20:31                 ` Andy Lutomirski
2016-06-21 20:47                   ` Richard Guy Briggs
2016-06-22  9:57                     ` Pengfei Wang
2016-06-27 21:45                       ` Paul Moore
2016-06-21 18:17       ` Richard Guy Briggs

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1466533233.27155.193.camel@decadent.org.uk \
    --to=ben@decadent.org.uk \
    --cc=j.krinke@ucl.ac.uk \
    --cc=linux-audit@redhat.com \
    --cc=oleg@redhat.com \
    --cc=rgb@redhat.com \
    --cc=security@kernel.org \
    --cc=wpengfeinudt@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox