From: Vasiliy Kulikov <segoon@openwall.com>
To: Cyrill Gorcunov <gorcunov@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
"Kirill A. Shutemov" <kirill@shutemov.name>,
containers@lists.osdl.org, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org, Nathan Lynch <ntl@pobox.com>,
kernel-hardening@lists.openwall.com,
Oren Laadan <orenl@cs.columbia.edu>,
Daniel Lezcano <dlezcano@fr.ibm.com>,
Glauber Costa <glommer@parallels.com>,
James Bottomley <jbottomley@parallels.com>,
Tejun Heo <tj@kernel.org>, Alexey Dobriyan <adobriyan@gmail.com>,
Al Viro <viro@ZenIV.linux.org.uk>,
Pavel Emelyanov <xemul@parallels.com>
Subject: Re: [patch 2/2] fs, proc: Introduce the /proc/<pid>/map_files/ directory v6
Date: Tue, 6 Sep 2011 14:15:18 +0400 [thread overview]
Message-ID: <20110906101518.GA4799@albatros> (raw)
In-Reply-To: <20110905203627.GL761@sun>
On Tue, Sep 06, 2011 at 00:36 +0400, Cyrill Gorcunov wrote:
> > But I still see one very nasty issue - one may trigger this ptrace check,
> > trigger d_drop() and then look at /proc/slabinfo at "dentry" row. If
> > the number has changed, then the interested dentry existed before the
> > revalidate call. This infoleak is tricky to fix without any race.
> >
> > Probably it's time to close /proc/slabinfo infoleak?
> >
>
> Actually I miss to see how exactly this infoleak can be used by attacker
> or whoever. So, Vasiliy, what the security issue there?
The security model of procfs is: /proc/PID/fd/ is available to users
that may ptrace PID only. Particularly, the number of opened file
descriptors is a private information. If other task that may not ptrace
PID is able to get this information, this is an issue. Keeping opened
file descriptor of /proc/PID/fd/ and exec'ing some setxid binary as PID
might lead to the infoleak. It can be used in certain rare cases when
the knowledge of whether specific fd is opened/closed gains some
important information, e.g. whether some security check has
failed/succeeded (which is indirectly signaled by the kept fd). As for
map_files/ it may reveal ASLR offsets (but only some bits, not all of
them, I guess).
Without dropping denries it can be identified by calling stat() or
link() against dentries existing in the cache. In more details:
1) an attacker has a task with pid=PID with many opened fds.
2) Other task (PID2) opens /proc/PID/fd/ and fills the dentry cache.
Now dcache contains procfs entries for file descriptors of PID.
3) PID execve's setxid binary. (From this point PID2 should not get
_any_ information about /proc/PID/fd/, but this rule is violated in (4).)
4) PID2 does something to learn whether any fd of PID is opened/closed.
a) before "proc: fix races against execve() of /proc/PID/fd**" patch
PID2 could simply do getdents() against kept file descriptor of
/proc/PID/fd and get the list of opened fds.
b) Without dentry dropping on each access PID2 could use link(2) to
read /proc/PID/fd/* dentries from dcache. As they are in the
dcache since (2), ptrace check from ->lookup() is not applied.
c) If dentry is lazily dropped on each access attempt (or each illegal
access) then PID2 can:
i) read dentry line of /proc/slabinfo
ii) call link(2) against /proc/PID/fd, which invalidates the
specific dentry
iii) re-read dentry line of /proc/slabinfo. If it has decreased by
one, the dentry existed before (ii).
Is it possible to either allocate already dropped dentry or to force
->lookup() without invalidating dentry? The latter would potentially
pollute the dchache, though.
Thanks,
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
next prev parent reply other threads:[~2011-09-06 10:15 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-31 7:58 [patch 0/2] Introduce /proc/pid/map_files v6 Cyrill Gorcunov
2011-08-31 7:58 ` [patch 1/2] fs, proc: Make proc_get_link to use dentry instead of inode Cyrill Gorcunov
2011-08-31 7:58 ` [patch 2/2] fs, proc: Introduce the /proc/<pid>/map_files/ directory v6 Cyrill Gorcunov
2011-08-31 9:06 ` Vasiliy Kulikov
2011-08-31 10:12 ` Cyrill Gorcunov
2011-08-31 11:26 ` Cyrill Gorcunov
2011-08-31 14:04 ` Kirill A. Shutemov
2011-08-31 14:09 ` Cyrill Gorcunov
2011-08-31 14:26 ` Cyrill Gorcunov
2011-08-31 22:10 ` Andrew Morton
2011-09-01 3:07 ` Kyle Moffett
2011-09-01 7:58 ` Pavel Emelyanov
2011-09-01 11:50 ` Tejun Heo
2011-09-01 12:13 ` Pavel Emelyanov
2011-09-01 17:13 ` Tejun Heo
2011-09-02 19:15 ` Matt Helsley
2011-09-02 0:09 ` Matt Helsley
2011-09-01 8:05 ` Cyrill Gorcunov
2011-09-02 16:37 ` Vasiliy Kulikov
2011-09-05 18:53 ` Vasiliy Kulikov
2011-09-05 19:20 ` Cyrill Gorcunov
2011-09-05 19:49 ` Vasiliy Kulikov
2011-09-05 20:36 ` Cyrill Gorcunov
2011-09-06 10:15 ` Vasiliy Kulikov [this message]
2011-09-06 16:51 ` Tejun Heo
2011-09-06 17:29 ` Vasiliy Kulikov
2011-09-06 17:33 ` Tejun Heo
2011-09-06 18:15 ` Cyrill Gorcunov
[not found] ` <20110906173341.GM18425-9pTldWuhBndy/B6EtB590w@public.gmane.org>
2011-09-07 11:23 ` Vasiliy Kulikov
2011-09-07 21:53 ` Cyrill Gorcunov
2011-09-07 22:13 ` Andrew Morton
2011-09-07 22:42 ` Cyrill Gorcunov
2011-09-07 22:53 ` Andrew Morton
2011-09-08 5:48 ` Cyrill Gorcunov
2011-09-08 5:50 ` Cyrill Gorcunov
2011-09-08 6:04 ` Cyrill Gorcunov
2011-09-08 23:52 ` Andrew Morton
2011-09-09 0:24 ` Pavel Emelyanov
2011-09-09 5:48 ` Cyrill Gorcunov
2011-09-09 6:00 ` Andrew Morton
2011-09-09 6:22 ` Cyrill Gorcunov
2011-09-10 13:21 ` [kernel-hardening] " Vasiliy Kulikov
2011-09-10 13:49 ` Cyrill Gorcunov
2011-09-01 10:46 ` Cyrill Gorcunov
2011-09-01 22:49 ` Andrew Morton
2011-09-01 23:04 ` Tejun Heo
2011-09-02 5:54 ` Cyrill Gorcunov
2011-09-02 5:53 ` Cyrill Gorcunov
2011-08-31 22:50 ` Andrew Morton
2011-09-02 1:54 ` Nicholas Miell
2011-09-02 1:58 ` Tejun Heo
2011-09-02 2:04 ` Nicholas Miell
2011-09-02 2:29 ` Tejun Heo
2011-09-02 8:07 ` Kirill A. Shutemov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110906101518.GA4799@albatros \
--to=segoon@openwall.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=containers@lists.osdl.org \
--cc=dlezcano@fr.ibm.com \
--cc=glommer@parallels.com \
--cc=gorcunov@gmail.com \
--cc=jbottomley@parallels.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=kirill@shutemov.name \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ntl@pobox.com \
--cc=orenl@cs.columbia.edu \
--cc=tj@kernel.org \
--cc=viro@ZenIV.linux.org.uk \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).