From: Pete Zaitcev <zaitcev@redhat.com>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: torvalds@osdl.org, vsu@altlinux.ru, laforge@gnumonks.org,
linux-usb-devel@lists.sourceforge.net, vendor-sec@lst.de,
linux-kernel@vger.kernel.org, greg@kroah.com,
security@linux.kernel.org, zaitcev@redhat.com
Subject: Re: [Security] [vendor-sec] [BUG/PATCH/RFC] Oops while completing async USB via usbdevio
Date: Thu, 13 Oct 2005 16:00:10 -0700 [thread overview]
Message-ID: <20051013160010.7cc532ae.zaitcev@redhat.com> (raw)
In-Reply-To: <1127840281.10674.5.camel@localhost.localdomain>
On Tue, 27 Sep 2005 17:58:00 +0100, Alan Cox <alan@lxorguk.ukuu.org.uk> wrote:
> On Maw, 2005-09-27 at 09:09 -0700, Linus Torvalds wrote:
> > > root-owned), then the urb completes, and kill_proc_info() sends the
> > > signal to the unsuspecting process.
> >
> > Ehh.. pid's don't get re-used until they wrap.
>
> Which doesn't take very long to arrange. Relying on pids is definitely a
> security problem we don't want to make worse than it already is.
The whole application cannot exit and leave URBs running behind,
because usbdevio_release() blocks until they are terminated.
Only separate threads can exit.
So, the only thing a malicious user can do is something like this:
- open /proc/bus/usb/BUS/DEV
- submit URB
- fork
- exit parent thread
- wait in the child until PIDs wrap very close to former parent
- exit and hope that someone forks while the exit is processing
Right? But if so, why don't we do something like this:
submit_urb()
as->pid = current->pid;
as->tgid = current->tgid;
.....
async_complete()
__kill_same_process(as->pid, as->tgid);
/* DO NOT USE IN DRIVERS (other than USB core) */
__kill_same_process(pid_t pid, pid_t tgid) {
task_struct *we, *maybe_parent;
lock(&tasklist_lock);
we = find_task_by_pid(pid);
maybe_parent = find_task_by_tgid(pid);
if (maybe_parent != NULL && we->parent == maybe_parent)
send_sig_info(sig, info, we);
unlock(&tasklist_lock);
}
This does not need to check any IDs, I think. Then we do not have to
ponder if effective or real is more appropriate, and if any sort of
new-fanged security thingies like capabilities apply.
-- Pete
next prev parent reply other threads:[~2005-10-13 23:00 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-09-25 15:13 [BUG/PATCH/RFC] Oops while completing async USB via usbdevio Harald Welte
2005-09-27 8:04 ` [vendor-sec] " Greg KH
2005-09-27 9:13 ` Greg KH
[not found] ` <20050927110319.GD1980@piware.de>
2005-09-27 12:22 ` [vendor-sec] " Greg KH
2005-09-27 12:48 ` [vendor-sec] " Christoph Hellwig
2005-09-27 12:57 ` Greg KH
2005-09-27 12:59 ` Christoph Hellwig
2005-09-27 13:09 ` Greg KH
2005-09-27 15:27 ` David Brownell
2005-09-27 14:53 ` [Security] " Linus Torvalds
2005-09-27 16:00 ` [linux-usb-devel] " Sergey Vlasov
2005-09-27 16:09 ` Linus Torvalds
2005-09-27 16:52 ` Sergey Vlasov
2005-09-27 17:02 ` Linus Torvalds
2005-09-30 10:47 ` Harald Welte
2005-09-30 14:56 ` Linus Torvalds
2005-09-30 18:44 ` Chris Wright
2005-09-30 19:27 ` Linus Torvalds
2005-09-30 20:38 ` Chris Wright
2005-09-30 22:08 ` Harald Welte
2005-09-30 22:16 ` Linus Torvalds
2005-10-10 17:44 ` Harald Welte
2005-10-10 18:07 ` Chris Wright
2005-10-11 9:45 ` Harald Welte
2005-10-11 23:10 ` [vendor-sec] " Greg KH
2005-10-11 23:44 ` Linus Torvalds
2005-10-12 7:24 ` Harald Welte
2005-10-13 5:51 ` Horms
2005-10-11 13:57 ` Bernd Petrovitsch
2005-10-10 18:19 ` Linus Torvalds
2005-10-10 22:47 ` Chris Wright
2005-10-10 20:03 ` [linux-usb-devel] " Alan Stern
2005-10-11 8:28 ` Harald Welte
2005-10-11 17:37 ` Paul Jackson
2005-10-11 17:58 ` linux-os (Dick Johnson)
2005-10-11 19:13 ` Alan Stern
2005-10-11 20:02 ` [Security] " Alan Cox
2005-09-27 17:20 ` PID reuse safety for userspace apps (Re: [linux-usb-devel] Re: [Security] [vendor-sec] [BUG/PATCH/RFC] Oops while completing async USB via usbdevio) Solar Designer
2005-09-27 20:34 ` Alan Cox
2005-09-27 20:42 ` Linus Torvalds
2005-09-27 21:16 ` Solar Designer
2005-09-27 21:03 ` Solar Designer
2005-09-27 16:58 ` [linux-usb-devel] Re: [Security] [vendor-sec] [BUG/PATCH/RFC] Oops while completing async USB via usbdevio Alan Cox
2005-09-27 16:59 ` Linus Torvalds
2005-09-27 20:35 ` Alan Cox
2005-10-13 23:00 ` Pete Zaitcev [this message]
2005-10-13 23:16 ` Linus Torvalds
2005-10-13 23:56 ` Pete Zaitcev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20051013160010.7cc532ae.zaitcev@redhat.com \
--to=zaitcev@redhat.com \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=greg@kroah.com \
--cc=laforge@gnumonks.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb-devel@lists.sourceforge.net \
--cc=security@linux.kernel.org \
--cc=torvalds@osdl.org \
--cc=vendor-sec@lst.de \
--cc=vsu@altlinux.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox