From: Frederik Deweerdt <deweerdt@free.fr>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Amnon Shiloh <amnons@cs.huji.ac.il>,
linux-kernel@vger.kernel.org, akpm@osdl.org, gregkh@suse.de
Subject: Re: [2.6.18 patch] fix mem_write return value (was: Re: bug report: mem_write)
Date: Thu, 24 Aug 2006 22:07:47 +0000 [thread overview]
Message-ID: <20060824220747.GA3197@slug> (raw)
In-Reply-To: <m17j0ym6un.fsf@ebiederm.dsl.xmission.com>
On Thu, Aug 24, 2006 at 10:33:20AM -0600, Eric W. Biederman wrote:
> Frederik Deweerdt <deweerdt@free.fr> writes:
>
> > On Thu, Aug 24, 2006 at 11:25:37AM +0300, Amnon Shiloh wrote:
> >> Hi,
> >>
> >> Alright, I know that "mem_write" (fs/proc/base.c) is a "security hazard",
> >> but I need to use it anyway (as super-user only), and find it broken,
> >> somewhere between Linux-2.6.17 and Linux-2.6.18-rc4.
> >>
> >> The point is that in the beginning of the routine, "copied" is set to 0,
> >> but it is no good because in lines 805 and 812 it is set to other values.
> >> Finally, the routine returns as if it copied 12 (=ENOMEM) bytes less than
> >> it actually did.
> > True, it looks like the faulty commit is:
> > de7587343bfebc186995ad294e3de0da382eb9bc
>
> Actually it was: 99f895518368252ba862cc15ce4eb98ebbe1bec6
> Which is what you url points to, odd.
>
> > http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=99f895518368252ba862cc15ce4eb98ebbe1bec6;hp=8578cea7509cbdec25b31d08b48a92fcc3b1a9e3
> >
> > The attached patch should fix it. Maybe that should go to 2.6.18.
> > Thanks for the bug report,
>
> The patch looks correct. Although this won't cause anyone problems as the code
> is disabled.
Right, I missed this, so this is really not urgent.
>
> Signed-off-by: Eric Biederman <ebiederm@xmission.com>
>
> As for enabling this. I believe we need an extra permission check just before
> we copy the data from our temporary buffer to the target task, to ensure
> nothing has changed. The history does not really capture why this code
> was disabled, but before this gets enabled I would like to understand more
> than just the comment. I believe with a little care this can be safely enabled
> as it doesn't let you do anything ptrace wouldn't do, and it should let you do
> it anytime except when ptrace would allow it. Thus not introducing any new
> security holes.
I've found two interesting links on that:
http://lkml.org/lkml/2006/3/10/224
and
http://www.google.com/search?q=cache:4y8MWSuHOpIJ:files.security-protocols.com/kernelhacking/procpidmem.pdf&hl=en&ct=clnk&cd=3&client=firefox-a
The second one in particular goes in great detail on why the author
thinks this is dangerous, and what could be done to re-enable it.
Regards,
Frederik
next prev parent reply other threads:[~2006-08-24 20:08 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-08-24 8:25 bug report: mem_write Amnon Shiloh
2006-08-24 10:35 ` Gerard J Snitselaar
2006-08-24 14:00 ` [2.6.18 patch] fix mem_write return value (was: Re: bug report: mem_write) Frederik Deweerdt
2006-08-24 16:33 ` Eric W. Biederman
2006-08-24 22:07 ` Frederik Deweerdt [this message]
2006-08-25 1:05 ` Amnon Shiloh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060824220747.GA3197@slug \
--to=deweerdt@free.fr \
--cc=akpm@osdl.org \
--cc=amnons@cs.huji.ac.il \
--cc=ebiederm@xmission.com \
--cc=gregkh@suse.de \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox