From: Jack Lloyd <lloyd@randombit.net>
To: gcc@gcc.gnu.org, linux-kernel@vger.kernel.org
Subject: Re: RELEASE BLOCKER: Linux doesn't follow x86/x86-64 ABI wrt direction flag
Date: Thu, 6 Mar 2008 15:16:33 -0500
Message-ID: <20080306201633.GM27983@randombit.net>
In-Reply-To: <47D0495F.2090109@gnu.org>
On Thu, Mar 06, 2008 at 08:43:27PM +0100, Paolo Bonzini wrote:
> Jack Lloyd wrote:
> > On Thu, Mar 06, 2008 at 07:13:20PM +0100, Paolo Bonzini wrote:
> > > A process can send a signal via kill. IOW, a malicious process can
> > > *control when the process would be interrupted* in order to get it into
> > > the signal handler with DF=1.
> >
> > If the malicious process can send a signal to another process, it
> > could also ptrace() it. Which is more useful, if you wanted to be
> > malicious?
>
> 1) capabilities(7)

Ah you are right, I misinterpreted something from the man page
("non-root processes cannot trace processes that they cannot send
signals to") to mean something it did not (basically, that CAP_KILL
implied CAP_SYS_PTRACE, which from reading the kernel source is
clearly not the case...)

But still: so the threat here is of a malicious process with the
ability to send arbitrary signals to any process using CAP_KILL (since
in any other case when a process can send a signal, it can do much
more damage in other ways), which could leverage that into
(potentially) uid==0 using misexecuted code in a signal handler.

As a correctness issue, obviously this should be fixed/patched around,
if feasible. But as a security flaw? I'm not seeing much that is
compelling.

> 2) sometimes setuid programs send signals (e.g. SIGHUP or SIGUSR1)

I don't understand how this is a problem - unless these setuid
programs, while not malicious, can be tricked into signalling a
process they did not intend to. (In which case they already have a
major bug, df bit being cleared or not).

-Jack
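The property the thread is arguing about can be checked directly from user space: the SysV x86/x86-64 ABI lets compiler-generated code (e.g. `rep movs` inside an inlined memcpy) assume DF is clear on function entry, so a signal handler is only ABI-conformant if the kernel clears DF before jumping to it. The program below is an added example, not code from this thread or from the kernel: it sets DF with `std`, delivers SIGUSR1 to itself, records EFLAGS from inside the handler with `pushf`, and reports whether DF was clear on handler entry. It assumes a Linux x86 or x86-64 build with GCC or Clang inline assembly; the choice of SIGUSR1 and the function name `df_cleared_on_signal_entry` are mine. The handler deliberately avoids anything that could compile to a string instruction, so it is safe to run even on a kernel that does not clear DF.

```c
/* Added example: does the kernel clear DF before entering a signal handler?
 * Assumes Linux on x86/x86-64 with GCC/Clang inline asm; other targets report -1. */
#define _GNU_SOURCE 1
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define X86_EFLAGS_DF 0x400UL   /* direction flag is bit 10 of EFLAGS */

static volatile unsigned long g_handler_flags;

/* Read EFLAGS/RFLAGS without touching memory via string instructions. */
static unsigned long read_flags(void)
{
#if defined(__x86_64__)
    unsigned long f;
    __asm__ volatile("pushfq\n\tpopq %0" : "=r"(f) : : "memory");
    return f;
#elif defined(__i386__)
    unsigned long f;
    __asm__ volatile("pushfl\n\tpopl %0" : "=r"(f) : : "memory");
    return f;
#else
    return 0;
#endif
}

/* Handler only stores the flags it observed on entry, then clears DF so the
 * remainder of the handler (and the sigreturn trampoline) is ABI-conformant
 * even on a kernel that delivered the signal with DF=1. */
static void handler(int sig)
{
    (void)sig;
    g_handler_flags = read_flags();
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("cld" : : : "memory");
#endif
}

/* Returns 1 if DF was clear when the handler was entered (kernel clears it),
 * 0 if DF was still set (the behaviour this thread reports), -1 if unsupported. */
int df_cleared_on_signal_entry(void)
{
#if !defined(__x86_64__) && !defined(__i386__)
    return -1;
#else
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    if (sigaction(SIGUSR1, &sa, &old) != 0)
        return -1;

    g_handler_flags = 0;
    pid_t self = getpid();

    /* Set DF, then deliver the signal to ourselves. POSIX guarantees an
     * unblocked signal sent to the calling process is delivered before
     * kill() returns, so the handler runs between std and cld. The "memory"
     * clobbers keep the compiler from moving the call across the asm. */
    __asm__ volatile("std" : : : "memory");
    kill(self, SIGUSR1);
    __asm__ volatile("cld" : : : "memory");

    sigaction(SIGUSR1, &old, NULL);
    return (g_handler_flags & X86_EFLAGS_DF) ? 0 : 1;
#endif
}

int main(void)
{
    int r = df_cleared_on_signal_entry();
    if (r < 0)
        puts("not an x86 Linux build; nothing to check");
    else
        printf("DF %s on signal-handler entry\n", r ? "cleared" : "still set");
    return r == 0 ? 1 : 0;
}
```

A result of 0 means any handler (or anything it calls) that the compiler optimised with string instructions would run in the wrong direction, which is the correctness bug the thread is about; a result of 1 means the kernel already restores the ABI invariant and the defensive `cld` in the handler is redundant.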