From: Al Viro <viro@ZenIV.linux.org.uk>
To: Stephen Wilson <wilsons@start.ca>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
Andrew Morton <akpm@linux-foundation.org>,
David Rientjes <rientjes@google.com>,
Nick Piggin <npiggin@kernel.dk>,
Roland McGrath <roland@redhat.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Enable writing to /proc/PID/mem.
Date: Thu, 3 Mar 2011 19:46:26 +0000
Message-ID: <20110303194626.GN22723@ZenIV.linux.org.uk>
In-Reply-To: <20110303193802.GA4994@fibrous.localdomain>

On Thu, Mar 03, 2011 at 02:38:02PM -0500, Stephen Wilson wrote:
> > I haven't found any problem in this patch. But, I really believe we need
> > to understand why it was marked "security hazard". Al, I guess you know it,
> > right? So, can you please talk us your mention?
>
> I did a bit more digging trying to find why mem_write was marked a security
> hazard.
>
> It goes back to 2.4.0-test10pre4. Unfortunately, the changelog entry is
> not at all informative either:
>
> - disable writing to /proc/xxx/mem. Sure, it works now, but it's
> still a security risk.

Think what happens if the target execs suid-root binary in the middle of your
call. After you've done your check. E.g. during copy_from_user().

On the read side we actually recheck permissions after having copied into
buffer and if the check fails we don't copy that buffer into userland.
Not feasible on the write side...
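
The check/copy/recheck asymmetry described in the reply above, as an added user-space model (not kernel code and not part of the original message). `struct target`, `may_access()`, `racing_exec()`, `model_read()` and `model_write()` are hypothetical names, and the exec is simulated by a flag flip between the first check and the copy.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the accessed process; not a kernel structure. */
struct target {
    int  privileged;   /* 1 once the target has exec'd a suid-root binary */
    char mem[16];      /* stands in for the target's address space */
};

/* Hypothetical permission check: only unprivileged targets may be touched. */
static int may_access(const struct target *t) { return !t->privileged; }

/* Models the exec that lands after the caller's permission check. */
static void racing_exec(struct target *t)
{
    t->privileged = 1;
    memset(t->mem, 'S', sizeof t->mem);  /* contents of the new image */
}

/* Read side: check, copy into a bounce buffer, recheck, then release data. */
int model_read(struct target *t, char *user, size_t n, int race)
{
    char bounce[sizeof t->mem];
    if (n > sizeof bounce) return -EINVAL;
    if (!may_access(t)) return -EPERM;
    if (race) racing_exec(t);            /* exec after the first check */
    memcpy(bounce, t->mem, n);
    if (!may_access(t)) return -EPERM;   /* recheck: bounce is discarded */
    memcpy(user, bounce, n);             /* data leaves only if still allowed */
    return (int)n;
}

/* Write side: the store into the target is itself the side effect, so a
 * recheck afterwards can report the race but cannot undo the store. */
int model_write(struct target *t, const char *user, size_t n, int race)
{
    if (n > sizeof t->mem) return -EINVAL;
    if (!may_access(t)) return -EPERM;
    if (race) racing_exec(t);            /* models exec during copy_from_user() */
    memcpy(t->mem, user, n);             /* lands in the now-privileged image */
    if (!may_access(t)) return -EPERM;   /* too late: memory already modified */
    return (int)n;
}
```

With the simulated race, `model_read()` fails without releasing any bytes, while `model_write()` fails only after the target's memory has already changed.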