From: Bryan Jacobs <its@easytoremember.us>
To: linux-kernel@vger.kernel.org
Subject: /proc/[pid]/mem write implications
Date: Sat, 28 Jan 2012 20:32:50 -0500 [thread overview]
Message-ID: <20120128203250.090abec6@easytoremember.us> (raw)
[-- Attachment #1: Type: text/plain, Size: 2183 bytes --]
Dear LKML,
I have a few questions on the recent change to allow writing
to /proc/[pid]/mem. If I understand correctly, the recent
privilege-escalation vulnerability was fundamentally caused by
incorrectly verifying that the memory being written to by a process was
its own. The goal was to only allow processes to write to their own
memory space - this was deemed harmless.
But I think that allowing arbitrary processes to write to **their own**
memory via a file descriptor might in itself be problematic. Please,
help me understand how this is safe.
Imagine an interpreted program running in a "secure" virtual machine.
This machine makes certain guarantees about program behavior
(typing, method privacy, &c) which it verifies through a
combination of static analysis and runtime checks. These guarantees rely
on the VM being able to instrument certain calls with the
aforementioned runtime safety checks. The VM runs in the same address
space as the interpreted program.
A concrete example of one such virtual machine is the Java VM. Another
is the PHP interpreter.
Now, let's say this VM has a function for opening a file in the local
filesystem. It outsources permissions checking to the host system; any
file which the user launching the VM could read or write, the VM could
also.
Let's say I run some interpreted code which opens up /proc/self/mem,
seeks it to the VM's location in memory (possibly using a signature I
know to orient myself in a randomized address space), I find the
portion of the VM's code which handles the dynamic checking, and I
brutally write NOPs all over it.
Now whenever the VM goes to make a safety check, it will pass, leaving
any interpreted code hosted by that VM free to do whatever it likes!
I see that this could be countered by SELinux or other MAC schemes, but
it seems to me like there may be a few ramifications to allowing
arbitrary-address writes to one's own virtual address space which
haven't been fully explored - or at least, I haven't seen any bulletins
or significant discussion.
Please, let the more knowledgeable correct me. I want to be wrong very
badly.
Bryan Jacobs
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
next reply other threads:[~2012-01-29 1:42 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-29 1:32 Bryan Jacobs [this message]
2012-01-29 3:36 ` /proc/[pid]/mem write implications Cong Wang
2012-01-29 14:19 ` Alan Cox
2012-01-30 8:10 ` Indan Zupancic
2012-01-29 14:21 ` Alan Cox
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120128203250.090abec6@easytoremember.us \
--to=its@easytoremember.us \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox