From: Serge Hallyn <serge.hallyn@canonical.com>
To: Wanlong Gao <gaowanlong@cn.fujitsu.com>
Cc: mingo@kernel.org, hpa@zytor.com, linux-kernel@vger.kernel.org,
dvhart@linux.intel.com, a.p.zijlstra@chello.nl, jkosina@suse.cz,
ebiederm@xmission.com, dhowells@redhat.com,
keescook@chromium.org, tglx@linutronix.de,
linux-tip-commits@vger.kernel.org
Subject: Re: [tip:core/locking] futex: Do not leak robust list to unprivileged process
Date: Mon, 18 Jun 2012 22:13:06 -0500 [thread overview]
Message-ID: <20120619031306.GA3985@sergelap> (raw)
In-Reply-To: <4FDFE4B1.80500@cn.fujitsu.com>
Quoting Wanlong Gao (gaowanlong@cn.fujitsu.com):
> On 06/19/2012 10:24 AM, Serge Hallyn wrote:
> > Quoting Wanlong Gao (gaowanlong@cn.fujitsu.com):
> >> On 03/29/2012 05:55 PM, tip-bot for Kees Cook wrote:
> >>> Commit-ID: bdbb776f882f5ad431aa1e694c69c1c3d6a4a5b8
> >>> Gitweb: http://git.kernel.org/tip/bdbb776f882f5ad431aa1e694c69c1c3d6a4a5b8
> >>> Author: Kees Cook <keescook@chromium.org>
> >>> AuthorDate: Mon, 19 Mar 2012 16:12:53 -0700
> >>> Committer: Thomas Gleixner <tglx@linutronix.de>
> >>> CommitDate: Thu, 29 Mar 2012 11:37:17 +0200
> >>>
> >>> futex: Do not leak robust list to unprivileged process
> >>>
> >>> It was possible to extract the robust list head address from a setuid
> >>> process if it had used set_robust_list(), allowing an ASLR info leak. This
> >>> changes the permission checks to be the same as those used for similar
> >>> info that comes out of /proc.
> >>>
> >>> Running a setuid program that uses robust futexes would have had:
> >>> cred->euid != pcred->euid
> >>> cred->euid == pcred->uid
> >>> so the old permissions check would allow it. I'm not aware of any setuid
> >>> programs that use robust futexes, so this is just a preventative measure.
> >>>
> >>
> >> I'm not sure this change prevents the unprivileged process.
> >> Please refer to LTP test, recently I saw that this change broke
> >> the following test.
> >>
> >> https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/syscalls/get_robust_list/get_robust_list01.c#L155
> >> if (seteuid(1) == -1)
> >> tst_brkm(TBROK|TERRNO, cleanup, "seteuid(1) failed");
> >>
> >> TEST(retval = syscall(__NR_get_robust_list, 1,
> >> (struct robust_list_head *)&head,
> >> &len_ptr));
> >>
> >> We set the euid to an unprivileged user, and expect to FAIL with EPERM,
> >> without this patch, it FAIL as we expected, but with it, this call succeed.
> >
> > This relates to a question I asked - I believe in this thread, maybe in
> > another thread - about ptrace_may_access. That code goes back further than
> > our git history, and for so long has used current->uid and ->gid, not
> > euid and gid, for permission checks. I asked if that's what we really
> > want, but at the same am not sure we want to change something that's
> > been like that for so long.
> >
> > But that's why it succeeded - you changed your euid, not your uid.
>
> Yeah, I known what I'm doing.
Didn't mean to offend :)
> I just wonder which is the right thing.
> Should we check euid or uid ? You mean that checking uid instead of
> checking euid for a long time, right?
Yup, and I agree it seems wrong.
-serge
next prev parent reply other threads:[~2012-06-19 3:13 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-19 23:12 [PATCH] futex: do not leak robust list to unprivileged process Kees Cook
2012-03-20 13:31 ` Serge Hallyn
2012-03-20 17:02 ` Thomas Gleixner
2012-03-20 17:11 ` Kees Cook
2012-03-20 17:23 ` Ingo Molnar
2012-03-22 23:46 ` Thomas Gleixner
2012-03-23 17:58 ` [PATCH] futex: mark get_robust_list as deprecated Kees Cook
2012-03-23 18:27 ` Thomas Gleixner
2012-03-23 19:08 ` Kees Cook
2012-03-23 19:08 ` [PATCH v2] " Kees Cook
2012-03-23 22:06 ` Eric W. Biederman
2012-03-23 22:10 ` Kees Cook
2012-03-30 5:05 ` Matt Helsley
2012-03-30 6:14 ` Pavel Emelyanov
2012-03-30 22:51 ` Gene Cooperman
2012-03-27 18:05 ` Josh Boyer
2012-03-27 19:13 ` Peter Zijlstra
2012-03-29 9:56 ` [tip:core/locking] futex: Mark " tip-bot for Kees Cook
2012-08-02 10:35 ` [PATCH v2] futex: mark " richard -rw- weinberger
2012-08-02 11:11 ` Eric W. Biederman
2012-08-03 10:17 ` richard -rw- weinberger
2012-08-03 11:02 ` Cyrill Gorcunov
2012-08-03 11:19 ` richard -rw- weinberger
2012-08-03 11:27 ` Cyrill Gorcunov
2012-08-03 11:30 ` richard -rw- weinberger
2012-08-03 11:35 ` Cyrill Gorcunov
2012-08-03 11:38 ` richard -rw- weinberger
2012-08-03 12:38 ` Pavel Emelyanov
2012-08-03 12:58 ` Eric W. Biederman
2012-08-03 13:00 ` richard -rw- weinberger
2012-08-03 17:16 ` Kees Cook
2012-03-28 18:33 ` [PATCH] futex: do not leak robust list to unprivileged process Kees Cook
2012-03-28 21:24 ` Thomas Gleixner
2012-03-29 9:55 ` [tip:core/locking] futex: Do " tip-bot for Kees Cook
2012-06-19 1:41 ` Wanlong Gao
2012-06-19 2:24 ` Serge Hallyn
2012-06-19 2:32 ` Wanlong Gao
2012-06-19 3:13 ` Serge Hallyn [this message]
2012-06-19 3:21 ` Wanlong Gao
2012-06-19 12:23 ` Serge Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120619031306.GA3985@sergelap \
--to=serge.hallyn@canonical.com \
--cc=a.p.zijlstra@chello.nl \
--cc=dhowells@redhat.com \
--cc=dvhart@linux.intel.com \
--cc=ebiederm@xmission.com \
--cc=gaowanlong@cn.fujitsu.com \
--cc=hpa@zytor.com \
--cc=jkosina@suse.cz \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-tip-commits@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).