public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: Thomas Gleixner <tglx@linutronix.de>
To: Serge Hallyn <serge.hallyn@canonical.com>
Cc: Kees Cook <keescook@chromium.org>,
	linux-kernel@vger.kernel.org,
	Darren Hart <dvhart@linux.intel.com>,
	Peter Zijlstra <a.p.zijlstra@chello.nl>,
	Andrew Morton <akpm@linux-foundation.org>,
	Jiri Kosina <jkosina@suse.cz>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	David Howells <dhowells@redhat.com>,
	kernel-hardening@lists.openwall.com, spender@grsecurity.net,
	mingo@kernel.org
Subject: Re: [PATCH] futex: do not leak robust list to unprivileged process
Date: Tue, 20 Mar 2012 18:02:49 +0100 (CET)	[thread overview]
Message-ID: <alpine.LFD.2.02.1203201758220.2542@ionos> (raw)
In-Reply-To: <20120320133141.GC2918@peqn>

On Tue, 20 Mar 2012, Serge Hallyn wrote:

> Quoting Kees Cook (keescook@chromium.org):
> > It was possible to extract the robust list head address from a setuid
> > process if it had used set_robust_list(), allowing an ASLR info leak. This
> > changes the permission checks to be the same as those used for similar
> > info that comes out of /proc.
> > 
> > Running a setuid program that uses robust futexes would have had:
> >   cred->euid != pcred->euid
> >   cred->euid == pcred->uid
> > so the old permissions check would allow it. I'm not aware of any setuid
> > programs that use robust futexes, so this is just a preventative measure.
> > 
> > (This patch is based on changes from grsecurity.)
> > 
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> 
> I like the change.  Much cleaner.  I'm not 100% sure though that
> there are no legitimate cases of robust futexes use which would now
> be forbidden.  (Explicitly cc:ing Ingo)

get_robust_list is not necessary for robust futexes. There is no
reference to get_robust_list in glibc.

I really wonder why we have this syscall at all.

Thanks,

	tglx

  reply	other threads:[~2012-03-20 17:02 UTC|newest]

Thread overview: 40+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-03-19 23:12 [PATCH] futex: do not leak robust list to unprivileged process Kees Cook
2012-03-20 13:31 ` Serge Hallyn
2012-03-20 17:02   ` Thomas Gleixner [this message]
2012-03-20 17:11     ` Kees Cook
2012-03-20 17:23       ` Ingo Molnar
2012-03-22 23:46         ` Thomas Gleixner
2012-03-23 17:58           ` [PATCH] futex: mark get_robust_list as deprecated Kees Cook
2012-03-23 18:27             ` Thomas Gleixner
2012-03-23 19:08               ` Kees Cook
2012-03-23 19:08               ` [PATCH v2] " Kees Cook
2012-03-23 22:06                 ` Eric W. Biederman
2012-03-23 22:10                   ` Kees Cook
2012-03-30  5:05                   ` Matt Helsley
2012-03-30  6:14                     ` Pavel Emelyanov
2012-03-30 22:51                     ` Gene Cooperman
2012-03-27 18:05                 ` Josh Boyer
2012-03-27 19:13                   ` Peter Zijlstra
2012-03-29  9:56                 ` [tip:core/locking] futex: Mark " tip-bot for Kees Cook
2012-08-02 10:35                 ` [PATCH v2] futex: mark " richard -rw- weinberger
2012-08-02 11:11                   ` Eric W. Biederman
2012-08-03 10:17                     ` richard -rw- weinberger
2012-08-03 11:02                       ` Cyrill Gorcunov
2012-08-03 11:19                         ` richard -rw- weinberger
2012-08-03 11:27                           ` Cyrill Gorcunov
2012-08-03 11:30                             ` richard -rw- weinberger
2012-08-03 11:35                               ` Cyrill Gorcunov
2012-08-03 11:38                                 ` richard -rw- weinberger
2012-08-03 12:38                         ` Pavel Emelyanov
2012-08-03 12:58                           ` Eric W. Biederman
2012-08-03 13:00                             ` richard -rw- weinberger
2012-08-03 17:16                             ` Kees Cook
2012-03-28 18:33           ` [PATCH] futex: do not leak robust list to unprivileged process Kees Cook
2012-03-28 21:24             ` Thomas Gleixner
2012-03-29  9:55 ` [tip:core/locking] futex: Do " tip-bot for Kees Cook
2012-06-19  1:41   ` Wanlong Gao
2012-06-19  2:24     ` Serge Hallyn
2012-06-19  2:32       ` Wanlong Gao
2012-06-19  3:13         ` Serge Hallyn
2012-06-19  3:21           ` Wanlong Gao
2012-06-19 12:23             ` Serge Hallyn

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alpine.LFD.2.02.1203201758220.2542@ionos \
    --to=tglx@linutronix.de \
    --cc=a.p.zijlstra@chello.nl \
    --cc=akpm@linux-foundation.org \
    --cc=dhowells@redhat.com \
    --cc=dvhart@linux.intel.com \
    --cc=ebiederm@xmission.com \
    --cc=jkosina@suse.cz \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@kernel.org \
    --cc=serge.hallyn@canonical.com \
    --cc=spender@grsecurity.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox