From: daw@cs.berkeley.edu (David Wagner)
To: linux-kernel@vger.kernel.org
Subject: Re: [PATCH] getsockopt() early argument sanity checking
Date: Mon, 21 Aug 2006 03:00:22 +0000 (UTC)
Message-ID: <ecb7k6$grh$1@taverner.cs.berkeley.edu>
In-Reply-To: 20060819230532.GA16442@openwall.com
Solar Designer wrote:
>The patch makes getsockopt(2) sanity-check the value pointed to by
>the optlen argument early on. This is a security hardening measure
>intended to prevent exploitation of certain potential vulnerabilities in
>socket type specific getsockopt() code on UP systems.
This looks broken to me. It has a TOCTTOU (time-of-check-to-time-of-use)
vulnerability (i.e., race condition): you read the length value twice,
and assume that you will get the same value both times. That assumption
is not valid.
It looks like it will be easy to bypass this check. For instance,
think about what happens if an adversary stores the length field in a
mmaped region. It should be easy for the value of that
length field to change between when it was first read and when it was
subsequently read. I don't see how this provides any "hardening" if
the attacker knows how to read kernel source code. Am I missing
something?
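The double fetch David describes, as an added illustration that is not part of this thread or of the patch under discussion: a constructed model of a user-space optlen whose value differs between the kernel's first and second read, with the check-once-and-use-the-checked-copy form beside it. The struct user_int, get_user_int() and OPT_BUF_SIZE names are assumptions of this example, not kernel code.

```c
#include <stdio.h>
/* Constructed stand-in for an int in user memory (e.g. an mmap'ed page)
 * that another thread may rewrite between two kernel reads.  A real racing
 * thread would make the outcome nondeterministic, so this model hands out
 * one value on the first fetch and a different one on every later fetch. */
struct user_int {
    int first_value;   /* what the early sanity check sees */
    int later_value;   /* what any later fetch sees after the rewrite */
    int reads;         /* fetches so far */
};

static int get_user_int(struct user_int *u) {
    return (u->reads++ == 0) ? u->first_value : u->later_value;
}

#define OPT_BUF_SIZE 64   /* kernel buffer the option value is copied into */

/* Double-fetch pattern: the early check reads optlen once, and the
 * protocol-specific handler reads it again for the actual copy.  Returns
 * the length that ends up being used, or -1 if the check rejected it. */
static int getsockopt_double_fetch(struct user_int *optlen) {
    int len = get_user_int(optlen);      /* fetch #1: early sanity check */
    if (len < 0 || len > OPT_BUF_SIZE)
        return -1;
    /* ... protocol-specific code runs later and fetches optlen again ... */
    return get_user_int(optlen);         /* fetch #2: unchecked */
}

/* Single-fetch pattern: copy optlen into kernel memory once and let both
 * the check and the later use refer to that kernel-side copy. */
static int getsockopt_single_fetch(struct user_int *optlen) {
    int len = get_user_int(optlen);      /* the only fetch */
    if (len < 0 || len > OPT_BUF_SIZE)
        return -1;
    return len;                          /* exactly the value that was checked */
}

/* Same racy user value (16 at the check, 4096 afterwards) through both paths. */
static int demo_double_fetch(void) {
    struct user_int racy = { .first_value = 16, .later_value = 4096, .reads = 0 };
    return getsockopt_double_fetch(&racy);   /* 4096: far past the 64-byte buffer */
}
static int demo_single_fetch(void) {
    struct user_int racy = { .first_value = 16, .later_value = 4096, .reads = 0 };
    return getsockopt_single_fetch(&racy);   /* 16: the checked value */
}

int main(void) {
    printf("double fetch uses %d bytes, single fetch uses %d bytes\n",
           demo_double_fetch(), demo_single_fetch());
    return 0;
}
```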