From: Dan Rosenberg <drosenberg@vsecurity.com>
To: chas@cmf.nrl.navy.mil, davem@davemloft.net, kuznet@ms2.inr.ac.ru,
pekkas@netcore.fi, jmorris@namei.org, yoshfuji@linux-ipv6.org,
kaber@trash.net, remi.denis-courmont@nokia.com
Cc: netdev@vger.kernel.org, security@kernel.org
Subject: [SECURITY] Fix leaking of kernel heap addresses via /proc
Date: Sat, 06 Nov 2010 16:11:47 -0400 [thread overview]
Message-ID: <1289074307.3090.100.camel@Dan> (raw)
Maintainers,
I am planning on submitting a series of patches to resolve the leakage
of kernel heap addresses to userspace via network protocol /proc
interfaces. Revealing this information is a bad idea from a security
perspective for a number of reasons, the most obvious of which is it
provides unprivileged users a mechanism by which to create a structure
in the kernel heap containing function pointers, obtain the address of
that structure, and overwrite those function pointers by leveraging
other vulnerabilities. It is my hope that by eliminating this
information leakage, in conjunction with making statically-declared
function pointer tables read-only (to be done in a separate patch
series), we can at least add a small hurdle for the exploitation of a
subset of kernel vulnerabilities.
Here's the list of protocols that I've identified as leaking socket
structure addresses via their /proc interfaces:
atm
ipv4
ipv6
key
netlink
packet
phonet
unix
There may be others, and I will continue looking for more examples, but
this is at least a good start.
Clearly, in most cases we cannot just remove the field from the /proc
output, as this would break a number of userspace programs that rely on
consistency. However, I propose that we replace the address with a "0"
rather than leaking this information.
I'm writing this email before submitting a patch to ask if anyone would
have any objections to this change, and if anyone can foresee anything
breaking as a result of this. Please let me know if you're on board,
have some doubts, or are totally opposed, and I can get this patch ready
for submission.
Thanks,
Dan Rosenberg
next reply other threads:[~2010-11-06 20:11 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-06 20:11 Dan Rosenberg [this message]
2010-11-06 20:50 ` [Security] [SECURITY] Fix leaking of kernel heap addresses via /proc Linus Torvalds
2010-11-06 23:48 ` Ted Ts'o
2010-11-07 21:52 ` Andi Kleen
2010-11-07 22:48 ` Chas Williams (CONTRACTOR)
2010-11-07 23:14 ` Andi Kleen
2010-11-07 23:22 ` Linus Torvalds
2010-11-07 23:29 ` Andi Kleen
2010-11-07 23:27 ` Dan Rosenberg
2010-11-07 23:56 ` Andi Kleen
2010-11-08 2:01 ` David Miller
2010-11-08 7:33 ` Eric Dumazet
2010-11-08 9:43 ` Andi Kleen
2010-11-08 10:14 ` Eric Dumazet
2010-11-06 23:57 ` David Miller
2010-11-07 10:28 ` Oliver Hartkopp
2010-11-07 17:11 ` Ben Hutchings
2010-11-08 1:00 ` Willy Tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1289074307.3090.100.camel@Dan \
--to=drosenberg@vsecurity.com \
--cc=chas@cmf.nrl.navy.mil \
--cc=davem@davemloft.net \
--cc=jmorris@namei.org \
--cc=kaber@trash.net \
--cc=kuznet@ms2.inr.ac.ru \
--cc=netdev@vger.kernel.org \
--cc=pekkas@netcore.fi \
--cc=remi.denis-courmont@nokia.com \
--cc=security@kernel.org \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).