From: Solar Designer <solar@openwall.com>
To: Andi Kleen <ak@suse.de>
Cc: Willy Tarreau <wtarreau@hera.kernel.org>,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH] getsockopt() early argument sanity checking
Date: Sun, 20 Aug 2006 20:16:02 +0400 [thread overview]
Message-ID: <20060820161602.GA20163@openwall.com> (raw)
In-Reply-To: <200608201034.43588.ak@suse.de>
On Sun, Aug 20, 2006 at 10:34:43AM +0200, Andi Kleen wrote:
> In general I don't think it makes sense to submit stuff for 2.4
> that isn't in 2.6.
In general I agree, however right now I had the choice between
submitting these changes for 2.4 first and not submitting them at all
(at least for some months more). I chose the former.
> > The patch makes getsockopt(2) sanity-check the value pointed to by
> > the optlen argument early on. This is a security hardening measure
> > intended to prevent exploitation of certain potential vulnerabilities in
> > socket type specific getsockopt() code on UP systems.
>
> It's not only insufficient on SMP, but even on UP where a thread
> can sleep in get_user and another one can run in this time.
Good point. However, what about this special case? -
We're on UP. sys_getsockopt() does get_user() (due to the patch) and
makes sure that the passed *optlen is sane. Even if this get_user()
sleeps, the value it returns in "len" is what's currently in memory at
the time of the get_user() return (correct?) Then an underlying
*getsockopt() function does another get_user() on optlen (same address),
without doing any other user-space data accesses or anything else that
could sleep first. Is it possible that this second get_user()
invocation would sleep? I think not since it's the same address that
we've just read a value from, we did not leave kernel space, and we're
on UP (so no other processor could have changed the mapping). So the
patch appears to be sufficient for this special case (which is not
unlikely).
Of course, it is possible that I am wrong about some of the above;
please correct me if so.
> If there is really a length checking bug somewhere it needs to be
> fixed in a race-free way.
Indeed, all known bugs need to be fixed properly.
Thanks,
Alexander
next prev parent reply other threads:[~2006-08-20 16:20 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-08-19 23:05 [PATCH] getsockopt() early argument sanity checking Solar Designer
2006-08-19 23:48 ` Willy Tarreau
2006-08-20 0:05 ` Michael Buesch
2006-08-20 0:43 ` Willy Tarreau
2006-08-20 19:44 ` David Miller
2006-08-20 20:35 ` Willy Tarreau
2006-08-20 21:12 ` Arjan van de Ven
2006-08-21 12:09 ` Eugene Teo
2006-08-20 8:34 ` Andi Kleen
2006-08-20 10:15 ` Willy Tarreau
2006-08-20 10:50 ` YOSHIFUJI Hideaki / 吉藤英明
2006-08-20 19:46 ` David Miller
2006-08-20 16:16 ` Solar Designer [this message]
2006-08-20 16:30 ` Arjan van de Ven
2006-08-20 19:47 ` David Miller
2006-08-20 18:38 ` Andi Kleen
2006-08-20 19:45 ` Solar Designer
2006-08-20 19:45 ` David Miller
2006-08-20 18:15 ` Alan Cox
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060820161602.GA20163@openwall.com \
--to=solar@openwall.com \
--cc=ak@suse.de \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=wtarreau@hera.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).