Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 2 Nov 2016 22:30:08 -0400
From: Dave Tian <dave.jing.tian@...il.com>
To: kernel-hardening@...ts.openwall.com
Cc: Adam Sampson <ats@...og.org>
Subject: Re: Legitimate use of /proc/PID/mem,maps and smaps

On Nov 2, 2016, at 8:54 PM, Marian Marinov <mm-l@...u.biz> wrote:
> 
> On 11/02/2016 06:10 PM, Adam Sampson wrote:
>> Marian Marinov <mm-l@...u.biz> writes:
>> 
>>> Are there any other legitimate users of these files, maybe X?
>> This is the kind of question that Debian Code Search is useful for
>> (although it's not exhaustive):
>> https://codesearch.debian.net/search?q=%2Fproc%2Fself%2Fmem&perpkg=1
>> https://codesearch.debian.net/search?q=%2Fproc%2Fself%2Fmaps&perpkg=1
>> https://codesearch.debian.net/search?q=%2Fproc%2Fself%2Fsmaps&perpkg=1
>> 
>> >From my bug-hunting experience, programs use /proc/self/maps for all
>> sorts of weird things -- e.g. working out the full path of the
>> executable, or what version of a shared library they've been linked
>> against, or guessing whether some random value is a valid pointer. Many
>> have embedded copies of code from gettext or BinReloc that uses it.
>> 
>> On the other hand, many of these don't actually need all the information
>> in /proc/self/maps, so you could get away with a simplified version that
>> only had valid filenames.
>> 
> Hmm I probably did not explained what I want. I know I can not (easily)limit a program to access its own memory(that would be stupid).
> 
> Pretend that user joe is running top and his top has pid of 1154. Now joe runs a php script and that script wants to open /proc/1154/maps and so on.
> 
> I believe that the kernel should not allow the php process(even thou it is from the same user to read those files, that are private to the top application). Actually I would like to make them invisible for all processes and users except the program that is the actual owner of the files and privileges users.
> 
> Does that seam logical to you guys?
> 
> 
> Marian


Sounds reasonable. However, this still does not solve the dirty cow case where a thread is able to access its own mem to access whatever shared by the main thread.

-daveti


Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.