Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 24 May 2012 11:07:59 -0500
From: Will Drewry <wad@...omium.org>
To: linux-kernel@...r.kernel.org
Cc: mcgrathr@...gle.com,
	hpa@...or.com,
	indan@....nu,
	netdev@...isplace.org,
	linux-security-module@...r.kernel.org,
	kernel-hardening@...ts.openwall.com,
	mingo@...hat.com,
	oleg@...hat.com,
	peterz@...radead.org,
	rdunlap@...otime.net,
	tglx@...utronix.de,
	luto@....edu,
	serge.hallyn@...onical.com,
	pmoore@...hat.com,
	akpm@...ux-foundation.org,
	corbet@....net,
	markus@...omium.org,
	coreyb@...ux.vnet.ibm.com,
	keescook@...omium.org,
	viro@...iv.linux.org.uk,
	jmorris@...ei.org,
	Will Drewry <wad@...omium.org>
Subject: [RFC PATCH 1/3] seccomp: Don't allow tracers to abuse RET_TRACE

Ensure that consumers of the PTRACE_EVENT_SECCOMP notification
cannot change the system call number for the traced task
without it resulting in the system call being skipped.

Traditionally, tracers will set the system call number to
-1 to skip the system call. This behavior will work as expected
but the tracer will be unable to remap the system call to a valid
system call after the seccomp policy has been evaluated.

Signed-off-by: Will Drewry <wad@...omium.org>
---
 kernel/seccomp.c |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index ee376be..33f0ad6 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -425,6 +425,10 @@ int __secure_computing(int this_syscall)
 			 */
 			if (fatal_signal_pending(current))
 				break;
+			/* Skip the system call if the tracer changed it. */
+			if (this_syscall !=
+			    syscall_get_nr(current, task_pt_regs(current)))
+				goto skip;
 			return 0;
 		case SECCOMP_RET_ALLOW:
 			return 0;
-- 
1.7.9.5

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.