Date: Tue, 24 Jul 2012 16:29:00 +0100
From: Djalal Harouni <tixxdz@...ndz.org>
To: linux-kernel@...r.kernel.org,
	kernel-hardening@...ts.openwall.com,
	Al Viro <viro@...iv.linux.org.uk>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Vasiliy Kulikov <segoon@...nwall.com>,
	WANG Cong <xiyou.wangcong@...il.com>,
	Oleg Nesterov <oleg@...hat.com>,
	Solar Designer <solar@...nwall.com>,
	Kees Cook <keescook@...omium.org>,
	David Rientjes <rientjes@...gle.com>,
	Brad Spengler <spender@...ecurity.net>
Cc: Djalal Harouni <tixxdz@...ndz.org>
Subject: [PATCH v2 0/2] proc: /proc/<pid>/environ offset fixes

Hi,

This is the V2 to correctly check offsets on /proc/<pid>/environ before
reading. This was previously discussed here:
http://lkml.org/lkml/2012/7/22/79

Due to incorrect offset checks, currently one can read from arbitrary
addresses on /proc/<pid>/environ, not only the environment address range,
as shown here (the same thread):
http://lkml.org/lkml/2012/7/22/163

The bug is in environ_read().


That first patch was not complete, as noted by Oleg Nesterov, since even
with positive offsets we can perhaps overflow the address from where to
read the environment variables, or perhaps we can make multiple lseek()
calls with a positive offset set to 0x7fffffff; this will pass the
fs/read_write.c:lseek_execute() checks, and one can make
'mm->env_addr + offset' point to another VMA. This will make
/proc/<pid>/environ act like /proc/<pid>/mem.

The first version removed only negative offsets which, when converted to
unsigned long, overflow 'mm->env_addr + offset', the address from which
to start reading the environment variables, and also pass all the
fs/read_write.c:lseek_execute() and environ_read() checks.

As suggested by Oleg Nesterov this version makes sure to fix the offset
checks, then it removes negative offsets support on /proc/<pid>/environ
since it does not need them.


Thanks to patch 'proc: clean up /proc/<pid>/environ handling'
commit b409e578d9a4ec95913e, this is not a security issue since at
->open() there is the ptrace check and the saving of the current 'mm' for
subsequent operations.


Djalal Harouni (2):
  proc: environ_read() make sure offset points to environment address range
  proc: do not allow negative offsets on /proc/<pid>/environ

 fs/proc/base.c |   22 +++++++++++++---------
  1 files changed, 13 insertions(+), 9 deletions(-)


V2:
 * Added the [PATCH 1/2] to make sure that the offset points to the
   environment address range as suggested by Oleg Nesterov.
 * Updated the [PATCH 2/2] changelog entry since we have added [PATCH 1/2].

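An added example, not part of Djalal's message, the series, or the kernel source: a constructed C model of the two ways to bound the read offset that the cover letter contrasts. The naive variant reproduces the arithmetic the letter describes (unsigned wrap of 'env_start + offset', remaining length held in an int), the hardened variant applies the two checks the series adds (no negative offsets, offset inside the environment range). Struct and type names and all addresses are made up for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model; stand-ins for the kernel's unsigned long and loff_t. */
typedef uint64_t addr_t;
typedef int64_t  off_sim_t;

struct mm_sim {
    addr_t env_start;   /* start of the environment block */
    addr_t env_end;     /* one past its end */
};

/* Naive bound: compute the source address first, then derive the remaining
 * length from it. Returns the address to read from, or 0 when refused. */
static addr_t naive_read_src(const struct mm_sim *mm, off_sim_t ppos)
{
    addr_t src  = (addr_t)ppos;             /* signed offset -> unsigned */
    addr_t from = mm->env_start + src;      /* may wrap past the range */
    uint32_t low = (uint32_t)(mm->env_end - from);
    /* two's-complement truncation of the remaining length to a 32-bit int */
    int64_t this_len = (int64_t)low - ((low & 0x80000000u) ? ((int64_t)1 << 32) : 0);
    if (this_len <= 0)
        return 0;                           /* "nothing left to read" */
    return from;                            /* may lie outside [env_start, env_end) */
}

/* Hardened bound: reject negative offsets and anything at or past the end
 * of the environment before doing any address arithmetic. */
static addr_t checked_read_src(const struct mm_sim *mm, off_sim_t ppos)
{
    addr_t env_len = mm->env_end - mm->env_start;
    if (ppos < 0 || (addr_t)ppos >= env_len)
        return 0;
    return mm->env_start + (addr_t)ppos;    /* always inside the range */
}

int main(void)
{
    /* made-up 4 KiB environment block */
    const struct mm_sim mm = { 0x7fff12345000ULL, 0x7fff12346000ULL };
    const off_sim_t offsets[] = { 0x100, -0x1000, 0x10000, 0x100000800LL };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++)
        printf("offset %lld: naive -> %#llx, checked -> %#llx\n",
               (long long)offsets[i],
               (unsigned long long)naive_read_src(&mm, offsets[i]),
               (unsigned long long)checked_read_src(&mm, offsets[i]));
    return 0;
}
```

The negative offset and the offset just past 4 GiB both slip through the naive length test with a source address outside the environment, while the hardened check refuses them and accepts only in-range offsets.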