Date: Fri, 3 Feb 2017 15:44:28 -0800 From: Kees Cook <keescook@...gle.com> To: Xing Gao <xgao01@...il.wm.edu> Cc: LKML <linux-kernel@...r.kernel.org>, Thomas Gleixner <tglx@...utronix.de>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, Jessica Frazelle <me@...sfraz.com>, "Eric W. Biederman" <ebiederm@...ssion.com> Subject: Re: /proc/timer_list leaks the real pids of the associated processes On Fri, Feb 3, 2017 at 2:29 PM, Xing Gao <xgao01@...il.wm.edu> wrote: > Dear Thomas and Kees, > > I posted a bug report on bugzilla, and John asked me to send it the lkml. > > Here is the link, https://bugzilla.kernel.org/show_bug.cgi?id=193921 > > Please cc to me when you reply this email. > > And please check the information below. > > The pseudo file /proc/timer_list leaks the real pids of the associated > processes. > > The function print_timer(kernel/time/timer_list.c) displays > timer->start_pid, which is set inside the function > __timer_stats_timer_set_start_info (kernel/time/timer.c). This is the real > pid, rather than the pid in the pid namespace. If the user within a > container retrieves the content of /proc/timer_list, this file will leak the > real pid of the associated process. I feel like this has been pointed out before, but I can't find the email about it. Regardless, yeah, this looks true: SEQ_printf(m, ", %s/%d", tmp, timer->start_pid); #11: <0000000000000000>, hrtimer_wakeup, S:01, do_nanosleep, cron/2570 Seems like this should be made namespace aware... (and why is this file needed at all? Seems like it should live in debugfs not proc). -Kees -- Kees Cook Pixel Security
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.