Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 3 Feb 2017 15:44:28 -0800
From: Kees Cook <keescook@...gle.com>
To: Xing Gao <xgao01@...il.wm.edu>
Cc: LKML <linux-kernel@...r.kernel.org>, Thomas Gleixner <tglx@...utronix.de>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, Jessica Frazelle <me@...sfraz.com>, 
	"Eric W. Biederman" <ebiederm@...ssion.com>
Subject: Re: /proc/timer_list leaks the real pids of the associated processes

On Fri, Feb 3, 2017 at 2:29 PM, Xing Gao <xgao01@...il.wm.edu> wrote:
> Dear Thomas and Kees,
>
> I posted a bug report on bugzilla, and John asked me to send it the lkml.
>
> Here is the link, https://bugzilla.kernel.org/show_bug.cgi?id=193921
>
> Please cc to me when you reply this email.
>
> And please check the information below.
>
> The pseudo file /proc/timer_list leaks the real pids of the associated
> processes.
>
> The function print_timer(kernel/time/timer_list.c) displays
> timer->start_pid, which is set inside the function
> __timer_stats_timer_set_start_info (kernel/time/timer.c). This is the real
> pid, rather than the pid in the pid namespace. If the user within a
> container retrieves the content of /proc/timer_list, this file will leak the
> real pid of the associated process.

I feel like this has been pointed out before, but I can't find the
email about it. Regardless, yeah, this looks true:

        SEQ_printf(m, ", %s/%d", tmp, timer->start_pid);

 #11: <0000000000000000>, hrtimer_wakeup, S:01, do_nanosleep, cron/2570

Seems like this should be made namespace aware... (and why is this
file needed at all? Seems like it should live in debugfs not proc).

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.