summaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorVasiliy Kulikov <segoon@openwall.com>2011-11-02 21:38:44 +0100
committerLinus Torvalds <torvalds@linux-foundation.org>2011-11-03 00:07:00 +0100
commitaa6afca5bcaba8101f3ea09d5c3e4100b2b9f0e5 (patch)
treed8a6fec9d15cbaf37513a18666f5611aa7cb7a83 /lib
parentprocfs: report EISDIR when reading sysctl dirs in proc (diff)
downloadlinux-aa6afca5bcaba8101f3ea09d5c3e4100b2b9f0e5.tar.xz
linux-aa6afca5bcaba8101f3ea09d5c3e4100b2b9f0e5.zip
proc: fix races against execve() of /proc/PID/fd**
fd* files are restricted to the task's owner, and other users may not get direct access to them. But one may open any of these files and run any setuid program, keeping opened file descriptors. As there are permission checks on open(), but not on readdir() and read(), operations on the kept file descriptors will not be checked. It makes it possible to violate procfs permission model. Reading fdinfo/* may disclosure current fds' position and flags, reading directory contents of fdinfo/ and fd/ may disclosure the number of opened files by the target task. This information is not sensible per se, but it can reveal some private information (like length of a password stored in a file) under certain conditions. Used existing (un)lock_trace functions to check for ptrace_may_access(), but instead of using EPERM return code from it use EACCES to be consistent with existing proc_pid_follow_link()/proc_pid_readlink() return code. If they differ, attacker can guess what fds exist by analyzing stat() return code. Patched handlers: stat() for fd/*, stat() and read() for fdindo/*, readdir() and lookup() for fd/ and fdinfo/. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Cc: Cyrill Gorcunov <gorcunov@gmail.com> Cc: <stable@kernel.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'lib')
0 files changed, 0 insertions, 0 deletions