oss-sec mailing list archives
Re: [Security] CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC)
From: Linus Torvalds <torvalds () linux-foundation org>
Date: Tue, 28 Jun 2011 17:49:24 -0700
On Tue, Jun 28, 2011 at 5:12 PM, Linus Torvalds <torvalds () linux-foundation org> wrote:
If rounding the counts to a 1k granularity will indeed defeat the attack (I'm unsure) then I'd suggest that a fix would be to perform that fuzzification if the receiving process doesn't have suitable permissions. So if the user is reading his own stats or is root, he still gets byte-resolution results. This keeps the stats as useful as we can make them and reduces the back-compatibility damage.Sure.
Actually, due to the whole netlink thing, it's not obvious who the data goes to, so I think the taskstats interface simply needs to round unconditionally. If you want the exact thing, you can use /proc/<pid>/io, which now does the security checking as per Vasiliy. So some patch like the appended? Vasiliy, this is different from your 2/2, but it's simpler and I think sufficient. And shouldn't break iotop. What do you think? I agree that it's not perfect, but it seems to be sufficient at least for the particular passwd attack, no? Or is there some way you can fool sshd to read some other user-supplied data so that you can trick it into giving multiple values that you control, and thus see exactly when the IO counts overflow.. Linus
Attachment:
patch.diff
Description:
Current thread:
- taskstats authorized_keys presence infoleak PoC Vasiliy Kulikov (Jun 21)
- Re: taskstats authorized_keys presence infoleak PoC Josh Bressers (Jun 21)
- Re: taskstats authorized_keys presence infoleak PoC Vasiliy Kulikov (Jun 21)
- CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) Vasiliy Kulikov (Jun 24)
- Re: CVE request: kernel: taskstats/procfs io infoleak Vasiliy Kulikov (Jun 25)
- Re: CVE request: kernel: taskstats/procfs io infoleak Eugene Teo (Jun 26)
- Re: [Security] CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) Linus Torvalds (Jun 26)
- Re: [Security] CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) Andrew Morton (Jun 28)
- Re: [Security] CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) Linus Torvalds (Jun 28)
- Re: [Security] CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) Linus Torvalds (Jun 28)
- Re: [Security] CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) Vasiliy Kulikov (Jun 29)
- Re: [Security] CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) Vasiliy Kulikov (Jun 29)
- Re: [Security] CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) Vasiliy Kulikov (Jun 29)
- Re: [Security] CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) Linus Torvalds (Jun 29)
- Re: [Security] CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) Vasiliy Kulikov (Jun 29)
- Re: [Security] CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) Vasiliy Kulikov (Jun 29)
- Re: [Security] CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) Vasiliy Kulikov (Jun 29)
- Re: taskstats authorized_keys presence infoleak PoC Josh Bressers (Jun 21)
- Re: CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) Josh Bressers (Jun 28)
- Re: CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) Eugene Teo (Jun 28)