Re: [PATCH] Enable writing to /proc/PID/mem.

From: Al Viro
Date: Thu Mar 03 2011 - 14:46:51 EST

Next message: Hans Nieser: "Re: Mass udp flow reboot linux with RealTek RTL-8169 Gigabit"
Previous message: Stephen Wilson: "Re: [PATCH] Enable writing to /proc/PID/mem."
In reply to: Stephen Wilson: "Re: [PATCH] Enable writing to /proc/PID/mem."
Next in thread: Stephen Wilson: "Re: [PATCH] Enable writing to /proc/PID/mem."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Mar 03, 2011 at 02:38:02PM -0500, Stephen Wilson wrote:
> > I haven't found any problem in this patch. But, I really believe we need
> > to understand why it was marked "security hazard". Al, I guess you know it,
> > right? So, can you please talk us your mention?
>
> I did a bit more digging trying to find why mem_write was marked a security
> hazard.
>
> It goes back to 2.4.0-test10pre4. Unfortunately, the changelog entry is
> not at all informative either:
>
> - disable writing to /proc/xxx/mem. Sure, it works now, but it's
> still a security risk.

Think what happens if the target execs suid-root binary in the middle of your
call. After you've done your check. E.g. during copy_from_user().

On the read side we actually recheck permissions after having copied into
buffer and if the check fails we don't copy that buffer into userland.
Not feasible on the write side...
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Hans Nieser: "Re: Mass udp flow reboot linux with RealTek RTL-8169 Gigabit"
Previous message: Stephen Wilson: "Re: [PATCH] Enable writing to /proc/PID/mem."
In reply to: Stephen Wilson: "Re: [PATCH] Enable writing to /proc/PID/mem."
Next in thread: Stephen Wilson: "Re: [PATCH] Enable writing to /proc/PID/mem."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]