From: Philipp Reisner <philipp.reisner@linbit.com>
To: Greg KH <greg@kroah.com>
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	Andrew Morton <akpm@linux-foundation.org>,
	"David S. Miller" <davem@davemloft.net>,
	dm-devel@redhat.com, Evgeniy Polyakov <zbr@ioremap.net>,
	linux-fbdev-devel@lists.sourceforge.net
Subject: Re: [PATCH 0/8] SECURITY ISSUE with connector
Date: Fri, 2 Oct 2009 17:54:12 +0200
Message-ID: <200910021754.12940.philipp.reisner@linbit.com>
In-Reply-To: <20091002135859.GA9383@kroah.com>

> On Fri, Oct 02, 2009 at 02:40:03PM +0200, Philipp Reisner wrote:
> > Affected: All code that uses connector, in kernel and out of mainline
> >
> > The connector, as it is today, does not allow the in kernel receiving
> > parts to do any checks on privileges of a message's sender.
>
> So, assume I know nothing about the connector architecture, what does
> this mean in a security context?
>

Think of the connector as a layer on top of netlink that allows more
than a hard coded number of subsystems to use netlink.

Netlink is used e.g. to modify routing tables in the kernel.

As it is today, a subsystem utilising the connector cannot examine
the capabilities of the user/program that sent the netlink message.

If the same would be true for netlink, then every unprivileged user
could change the routing tables on your box.

> > I know, there are not many out there that like connector, but as
> > long as it is in the kernel, we have to fix the security issues it has!
>
> And what specifically are the security issues?
>

Unprivileged users can trigger operations that are supposed to be only
accessible to users having CAP_SYS_ADMIN (or some other CAP_XXX).

> > Please either drop connector, or someone who feels a bit responsible
> > and has our beloved dictator's blessing, PLEASE PLEASE PLEASE take
> > this into your tree, and send the pull request to Linus.
> >
> > Patches 1 to 4 are already Acked-by Evgeny, the connector's maintainer.
> > Patches 5 to 7 are the obvious fixes to the connector user's code.
>
> Obvious in what way?
>

They limit processing of connector/netlink messages in these subsystems
to messages sent from root (or some user having CAP_SYS_ADMIN).

That is obvious for dst, because device setup and destruction is done by
connector messages.

This is obvious for pohmelfs because these connector messages are
used there to change some configuration.

This is obvious for uvesafb because the connector messages are used
there to delegate some video bios emulation to userspace.

Last but not least, dm's dirty logging in user space should be immune to
some crafted netlink packets sent by some unprivileged user.

Patches 1 to 4 fix the framework, should be merged as soon as possible.

Patches 5 to 8 (not 7) should probably be blessed by the affected
subsystem's maintainers. I think I have put all on CC. 

HTH.

-phil
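
A userspace C model of the point made in the message above, added here as an example and not taken from the patch series or the kernel: a callback can only enforce CAP_SYS_ADMIN if the dispatching framework hands it the sender's credentials. The `model_*` and `cb_*` names, the message layout and the `pass_creds` switch are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_CAP_SYS_ADMIN 21  /* bit number of CAP_SYS_ADMIN in <linux/capability.h> */
enum { OP_CREATE_DEV = 1 };     /* hypothetical privileged operation */

struct model_sender { uint32_t pid; uint64_t eff_caps; }; /* sender credentials */
struct model_msg    { uint32_t idx, val, op; };           /* hypothetical message layout */
typedef int (*model_cb)(const struct model_msg *, const struct model_sender *);

static int devices;             /* state only a privileged sender should change */

/* Callback written against a framework that gives it no credentials. */
static int cb_unchecked(const struct model_msg *m, const struct model_sender *s)
{
    (void)s;
    if (m->op == OP_CREATE_DEV) devices++;
    return 0;
}

/* Callback that checks the sender first and fails closed without credentials. */
static int cb_checked(const struct model_msg *m, const struct model_sender *s)
{
    if (!s || !(s->eff_caps & (1ULL << MODEL_CAP_SYS_ADMIN)))
        return -EPERM;
    if (m->op == OP_CREATE_DEV) devices++;
    return 0;
}

static const struct { uint32_t idx, val; model_cb cb; } table[] = {
    { 1, 1, cb_unchecked },
    { 2, 1, cb_checked },
};

/* pass_creds == 0 models a framework that drops the sender information
 * before calling the subsystem; pass_creds == 1 models one that forwards it. */
int model_deliver(const struct model_msg *m, const struct model_sender *s, int pass_creds)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].idx == m->idx && table[i].val == m->val)
            return table[i].cb(m, pass_creds ? s : NULL);
    return -ENOENT;
}
int model_devices(void) { return devices; }
int main(void)
{
    struct model_sender user = { 1000, 0 };          /* constructed sample sender */
    struct model_msg m = { 2, 1, OP_CREATE_DEV };    /* constructed sample message */
    printf("unprivileged sender -> %d\n", model_deliver(&m, &user, 1));
    return 0;
}
```

With `pass_creds` set to 0, `cb_checked` has nothing to inspect and can only refuse every sender, which is why the framework has to change before the per-subsystem checks can work.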

Thread overview: 38+ messages
2009-10-02 12:40 [PATCH 0/8] SECURITY ISSUE with connector Philipp Reisner
2009-10-02 12:40 ` [PATCH 1/8] connector: Keep the skb in cn_callback_data Philipp Reisner
2009-10-02 12:40   ` [PATCH 2/8] connector: Provide the sender's credentials to the callback Philipp Reisner
2009-10-02 12:40     ` [PATCH 3/8] connector/dm: Fixed a compilation warning Philipp Reisner
2009-10-02 12:40       ` [PATCH 4/8] connector: Removed the destruct_data callback since it is always kfree_skb() Philipp Reisner
2009-10-02 12:40         ` [PATCH 5/8] dm/connector: Only process connector packages from privileged processes Philipp Reisner
2009-10-02 12:40           ` [PATCH 6/8] dst/connector: Disallow unpliviged users to configure dst Philipp Reisner
2009-10-02 12:40             ` [PATCH 7/8] pohmelfs/connector: Disallow unpliviged users to configure pohmelfs Philipp Reisner
2009-10-02 12:40               ` [PATCH 8/8] uvesafb/connector: Disallow unpliviged users to send netlink packets Philipp Reisner
2009-10-02 16:40           ` [PATCH 5/8] dm/connector: Only process connector packages from privileged processes Jonathan Brassow
2009-10-02 13:58 ` [PATCH 0/8] SECURITY ISSUE with connector Greg KH
2009-10-02 15:54   ` Philipp Reisner [this message]
2009-10-02 15:54     ` Philipp Reisner
2009-10-02 16:10     ` Greg KH
2009-10-02 16:10       ` Greg KH
2009-10-02 16:57     ` David Miller
2009-10-02 16:57       ` David Miller
2009-10-02 16:21   ` Lars Ellenberg
2009-10-02 16:21     ` Lars Ellenberg
2009-10-02 17:56 ` David Miller
2009-10-02 18:00   ` Greg KH
2009-10-02 18:05     ` David Miller
2009-10-02 18:05       ` David Miller
2009-10-02 18:15       ` Greg KH
2009-10-04 10:24 ` Evgeniy Polyakov
2009-10-04 10:24   ` Evgeniy Polyakov
2009-10-09 22:25 ` Greg KH
2009-10-09 22:25   ` Greg KH
2009-10-13  9:28   ` [PATCH 0/7] SECURITY ISSUE with connector for 2.6.31.y Philipp Reisner
2009-10-13  9:28     ` [PATCH 1/7] connector: Keep the skb in cn_callback_data Philipp Reisner
2009-10-13  9:28       ` [PATCH 2/7] connector: Provide the sender's credentials to the callback Philipp Reisner
2009-10-13  9:28         ` [PATCH 3/7] connector: Removed the destruct_data callback since it is always kfree_skb() Philipp Reisner
2009-10-13  9:28           ` [PATCH 4/7] dm/connector: Only process connector packages from privileged processes Philipp Reisner
2009-10-13  9:28             ` [PATCH 5/7] dst/connector: Disallow unpliviged users to configure dst Philipp Reisner
2009-10-13  9:28               ` [PATCH 6/7] pohmelfs/connector: Disallow unpliviged users to configure pohmelfs Philipp Reisner
2009-10-13  9:28                 ` [PATCH 7/7] uvesafb/connector: Disallow unpliviged users to send netlink packets Philipp Reisner
2009-10-13 16:25     ` [PATCH 0/7] SECURITY ISSUE with connector for 2.6.31.y Serge E. Hallyn
2009-10-15 18:29     ` Greg KH
