From: Artur Skawina <art_k@o2.pl>
To: gcc@gcc.gnu.org, linux-kernel@vger.kernel.org
Subject: Re: RELEASE BLOCKER: Linux doesn't follow x86/x86-64 ABI wrt direction flag
Date: Thu, 06 Mar 2008 22:37:55 +0100 [thread overview]
Message-ID: <47D06433.1010502@o2.pl> (raw)
In-Reply-To: <20080306201633.GM27983@randombit.net>
Jack Lloyd wrote:
> But still: so the threat here is of a malicious process with the
> ability to send arbitrary signals to any process using CAP_KILL (since
> in any other case when a process can send a signal, it can do much
> more damage in other ways), which could leverage that into
> (potentially) uid==0 using misexecuted code in a signal handler.
>
> As a correctness issue, obviously this should be fixed/patched around,
> if feasible. But as a security flaw? I'm not seeing much that is
> compelling.
>
>> 2) sometimes setuid programs send signals (e.g. SIGHUP or SIGUSR1)
>
> I don't understand how this is a problem - unless these setuid
> programs, while not malicious, can be tricked into signalling a
> process they did not intend to. (In which case they already have a
> major bug, df bit being cleared or not).
think apps keeping crypto keys etc in ram and wiping them from signal
handlers. eg gnupg does this; fortunately it seems to have moved from
memset() to a open coded solution, so probably isn't affected. OTOH
it wouldn't surprise me these days if the compiler would emit string
ops even w/o an explicit mem* call.
Copying a private memory region to some public buffer could also lead
to interesting results...
IOW being able to avoid a memset (or copying the wrong data) certainly
could have security consequences.
artur
next prev parent reply other threads:[~2008-03-06 21:38 UTC|newest]
Thread overview: 98+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-03-05 15:30 Linux doesn't follow x86/x86-64 ABI wrt direction flag Aurelien Jarno
2008-03-05 16:00 ` H. Peter Anvin
2008-03-05 19:58 ` Joe Buck
2008-03-05 20:23 ` Aurelien Jarno
2008-03-05 20:38 ` Michael Matz
2008-03-05 20:42 ` Joe Buck
2008-03-05 20:49 ` Jan Hubicka
2008-03-05 21:02 ` Michael Matz
2008-03-05 21:20 ` RELEASE BLOCKER: " Joe Buck
2008-03-05 21:32 ` Richard Guenther
2008-03-05 21:34 ` H. Peter Anvin
2008-03-05 21:40 ` Richard Guenther
2008-03-05 22:16 ` David Miller
2008-03-05 22:37 ` Joe Buck
2008-03-05 22:51 ` Michael Matz
2008-03-05 22:58 ` H. Peter Anvin
2008-03-05 23:07 ` Michael Matz
2008-03-05 23:10 ` David Miller
2008-03-05 23:16 ` Joe Buck
2008-03-05 23:12 ` Olivier Galibert
2008-03-05 21:43 ` Joe Buck
2008-03-05 21:44 ` Richard Guenther
[not found] ` <738B72DB-A1D6-43F8-813A-E49688D05771@apple.com>
2008-03-05 21:59 ` Michael Matz
2008-03-05 22:13 ` Adrian Bunk
2008-03-05 22:21 ` David Miller
2008-03-05 23:13 ` Olivier Galibert
2008-03-06 0:36 ` Chris Lattner
2008-03-06 0:47 ` H. Peter Anvin
[not found] ` <578FCA7D-D7A6-44F6-9310-4A97C13CDCBE@apple.com>
2008-03-06 1:12 ` H. Peter Anvin
2008-03-06 9:17 ` Jakub Jelinek
2008-03-06 13:51 ` Olivier Galibert
2008-03-06 14:03 ` Paolo Bonzini
2008-03-06 14:12 ` Olivier Galibert
2008-03-06 14:15 ` Andrew Haley
2008-03-06 17:58 ` Joe Buck
2008-03-06 18:10 ` Olivier Galibert
2008-03-06 18:13 ` Paolo Bonzini
2008-03-06 18:31 ` Jack Lloyd
2008-03-06 18:35 ` Andrew Pinski
2008-03-06 19:44 ` Paolo Bonzini
2008-03-06 19:43 ` Paolo Bonzini
2008-03-06 20:16 ` Jack Lloyd
2008-03-06 21:37 ` Artur Skawina [this message]
2008-03-06 15:09 ` Robert Dewar
2008-03-06 15:37 ` NightStrike
2008-03-06 15:43 ` H.J. Lu
2008-03-06 15:50 ` H. Peter Anvin
2008-03-06 16:23 ` Jakub Jelinek
2008-03-06 16:27 ` İsmail Dönmez
2008-03-06 16:58 ` H.J. Lu
2008-03-06 17:06 ` H. Peter Anvin
2008-03-06 17:14 ` H.J. Lu
2008-03-06 17:17 ` H. Peter Anvin
2008-03-06 17:34 ` H.J. Lu
2008-03-06 19:35 ` Robert Dewar
2008-03-06 17:18 ` Robert Dewar
2008-03-06 17:19 ` H. Peter Anvin
2008-03-06 19:25 ` Robert Dewar
2008-03-06 20:37 ` H. Peter Anvin
2008-03-07 8:28 ` Florian Weimer
2008-03-07 8:00 ` Andreas Jaeger
2008-03-06 15:57 ` Robert Dewar
2008-03-06 16:29 ` Paolo Bonzini
2008-03-06 17:18 ` H. Peter Anvin
2008-03-06 16:14 ` Artur Skawina
2008-03-06 0:49 ` Aurelien Jarno
2008-03-05 22:05 ` H. Peter Anvin
2008-03-06 2:11 ` Krzysztof Halasa
2008-03-06 8:44 ` Andi Kleen
2008-03-06 9:01 ` Jakub Jelinek
2008-03-06 15:20 ` H. Peter Anvin
2008-03-05 21:45 ` Aurelien Jarno
2008-03-05 21:43 ` Andrew Pinski
2008-03-05 21:43 ` Michael Matz
2008-03-05 22:12 ` Joe Buck
2008-03-05 22:17 ` David Miller
2008-03-05 23:17 ` Olivier Galibert
2008-03-05 23:21 ` David Daney
2008-03-06 14:06 ` Olivier Galibert
2008-03-08 19:10 ` Alexandre Oliva
2008-03-05 21:07 ` H. Peter Anvin
2008-03-05 20:44 ` H. Peter Anvin
2008-03-05 20:52 ` Aurelien Jarno
2008-03-05 21:23 ` David Miller
2008-03-06 9:53 ` Andrew Haley
2008-03-06 11:45 ` Andi Kleen
2008-03-06 12:06 ` Richard Guenther
2008-03-06 17:34 ` Joe Buck
2008-03-06 20:54 ` Richard Guenther
2008-03-06 20:56 ` H. Peter Anvin
2008-03-06 22:06 ` Andi Kleen
2008-03-07 4:56 ` Chris Lattner
2008-03-07 14:09 ` Michael Matz
2008-03-06 9:45 ` Mikael Pettersson
2008-03-05 16:56 ` H.J. Lu
2008-03-05 18:14 ` [PATCH] x86: Clear DF before calling signal handler Aurelien Jarno
2008-03-05 18:17 ` H. Peter Anvin
2008-03-06 9:21 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47D06433.1010502@o2.pl \
--to=art_k@o2.pl \
--cc=gcc@gcc.gnu.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).