[Users] 2.6.18-194.8.1.el5.028stab070.2 (was: [Announce] New kernel released: RHEL5 testing 2.6.18-194.8.1.el5 028stab070.2)

Solar Designer solar at openwall.com
Sat Jul 10 15:32:13 EDT 2010 

Kir,

Since you set Reply-To on these announcements to point to the users
list, I thought I'd reply in public. ;-)

On Sat, Jul 10, 2010 at 07:37:11PM +0400, Kir Kolyshkin wrote:
> OpenVZ project has released an updated RHEL5 based
> testing kernel. Read below for more information.

Thank you for starting to make these kernels available - this is helpful
for our project.

> Since 028stab069.6:
> * Rebased to 194.8.1.el5 kernel (security fixes, see links below)
> * Fixed some memory leaks in timer and ipv4 code
> * Added dummy /proc/sys/kernel/hotplug file to CTs to make udev happy
> * Backported support for /proc/*/stack to query task's stack trace
> * Fixed a set of bugs in bonding driver
> * A compilation fix (#1425)

I've interdiff'ed 069.6 vs. 070.2 and looked through the changes.  Here
are a few curious ones I spotted, which were not clear from the list
above and from the Red Hat advisory and CVEs:

--- linux-2.6.18.ovz/fs/ioprio.c	2010-05-29 12:46:59.000000000 +0400
+++ linux-2.6.18.ovz/fs/ioprio.c	2010-07-08 20:01:52.000000000 +0400
@@ -92,7 +92,7 @@
 			if (!who)
 				p = current;
 			else
-				p = find_task_by_pid_all(who);
+				p = find_task_by_pid_ve(who);
 			if (p)
 				ret = set_task_ioprio(p, ioprio);
 			break;

This could have been nasty, but this is sys_ioprio_set(), which starts with:

	if (!ve_is_super(get_exec_env()))
		return -EPERM;

So I guess we were OK either way?

diff -u linux-2.6.18.ovz/fs/proc/base.c linux-2.6.18.ovz/fs/proc/base.c
--- linux-2.6.18.ovz/fs/proc/base.c	2010-05-29 12:46:59.000000000 +0400
+++ linux-2.6.18.ovz/fs/proc/base.c	2010-07-08 20:01:52.000000000 +0400
[...]
@@ -260,6 +262,9 @@
 #ifdef CONFIG_TASK_IO_ACCOUNTING
 	E(PROC_TGID_IO,             "io",  S_IFREG|S_IRUGO),
 #endif
+#ifdef CONFIG_STACKTRACE_PROC
+	E(PROC_TGID_STACK,     "stack",   S_IFREG|S_IRUGO),
+#endif
 
 	{0,0,NULL,0}
 };
@@ -307,6 +312,9 @@
 #ifdef CONFIG_TASK_IO_ACCOUNTING
 	E(PROC_TID_IO,         "io",      S_IFREG|S_IRUGO),
 #endif
+#ifdef CONFIG_STACKTRACE_PROC
+	E(PROC_TID_STACK,      "stack",   S_IFREG|S_IRUGO),
+#endif
 
 	{0,0,NULL,0}
 };

S_IRUGO looks risky.  For the stack, it could mean ASLR bypass and
infoleaks.  For I/O, it could mean subtle infoleaks (via precise timing
of I/O stats changes).  Luckily, for the stack this is dealt with:

@@ -587,6 +595,43 @@
 }
 #endif /* CONFIG_KALLSYMS */
 
+static int proc_pid_stack(struct task_struct *task, char *buffer)
+{
+	struct stack_trace trace;
+	unsigned long *entries;
+	int i, ret = 0;
+
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;

Yet it'd feel cleaner to restrict the perms.

For I/O, the issue appears to be there (I did not check for it on a
running kernel, though).

I recommend that you harden the perms on both kinds of /proc entries.
Of course, this is not OpenVZ-specific.

diff -u linux-2.6.18.ovz/kernel/sysctl.c linux-2.6.18.ovz/kernel/sysctl.c
--- linux-2.6.18.ovz/kernel/sysctl.c	2010-05-29 12:47:01.000000000 +0400
+++ linux-2.6.18.ovz/kernel/sysctl.c	2010-07-08 20:01:52.000000000 +0400
@@ -635,8 +635,10 @@
 		.data		= &uevent_helper,
 		.maxlen		= UEVENT_HELPER_PATH_LEN,
 		.mode		= 0644,
-		.proc_handler	= &proc_dostring,
-		.strategy	= &sysctl_string,
+		.proc_handler	= &proc_dostring_ve_immutable,
+		.strategy	= &sysctl_string_ve_immutable,
+		.extra1		= "",
+		.virt_handler	= 1,
 	},
 #endif
 #ifdef CONFIG_CHR_DEV_SG

What was the impact of not doing it before?

Thanks again,

Alexander

More information about the Users mailing list