On Mon, Jul 16, 2018 at 12:03:39AM +0200, Ingo Molnar wrote: > > * Jann Horn <ja...@google.com> wrote: > > > - A malicious user can pass an arbitrary file to a setuid binary as > > stdin/stdout/stderr. When the setuid binary (expecting stdin/stdout to > > be something normal, like a proper file or a pipe) then calls read(0, > > <buf>, <len>), if the kernel disregards the length argument and writes > > beyond the end of the buffer, it can corrupt adjacent userspace data, > > potentially allowing a user to escalate their privileges; a write > > handler is somewhat less interesting because it can probably (as in > > this case) only leak out-of-bounds data from the caller, not corrupt > > it, but it's still a concern in theory. > > BTW., a naive question: would it make sense to simply disallow 'special' > fds to be passed to setuid binaries, and fix any user-space that breaks? > (i.e. only allow regular files and pipes/sockets.)
*Ugh* You do realize that there's a lot of magical mystery shite that looks like regular files? And what's wrong with directories, BTW? While we are at it, "passed" in which sense? Via SCM_RIGHTS? Those are only get accepted if recepient explicitly asks for those - simple read() or recv() will have them quietly discarded, special or not. And if it's "inherit over execve()"... Your definition *will* break. Instantly. Right as you try to run su or sudo, with stdin/stdout/stderr all going to a character device. Terminal, that is. Frankly, something like copyin_limited(buf, len, kbuf, size) and several similar helpers would be a lot more productive than open-coding these checks over and over or trying to come up with definitions of "special" that would work. BTW, what's the point open-coding if (sscanf(line, "base=%ull size=%ull type=%s", &base, &size, &type) != 3) return -EINVAL; if ((base & 0xfff) || (size & 0xfff)) return -EINVAL; i = match_string(mtrr_strings, MTRR_NUM_TYPES, type); if (i < 0) return i; as if (strncmp(line, "base=", 5)) return -EINVAL; base = simple_strtoull(line + 5, &ptr, 0); ptr = skip_spaces(ptr); if (strncmp(ptr, "size=", 5)) return -EINVAL; size = simple_strtoull(ptr + 5, &ptr, 0); if ((base & 0xfff) || (size & 0xfff)) return -EINVAL; ptr = skip_spaces(ptr); if (strncmp(ptr, "type=", 5)) return -EINVAL; ptr = skip_spaces(ptr + 5); i = match_string(mtrr_strings, MTRR_NUM_TYPES, ptr); if (i < 0) return i; Saving the copying of 'type' (which we need since '%n' is declared useless)?