[patch] lockf(3) user-exploitable kernel panic
Devon H. O'Dell
dodell at sitetronics.com
Wed Apr 14 04:54:47 PDT 2004
Jilles Tjoelker wrote:
> e) add a line 'struct proc;' to sys/ucred.h
Thanks for this suggestion; I wasn't aware that this was reasonably
possible from an architectural standpoint.
>>3) Does this work justify my going through the modified files and doing
>>style(9) changes on them? I'm willing to do this; mux@ has encouraged
>>it; style(9) suggests that I do it if my code comprises 50% or more of
>>the new files (which it doesn't). Again, if this is useful, I'll
>>certainly do this.
>
>
> Some of the files have a mixture of K&R-style and ANSI function
> definitions.
I'll look into implementing style(9) changes then. I know my patch fails
a style(9) check in some contexts, so I'll go a general cleanup as well.
>>8) Are any of the modifications I've made too intrusive to the
>>[proc|advlock|rlimit|sysctl] subsystem(s)?
>
>
> Rather a lot of functions and programs (setusercontext(3) in libutil,
> limits(1), rlimit-related builtins in all shells) have knowledge of all
> the rlimits built into them. This is already a bit of a problem, for
> example bash doesn't support the socket buffer size rlimit. Also note
> that those programs often use single letters for the rlimits.
My fix for sh's builtin(1) ulimit feature does implement a single letter
feature for limiting locks. In my reading of the sh ulimit code, I saw
that these limits are really not dynamic at all... one is thus unable to
create a generic interface for use in all shells, although it appears
that libutil tries to provide this interface. It's a pity that it's not
used in the contexts it should be.
>>9) What (extra) suggestions would you have for my patches for relevant
>>manpages?
>
>
>>10) Have I missed any userland utilities that don't use libutil to
>>check/set classes/limits (perhaps there are some in ports that I can
>>patch as well)?
>
>
> limits(1), all shells.
sh has been fixed. I was under the impression that csh used libutil for
this (libutil has been fixed). I'll take a deeper look into shells in
base and in ports and figure out what changes I need to make there.
While I'm at it, I don't think it'd be a bad idea to go ahead and build
in the RLIMIT_SBSIZE to bash and bash2.
I'm not entirely sure what information I need to list in all the
manpages, but I'll get that sorted out.
>>This patch is against April 13th -CURRENT but backporting it is very
>>simple since the main affected subsystem doesn't change much
>>architecturally / structurally. However, this also brings into light
>>that this problem may also affect the other BSDs (Dragonfly, Net, Open,
>>Ekko). I cannot verify this as I do not have much experience with these
>>other BSDs and do not know if they impose any limits on the amount of
>>kernel memory a user can have or any other limits which would disallow
>>this to exploit to ``work''. Should they be affected, what do I need to
>>do to alert them of this?
>
>
> Limiting the number of locked regions is not uncommon, e.g. Solaris does
> it (the manpage seems to indicate a per-system limitation only, though).
>
> Interesting part from Linux getrlimit(2) manpage:
> RLIMIT_LOCKS
> A limit on the combined number of flock() locks and fcntl()
> leases that this process may establish (Linux 2.4 and later).
>
> Per-user instead of per-process limits are harder to implement but
> more effective.
Ok. I was not aware that Linux had this fix / feature already. I'll take
a look into the CVS repos of the other BSDs and see if it's something I
can suggest a patch for in those worlds.
The reason I asked was because I don't have access to many boxes of
different architectures or operating systems. Indeed, my patch
implements per-user limits, but keeps track per-process for the purpose
of removing locks on a setuid() call. In the beginning, I thought that
it would be necessary for process termination, but since fdfree() is
called in kern_exit.c and the locks are released sequentially across the
whole file (the whole file is unlocked and the for (;;) code in
kern_lockf.c will unlock this), I see that it is unnecessary for this
purpose.
Are there ideas on how I could implement the lock transfer between users
without intruding on the process structure, or is this something that's
reasonable?
>>[snip]
> Refer to fcntl(2) in preference to lockf(3). While lockf(3) locks
> typically are implemented using fcntl(2), SUSv3 doesn't say anything
> about interaction between the two. Also, lockf(3) is marked XSI, but
> fcntl(2) locking is not.
Point taken.
> The sysctl(3) and sysctl(8) manpages haven't been updated, but I'm not
> sure whether that's useful.
Right. I'll need to list my new sysctl. Thanks for the reminder.
Thanks for the feedback, Jilles. I really appreciate the architectural
help and explinations you've given to me both here on-list and on Freenode.
I'll let you guys know when I've an updated patch incorporating these
changes.
Kind regards,
Devon H. O'Dell
More information about the freebsd-arch
mailing list