Move utrace into task_struct

2008.07.02
Risk: Low
Local: Yes
Remote: No
CWE: CWE-362


CVSS Base Score: 4.7/10
Impact Subscore: 6.9/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

Regardless of future of "struct utrace utrace;" patch looks like there is another race: engine's flags and ops settings in utrace_detach() and acting on them in report_quiescent(): utrace_detach() report_quiescent() --------------- ------------------ [utrace lock held] [utrace lock is not held] engine->flags = UTRACE_EVENT(QUIESCE) | UTRACE_ACTION_QUIESCE; if (engine->flags & UTRACE_EVENT(QUIESCE)) REPORT(report_quiesce); rcu_assign_pointer(engine->ops, &dead_engine_ops); At the moment of REPORT call engine's ops are still "live" ptrace ops which do not have ->report_quiesce callback. So, there will oops while calling function at NULL address. "Dead" ptrace engine ops do have dummy callback but it wasn't yet glued. I hit this once with "struct utrace utrace;" patch applied, but this bug is also present in stock utrace, I'm sure. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/

References:

http://www.openwall.com/lists/oss-security/2008/06/26/1
http://rhn.redhat.com/errata/RHSA-2008-0508.html
https://bugzilla.redhat.com/show_bug.cgi?id=449359
http://www.securityfocus.com/bid/29945
http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/late-ptrace-may-attach-check.c?cvsroot=systemtap
http://marc.info/?l=linux-kernel&m=117863520707703&w=2
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=f5b40e363ad6041a96e3da32281d8faa191597b9
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=f358166a9405e4f1d8e50d8f415c26d95505b6de
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=5ecfbae093f0c37311e89b29bfc0c9d586eace87


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top