Subject: Re: [PATCH] proc: prevent accessing /proc//environ until it's ready
From: Mathias Krause
To: Andrew Morton
Cc: linux-kernel@vger.kernel.org, Emese Revfy, Pax Team, Al Viro, Mateusz Guzik, Alexey Dobriyan, Cyrill Gorcunov, Jarod Wilson
Date: Fri, 29 Apr 2016 07:59:00 +0200
In-Reply-To: <20160428142622.92fad67c88152341075e4294@linux-foundation.org>
References: <1461870258-17970-1-git-send-email-minipli@googlemail.com> <20160428142622.92fad67c88152341075e4294@linux-foundation.org>

On 28 April 2016 at 23:26, Andrew Morton wrote:
> On Thu, 28 Apr 2016 21:04:18 +0200 Mathias Krause wrote:
>
>> If /proc//environ gets read before the envp[] array is fully set
>> up in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying
>> to read more bytes than are actually written, as env_start will already
>> be set but env_end will still be zero, making the range calculation
>> underflow, allowing to read beyond the end of what has been written.
>>
>> Fix this as it is done for /proc//cmdline by testing env_end for
>> zero. It is, apparently, intentionally set last in create_*_tables().
>>
>> This bug was found by the PaX size_overflow plugin that detected the
>> arithmetic underflow of 'this_len = env_end - (env_start + src)' when
>> env_end is still zero.
>
> So what are the implications of this? From my reading, a craftily
> constructed application could occasionally read arbitrarily large
> amounts of kernel memory?

I don't think access_remote_vm() is capable of that. So, the only
consequence is, userland trying to access /proc//environ of a not yet
fully set up process may get inconsistent data as we're in the middle
of copying in the environment variables.

Regards,
Mathias
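The following is an added user-space model of the range arithmetic quoted in the thread, written to show why `this_len = env_end - (env_start + src)` wraps when `env_end` is still zero and what the `env_end` check buys. It is not the kernel's code and not part of the patch: `struct env_range`, the chunk-length helpers, `PAGE_SIZE` and the two sample address ranges are all constructed here for illustration, and the model deliberately leaves out `access_remote_vm()`, which in the real kernel bounds each copy to memory that is actually mapped.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the two mm_struct fields the thread talks about.
 * The kernel keeps them as unsigned long, so the same type is used here and
 * the subtraction wraps the same way on a half-initialised process. */
struct env_range {
    unsigned long env_start;
    unsigned long env_end;
};

#define PAGE_SIZE 4096UL

/* Sample ranges (constructed values, not taken from a real process):
 * - half_initialised: env_start already stored, env_end not yet written
 * - ready: a fully set up 64-byte environment block                   */
static const struct env_range half_initialised = { 0xbfff1000UL, 0 };
static const struct env_range ready            = { 0x1000UL, 0x1040UL };

/* Unchecked range calculation, following the shape of the expression quoted
 * in the patch description.  With env_end == 0 both subtractions wrap to a
 * huge value, so the read is only ever limited by count and PAGE_SIZE. */
static size_t environ_chunk_len_unchecked(const struct env_range *r,
                                          size_t src, size_t count)
{
    size_t this_len, max_len;

    if (src >= r->env_end - r->env_start)   /* wraps when env_end == 0 */
        return 0;
    this_len = r->env_end - (r->env_start + src);
    max_len = count < PAGE_SIZE ? count : PAGE_SIZE;
    return this_len < max_len ? this_len : max_len;
}

/* The fix the thread describes: an env_end of zero means the environment
 * block is not complete yet, so report nothing to read instead of computing
 * a range from half-initialised fields. */
static size_t environ_chunk_len_checked(const struct env_range *r,
                                        size_t src, size_t count)
{
    if (r->env_end == 0)
        return 0;
    return environ_chunk_len_unchecked(r, src, count);
}

/* Total number of bytes a read of `count` bytes would attempt to copy,
 * page by page, with or without the env_end check. */
static size_t environ_read_total(const struct env_range *r, size_t count,
                                 int checked)
{
    size_t src = 0, total = 0;

    while (count > 0) {
        size_t n = checked ? environ_chunk_len_checked(r, src, count)
                           : environ_chunk_len_unchecked(r, src, count);
        if (n == 0)
            break;
        src += n;
        count -= n;
        total += n;
    }
    return total;
}

int main(void)
{
    size_t req = 3 * PAGE_SIZE + 10;

    printf("half-initialised, unchecked: %zu of %zu requested bytes\n",
           environ_read_total(&half_initialised, req, 0), req);
    printf("half-initialised, checked:   %zu bytes\n",
           environ_read_total(&half_initialised, req, 1));
    printf("ready, checked:              %zu bytes (64 written)\n",
           environ_read_total(&ready, 1000, 1));
    return 0;
}
```

On the half-initialised range the unchecked version happily returns the entire requested length, chunked into pages, even though zero bytes of environment have been written; the checked version returns nothing until `env_end` is set, and behaves identically to the unchecked one once it is.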