On Tue, 27 Sep 2005 17:58:00 +0100, Alan Cox <[email protected]> wrote:
> On Maw, 2005-09-27 at 09:09 -0700, Linus Torvalds wrote:
> > > root-owned), then the urb completes, and kill_proc_info() sends the
> > > signal to the unsuspecting process.
> >
> > Ehh.. pid's don't get re-used until they wrap.
>
> Which doesn't take very long to arrange. Relying on pids is definitely a
> security problem we don't want to make worse than it already is.
The whole application cannot exit and leave URBs running behind,
because usbdevio_release() blocks until they are terminated.
Only separate threads can exit.
So, the only thing a malicious user can do is something like this:
- open /proc/bus/usb/BUS/DEV
- submit URB
- fork
- exit parent thread
- wait in the child until PIDs wrap very close to former parent
- exit and hope that someone forks while the exit is processing
Right? But if so, why don't we do something like this:
submit_urb()
as->pid = current->pid;
as->tgid = current->tgid;
.....
async_complete()
__kill_same_process(as->pid, as->tgid);
/* DO NOT USE IN DRIVERS (other than USB core) */
__kill_same_process(pid_t pid, pid_t tgid) {
task_struct *we, *maybe_parent;
lock(&tasklist_lock);
we = find_task_by_pid(pid);
maybe_parent = find_task_by_tgid(pid);
if (maybe_parent != NULL && we->parent == maybe_parent)
send_sig_info(sig, info, we);
unlock(&tasklist_lock);
}
This does not need to check any IDs, I think. Then we do not have to
ponder if effective or real is more appropriate, and if any sort of
new-fanged security thingies like capabilities apply.
-- Pete
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]