Date:      Mon, 5 May 2014 22:51:39 +0200
From:      Mateusz Guzik <mjguzik@gmail.com>
To:        Chagin Dmitry <dchagin@freebsd.org>
Cc:        src-committers@freebsd.org, svn-src-user@freebsd.org
Subject:   Re: svn commit: r265327 - in user/dchagin/lemul/sys: amd64/linux amd64/linux32 compat/linux conf i386/linux modules/linux modules/linux64
Message-ID:  <20140505205138.GB17831@dft-labs.eu>
In-Reply-To: <20140505202533.GA9747@dchagin.static.corbina.net>
References:  <201405041559.s44FxWdj053353@svn.freebsd.org> <20140504180749.GA17835@dft-labs.eu> <20140505050204.GA1307@dchagin.static.corbina.net> <20140505153218.GA17831@dft-labs.eu> <20140505202533.GA9747@dchagin.static.corbina.net>

On Tue, May 06, 2014 at 12:25:33AM +0400, Chagin Dmitry wrote:
> On Mon, May 05, 2014 at 05:32:18PM +0200, Mateusz Guzik wrote:
> > On Mon, May 05, 2014 at 09:02:04AM +0400, Chagin Dmitry wrote:
> > > On Sun, May 04, 2014 at 08:07:49PM +0200, Mateusz Guzik wrote:
> > > >         switch (args->op) {
> > > >         case LINUX_EPOLL_CTL_MOD:
> > > >                 /*
> > > >                  * We don't memorize which events were set for this FD
> > > >                  * on this level, so just delete all we could have set:
> > > >                  * EVFILT_READ and EVFILT_WRITE, ignoring any errors
> > > >                  */
> > > >                 error = epoll_delete_all_events(td, epfp, args->fd);
> > > > 
> > > > Again a lookup.
> > > > 
> > > > Whether this particular problem could be used to do something nasty I don't
> > > > know, but playing like this is asking for trouble.
> > > > 
> > > > The only solution I see is to modify kqueue functions to accept fps.
> > > > 
> > > 
> > > reason? to prevent extra fget? or something else?
> > > 
> > 
> > Having multiple lookups for the same fd number may lead to different
> > fps, which may or may not be used to cause inconsistencies which in turn
> > may or may not be exploitable to either crash the kernel or escalate
> > privileges.
> > 
> > That said, the concern is that a malicious user could try to work
> > something out from this.
> > 
> 
> Hi, maybe it is enough to keep a file ref?
> 

Yeah, just fget what you need and only pass fp around. Note to check
that fp->f_type == DTYPE_KQUEUE.

So just change kern_kevent to grab fp instead of fd and assert proper
fp->f_type.

Similarly for other functions grabbing fd instead of fp (if any).

-- 
Mateusz Guzik <mjguzik gmail.com>
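As an added example (not code from this thread or from FreeBSD), a small user-space C model of the two patterns discussed above: helpers that each re-resolve the fd number versus one fget whose fp is passed around and type-checked. All names (fdtable, fget_model, fdrop_model, swap_slot) and the enum values are hypothetical stand-ins for the kernel's fget()/fdrop(), the fd table and DTYPE_*.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-ins for the kernel's DTYPE_* values. */
enum ftype { DTYPE_NONE = 0, DTYPE_VNODE = 1, DTYPE_KQUEUE = 5 };

struct file { enum ftype f_type; int f_count; };
struct fdtable { struct file *fds[8]; };

/* Model of fget(): resolve fd, take a reference, NULL stands for EBADF. */
static struct file *fget_model(struct fdtable *t, int fd) {
    if (fd < 0 || fd >= 8 || t->fds[fd] == NULL) return NULL;
    t->fds[fd]->f_count++;
    return t->fds[fd];
}
static void fdrop_model(struct file *fp) { fp->f_count--; }

/* Pattern criticised in the thread: each helper re-resolves the fd. If the
 * slot is closed and reused in between (modelled by 'race'), the two
 * helpers end up acting on different files. Returns 1 if both lookups
 * hit the same file, 0 if they diverged, -1 on EBADF. */
static int double_lookup(struct fdtable *t, int fd, void (*race)(struct fdtable *, int)) {
    struct file *a = fget_model(t, fd);
    if (a == NULL) return -1;
    if (race) race(t, fd);
    struct file *b = fget_model(t, fd);   /* second lookup, as in the quoted epoll code */
    int same = (b == a);
    if (b) fdrop_model(b);
    fdrop_model(a);
    return same;
}

/* Fix suggested in the thread: fget once, assert f_type, pass fp around.
 * The table may change underneath, but the pinned fp does not. */
static int kevent_on_fp(struct file *fp) {
    return fp->f_type == DTYPE_KQUEUE ? 0 : -1;   /* -1 stands for EBADF */
}
static int single_fget(struct fdtable *t, int fd, void (*race)(struct fdtable *, int)) {
    struct file *fp = fget_model(t, fd);
    if (fp == NULL) return -1;
    if (race) race(t, fd);
    int rv = kevent_on_fp(fp);
    fdrop_model(fp);
    return rv;
}

/* Constructed race: another thread closes the fd and a vnode lands in the slot. */
static struct file g_kq = { DTYPE_KQUEUE, 1 }, g_vn = { DTYPE_VNODE, 1 };
static void swap_slot(struct fdtable *t, int fd) { t->fds[fd] = &g_vn; }
static void reset_table(struct fdtable *t) { for (int i = 0; i < 8; i++) t->fds[i] = NULL; t->fds[3] = &g_kq; }
```

With the race injected, double_lookup() reports two different files while single_fget() still operates on the kqueue it pinned, and a non-kqueue fp is rejected by the f_type check.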


