6084520 2001-02-11 02:32 +0100 /29 lines/ Joost Pol2 <nohican@BADCODING.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-02-12 20:05 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: nohican@BADCODING.ORG
Recipient: Bugtraq (import) <15360>
Comment on text 6077539 by Greg KH <greg@WIREX.COM>
Subject: Re: Linux kernel sysctl() vulnerability
------------------------------------------------------------
From: Joost Pol2 <nohican@BADCODING.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010211023200.A5410@badcoding.org>
'Night all,
Should this not be fixed in copyout/copyin instead?
It probably occurs at other places instead of sysctl as well.
Kind regards,
Joost Pol alias Nohican (nohican@root66.org)
:wq
On Sat, Feb 10, 2001 at 02:43:38PM -0800, Greg KH wrote:
> On Sat, Feb 10, 2001 at 10:28:01AM +0100, Florian Weimer wrote:
> >
> > The following trivial patch should fix this issue.
>
> Here's the patch that Alan accepted and put into 2.2.18-pre9 to fix this
> problem.
>
> greg k-h
>
> --
> greg@(kroah|wirex).com
> http://immunix.org/~greg
(6084520) ------------------------------------------
6084610 2001-02-11 12:02 +0000 /25 lines/ Stephen White <swhite@OX.COMPSOC.NET>
Sent by: joel@lysator.liu.se
Imported: 2001-02-12 20:22 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: swhite@OX.COMPSOC.NET
Recipient: Bugtraq (import) <15361>
Comment on text 6077058 by Florian Weimer <Florian.Weimer@RUS.UNI-STUTTGART.DE>
Subject: Re: Linux kernel sysctl() vulnerability
------------------------------------------------------------
On Sat, Feb, 2001, Florian Weimer wrote:
> Chris Evans <chris@SCARY.BEASTS.ORG> writes:
> > There exists a Linux system call sysctl() which is used to query and
> > modify runtime system settings. Unprivileged users are permitted to query
> > the value of many of these settings.
>
> The following trivial patch should fix this issue. (I wonder how you
> can audit code for such vulnerabilities. It's probably much easier to
> rewrite it in Ada. ;-)
The attached kernel module should sanitise input to the sysctl syscall
to prevent the problem without forcing a kernel recompile or upgrade.
I assume the vulnerability can't be exploited via the /proc sysctl
interface.
Unfortunately the module does nothing for the ptrace race condition,
though a module to disable ptrace would be trivial it would disable
strace and some features of gdb and so on.
--
Stephen White \ OU Compsoc System Administration Team
PGP Key ID: 0xC79E5B6A \ System Administration Co-ordinator
<swhite@ox.compsoc.net> \ http://ox.compsoc.net/~swhite/
(6084610) --------------------------------(Rewrapped)
Attachment (text/plain) in text 6084611
6084611 2001-02-11 12:02 +0000 /76 lines/ Stephen White <swhite@OX.COMPSOC.NET>
Imported: 2001-02-12 20:22 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: swhite@OX.COMPSOC.NET
Recipient: Bugtraq (import) <15362>
Attachment (text/plain) to text 6084610
Subject: Attachment to: Re: Linux kernel sysctl() vulnerability
------------------------------------------------------------
/* Stephen White 10/2/2001
   swhite@ox.compsoc.net

   sysctl_fix.c, compile:
     gcc -Wall -DMODULE -D__KERNEL__ -c sysctl_fix.c
   (on Redhat/UltraSparc with
     sparc64-linux-gcc -m64 -mno-fpu -mcmodel=medlow -mcpu=ultrasparc
       -ffixed-g4 -fcall-used-g5 -fcall-used-g7 -Wall -DMODULE
       -D__KERNEL__
       -c sysctl_fix.c )

   Prevent sysctl exploit discovered by Chris Evans by properly validating
   input against negative numbers.
*/

#include <linux/kernel.h>
#include <linux/config.h>
#include <linux/module.h>
#include <linux/version.h>
#include <linux/types.h>
#include <linux/errno.h>
#include <linux/sched.h>
#include <sys/syscall.h>
#include <linux/linkage.h>
#include <asm/uaccess.h>
#include <linux/sysctl.h>

extern void *sys_call_table[];

/* Original sysctl handler, saved at load time and restored at unload. */
int (*old_sysctl)(struct __sysctl_args *args);

/* Wrapper installed in place of sysctl: reject negative lengths, then
   hand the call to the original handler. */
asmlinkage int validate_sysctl(struct __sysctl_args *args)
{
	struct __sysctl_args tmp;

	/* Work on a kernel-side copy of the user-supplied argument block. */
	if (copy_from_user(&tmp, args, sizeof(tmp)))
		return -EFAULT;

	if (tmp.nlen < 0)
		goto bad;

	if (tmp.oldval) {
		size_t old_len;

		/* oldlenp points to a size_t: read all of it, then test the
		   sign of the value as an int. */
		if (copy_from_user(&old_len, tmp.oldlenp, sizeof(old_len)))
			return -EFAULT;
		if ((int)old_len < 0)
			goto bad;
	}

	/* newlen is a size_t in struct __sysctl_args, so it has to be
	   compared as an int; an unsigned value is never < 0. */
	if (tmp.newval)
		if ((int)tmp.newlen < 0)
			goto bad;

	/* The original handler is given the user pointer and reads the
	   arguments from user space again. */
	return (*old_sysctl)(args);

bad:
	printk("sysctl: arguments failed sanity check for user %i\n", current->uid);
	return -EINVAL;
}

/* Hook the sysctl slot of the system call table. */
int init_module(void)
{
	old_sysctl = sys_call_table[__NR__sysctl];
	sys_call_table[__NR__sysctl] = validate_sysctl;
	return 0;
}

/* Put the original handler back. */
void cleanup_module(void)
{
	sys_call_table[__NR__sysctl] = old_sysctl;
}
(6084611) --------------------------------(Rewrapped)
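
The module above rejects negative lengths before the call reaches the kernel's sysctl code. The following user-space model is an added example, not code from this thread or from the kernel, showing why a negative length slips through a signed bounds clamp and how checking the sign first closes the gap. BUF_MAX, copy_len_signed and copy_len_checked are hypothetical names and the sample inputs are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: a handler clamps a caller-supplied length against its
 * buffer size, then passes the result to a copy routine taking size_t. */
#define BUF_MAX 64

/* Weak form: the clamp is a signed comparison, so any negative length is
 * "smaller" than BUF_MAX and is left alone; the conversion to size_t then
 * turns it into an enormous byte count. */
static size_t copy_len_signed(int requested)
{
    int len = requested;
    if (len > BUF_MAX)
        len = BUF_MAX;
    return (size_t)len;            /* -1 becomes SIZE_MAX */
}

/* Hardened form: refuse negative requests, then clamp as an unsigned value.
 * Returns 0 and stores the safe count in *out, or -1 if rejected. */
static int copy_len_checked(int requested, size_t *out)
{
    size_t len;

    if (requested < 0)
        return -1;
    len = (size_t)requested;
    if (len > BUF_MAX)
        len = BUF_MAX;
    *out = len;
    return 0;
}

int main(void)
{
    int samples[] = { 16, 64, 4096, -1, INT_MIN };   /* constructed inputs */
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t safe = 0;
        int rc = copy_len_checked(samples[i], &safe);
        printf("req=%d signed-clamp=%zu checked=%s (%zu)\n", samples[i],
               copy_len_signed(samples[i]), rc ? "rejected" : "ok", safe);
    }
    return 0;
}
```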