Bug#: 59905
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Marc Ballarin <Ballarin.Marc@gmx.de>
Attachments:
proc-race.patch (patch, 281 bytes, Marc Ballarin, 2004-08-09 15:16 0000): 2.6 patch devised by Roger Luethi (already included in -mm kernels)
cmdlineLeak-2.4.patch (patch, 388 bytes, Tim Yamin (RETIRED), 2004-08-09 15:32 0000): 2.4 patch
proc_pid_cmdline-race-fix.patch (patch, 693 bytes, Greg Kroah-Hartman, 2004-08-09 15:40 0000): 2.6: full patch from the -mm tree



Description:   Opened: 2004-08-09 15:14 0000
There is another race condition in the proc filesystem.
When reading /proc/<pid>/cmdline of a process that is just being created, it is possible to get the contents of /proc/<pid>/environ, too.
Since environ has stricter permissions than cmdline this is by definition a privilege escalation.
Fortunately, it is not very critical, since environ mostly doesn't contain sensitive data and the race is very hard to trigger, even if you own the process. (Actually I don't know how this can really be used on foreign processes.)

However, this issue might also cause unreproducible and undebuggable bugs in shell scripts that parse the output of "ps x". This is much more likely than a malicious exploit, and has probably been observed by at least one user while installing HelixPlayer.

Probably all kernels 2.6 and 2.4 are affected (I only checked 2.6.7 & 2.6.5).

Reproducible: Always
Steps to Reproduce:
1. Run a script like the following:
# "huioip" matches nothing but this grep's own command line, so every
# iteration should append exactly one line: the grep process itself.
while [ 1 ]; do
        ps ax | grep huioip >> TEST
done
2. While the script is running, do "watch -n 30 grep -c \= TEST"
3. Let the script run until grep finds a matching line. This may easily need more than 10,000 iterations.

Actual Results:  
If you check the file TEST, you will see at least one line in which the expected output is followed by environment variables. The amount of leaked data may vary.
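The reproduction above greps the output of ps for any '=' character, which also fires on ordinary arguments such as --prefix=/usr, and it cannot tell which process leaked. The following harness is an added example, not part of the bug report or of the attached patches: it spawns children with a known argv, reads each child's /proc/<pid>/cmdline directly while the child is starting up, and counts only entries past the expected argv that have the NAME=value shape of an environment variable. It assumes a Linux system with /proc mounted and a "sleep" binary in PATH; the buffer-level check is kept separate from the /proc read so it can be exercised on constructed data. On a kernel carrying the fix the probe returns 0.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Does s[0..len) look like an environment entry, i.e. NAME=value with a
 * non-empty NAME of [A-Za-z_][A-Za-z0-9_]*?  Ordinary arguments carrying
 * an '=' ("--prefix=/usr", "-DFOO=1") fail this test, unlike a plain
 * grep for '='. */
static int looks_like_env_entry(const char *s, size_t len)
{
    size_t i;
    if (len == 0 || !(isalpha((unsigned char)s[0]) || s[0] == '_'))
        return 0;
    for (i = 1; i < len && s[i] != '='; i++)
        if (!(isalnum((unsigned char)s[i]) || s[i] == '_'))
            return 0;
    return i < len;            /* stopped on '=' rather than at the end */
}

/* Split a raw /proc/<pid>/cmdline buffer (NUL-separated, the last entry
 * normally NUL-terminated) and count env-looking entries that appear
 * after the first `argc` ones.  A correct kernel returns exactly argc
 * entries, so the expected result is 0.  A final entry with no trailing
 * NUL (buffer cut off mid-string) still counts as an entry. */
static int count_leaked_env_entries(const char *buf, size_t n, int argc)
{
    int idx = 0, leaked = 0;
    size_t start = 0, i;
    for (i = 0; i <= n; i++) {
        if (i < n && buf[i] != '\0')
            continue;
        if (i == n && start == n)          /* nothing after the last NUL */
            break;
        if (idx >= argc && looks_like_env_entry(buf + start, i - start))
            leaked++;
        idx++;
        start = i + 1;
    }
    return leaked;
}

/* Read /proc/<pid>/cmdline into buf; returns bytes read, or -1 on error. */
static ssize_t read_cmdline(pid_t pid, char *buf, size_t cap)
{
    char path[64];
    ssize_t n, total = 0;
    int fd;
    snprintf(path, sizeof path, "/proc/%d/cmdline", (int)pid);
    fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    while (total < (ssize_t)cap && (n = read(fd, buf + total, cap - total)) > 0)
        total += n;
    close(fd);
    return total;
}

/* Spawn `rounds` children running "sleep 0.1" (assumed to be in PATH) and
 * hammer each child's cmdline while it passes through execve.  Until the
 * exec completes the child still shows this program's own argv, so reads
 * identical to /proc/self/cmdline are skipped rather than counted.
 * Returns the number of reads that carried env-looking data past the two
 * expected entries (0 on a fixed kernel), or -1 if fork fails. */
static int probe_cmdline_race(int rounds)
{
    static char *const child_argv[] = { "sleep", "0.1", NULL };
    char self[4096], buf[4096];
    ssize_t self_n = read_cmdline(getpid(), self, sizeof self);
    int hits = 0;
    for (int r = 0; r < rounds; r++) {
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid == 0) {
            execvp(child_argv[0], child_argv);
            _exit(127);
        }
        for (int k = 0; k < 200; k++) {
            ssize_t n = read_cmdline(pid, buf, sizeof buf);
            if (n <= 0)
                continue;
            if (n == self_n && memcmp(buf, self, (size_t)n) == 0)
                continue;                   /* child has not exec'd yet */
            if (count_leaked_env_entries(buf, (size_t)n, 2) > 0)
                hits++;
        }
        waitpid(pid, NULL, 0);
    }
    return hits;
}

int main(void)
{
    int hits = probe_cmdline_race(50);
    if (hits < 0) {
        perror("fork");
        return 1;
    }
    printf("%d cmdline reads returned environment data past argv\n", hits);
    return hits ? 2 : 0;
}
```

Because the probe compares each read against the child's known argc rather than against its own output, a process that rewrites its argv area (setproctitle-style daemons) should be tested with an argc that matches what it installs, or excluded; the harness above only ever spawns sleep, so that case does not arise here.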

------- Comment #1 From Marc Ballarin 2004-08-09 15:16:27 0000 -------
Created an attachment (id=37124) [details]
Patch devised by Roger Luethi (already included in -mm kernels)

------- Comment #2 From Tim Yamin (RETIRED) 2004-08-09 15:32:27 0000 -------
Created an attachment (id=37125) [details]
2.4 Patch

------- Comment #3 From Greg Kroah-Hartman 2004-08-09 15:40:19 0000 -------
Created an attachment (id=37126) [details]
Full patch from the -mm tree

------- Comment #4 From Greg Kroah-Hartman 2004-08-09 16:10:57 0000 -------
gentoo-dev-sources-2.6.7-r13 has this fix in it.

------- Comment #5 From Guy Martin 2004-08-09 16:34:29 0000 -------
I just applied it on hppa. (yay I'm the fastest one this time :)

------- Comment #6 From Andrea Luzzardi 2004-08-09 17:13:18 0000 -------
Fixed on hardened-sources-2.4.26-r6 (x86)
Fixed on hardened-sources-2.4.27-r1 (~x86)

------- Comment #7 From solar 2004-08-09 19:33:55 0000 -------
grsec-sources-2.4.27.2.0.1-r1.ebuild patched and tested on behalf of the 2.4.x users. All works as expected.

------- Comment #8 From Tim Yamin (RETIRED) 2004-08-09 19:56:17 0000 -------
All done, the following are left to their relevant maintainers:

hardened-dev-sources: Adding hardened herd.
mips-sources: Adding Kumba to the CC list.
openmosix-sources: Adding cluster herd.
{pegasos(-dev), ppc}-sources: Adding dholm.
rsbac-(dev-)sources: Adding kang.
selinux-sources: Adding pebenito.
sparc-sources: Adding Joker and the Gentoo/SPARC team.

------- Comment #9 From Brandon Hale (RETIRED) 2004-08-09 20:23:00 0000 -------
hardened-dev-sources patched, removing hardened herd

------- Comment #10 From Konstantin Arkhipov 2004-08-10 00:11:18 0000 -------
done for openmosix-sources

------- Comment #11 From Guillaume Destuynder (RETIRED) 2004-08-10 03:02:30 0000 -------
all done for rsbac-(dev-)sources

------- Comment #12 From Joshua Kinard 2004-08-11 02:49:08 0000 -------
mips-sources all patched up.

------- Comment #13 From David Holm (RETIRED) 2004-08-13 03:17:15 0000 -------
After struggling with some odd patch errors for a couple of days, pegasos-dev-sources is finally done. {pegasos,ppc}-sources are no longer available.

------- Comment #14 From Chris PeBenito 2004-08-13 20:12:08 0000 -------
selinux-src fixed

------- Comment #15 From Christian Birchinger 2004-08-13 20:38:09 0000 -------
sparc-sources 2.4.27-r1 are fixed.

------- Comment #16 From Tim Yamin (RETIRED) 2004-08-26 04:50:09 0000 -------
GLSA 200408-24.

------- Comment #17 From Daniel Drake 2004-10-11 16:05:03 0000 -------
FYI this patch is present in 2.6.9-rc4

------- Comment #18 From Tim Yamin (RETIRED) 2004-12-18 17:26:50 0000 -------
*** Bug 74463 has been marked as a duplicate of this bug. ***
