Re: capget() overflows buffers.

From: Chris Wright
Date: Thu May 22 2008 - 16:54:40 EST

Next message: Alan Cox: "[PATCH] mmtimer: Push BKL down into the ioctl handler"
Previous message: Alan Cox: "[PATCH] ip2: Push BKL down for the firmware interface"
In reply to: Chris Wright: "Re: capget() overflows buffers."
Next in thread: Andrew G. Morgan: "Re: capget() overflows buffers."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Chris Wright (chrisw@xxxxxxxxxxxx) wrote:
> Yes, this thing is broken.

Andrew, I think this should be considered a serious problem. The
interface ABI is stable for old programs, and fine for anything new
or old that's using libcap. But the API has changed subtly (taking a
pointer to a blob, to a pointer to an array of blobs), and is easily
broken for programs recompiled against new headers not using libcap.

For the squid issue at least it does capget/capset, so it's likely to
write back in capset the caps it got in capget (when it doesn't hit
glibc heap overflow protection).

But bind, for example, could have garbage in the upper 32bits on a 64bit
caps system that does not HAVE_LIBCAP:

(Note: snipped it down to make it readable, removed some ifdef
HAVE_LIBCAP, etc)

linux_setcaps(cap_t caps) {
struct __user_cap_header_struct caphead;
struct __user_cap_data_struct cap; <-- just one set of u32s
<snip>
memset(&caphead, 0, sizeof(caphead));
caphead.version = _LINUX_CAPABILITY_VERSION; <-- v2
caphead.pid = 0;
memset(&cap, 0, sizeof(cap));
cap.effective = caps;
cap.permitted = caps;
cap.inheritable = 0; <-- fill in just that set
<snip>
if (syscall(SYS_capset, &caphead, &cap) < 0) {
^^^ kernel pulls 2 sets of
u32s, send is just junk from
stack

For the squid case that Bojan described:
(Note: snipped it down again)

restoreCapabilities(int keep)
{
cap_user_header_t head = (cap_user_header_t) xcalloc(1, sizeof(cap_user_header_t));
cap_user_data_t cap = (cap_user_data_t) xcalloc(1, sizeof(cap_user_data_t));
head->version = _LINUX_CAPABILITY_VERSION;
if (capget(head, cap) != 0) {
<snip>
head->pid = 0;
cap->inheritable = 0;
cap->effective = (1 << CAP_NET_BIND_SERVICE);
<snip>
if (!keep)
cap->permitted &= cap->effective;
if (capset(head, cap) != 0) {

I don't see a nice solution, short reverting, and adding a new set of
syscalls to support 64-bit.

thanks,
-chris
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alan Cox: "[PATCH] mmtimer: Push BKL down into the ioctl handler"
Previous message: Alan Cox: "[PATCH] ip2: Push BKL down for the firmware interface"
In reply to: Chris Wright: "Re: capget() overflows buffers."
Next in thread: Andrew G. Morgan: "Re: capget() overflows buffers."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]