From: Wanlong G. <gao...@cn...> - 2012-06-20 08:09:29
|
Since kernel commit bdbb776f changed the permission check from euid to uid, so, we should also change our code to be consistent with it. commit bdbb776f882f5ad431aa1e694c69c1c3d6a4a5b8 Author: Kees Cook <kee...@ch...> Date: Mon Mar 19 16:12:53 2012 -0700 futex: Do not leak robust list to unprivileged process It was possible to extract the robust list head address from a setuid process if it had used set_robust_list(), allowing an ASLR info leak. This changes the permission checks to be the same as those used for similar info that comes out of /proc. Running a setuid program that uses robust futexes would have had: cred->euid != pcred->euid cred->euid == pcred->uid so the old permissions check would allow it. I'm not aware of any setuid programs that use robust futexes, so this is just a preventative measure. Signed-off-by: Wanlong Gao <gao...@cn...>
---
 .../syscalls/get_robust_list/get_robust_list01.c | 30 ++++++++++------------
 1 file changed, 13 insertions(+), 17 deletions(-)
diff --git a/testcases/kernel/syscalls/get_robust_list/get_robust_list01.c b/testcases/kernel/syscalls/get_robust_list/get_robust_list01.c
index 27c0be6..34d0985 100644
--- a/testcases/kernel/syscalls/get_robust_list/get_robust_list01.c
+++ b/testcases/kernel/syscalls/get_robust_list/get_robust_list01.c
@@ -152,8 +152,18 @@ int main(int argc, char **argv)
 tst_resm(TFAIL, "get_robust_list succeeded unexpectedly");
- if (seteuid(1) == -1)
- tst_brkm(TBROK|TERRNO, cleanup, "seteuid(1) failed");
+ TEST(retval = syscall(__NR_get_robust_list, 0,
+ (struct robust_list_head **)&head,
+ &len_ptr));
+
+ if (TEST_RETURN == 0)
+ tst_resm(TPASS, "get_robust_list succeeded");
+ else
+ tst_resm(TFAIL|TTERRNO,
+ "get_robust_list failed unexpectedly");
+
+ if (setuid(1) == -1)
+ tst_brkm(TBROK|TERRNO, cleanup, "setuid(1) failed");
 TEST(retval = syscall(__NR_get_robust_list, 1, (struct robust_list_head *)&head,
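Review bot: The `setuid(1)` call that sets up the EPERM case is a one-way drop when the test runs as root: real, effective and saved uid all become 1, so unlike the removed `seteuid(1)`/`seteuid(0)` pair the process stays unprivileged through `cleanup()` and through any further iteration of the test loop, if `main()` has one. That matches the uid-based check the commit message describes, but it should be stated at the call, e.g. `/* kernel checks the caller's real uid since bdbb776f; setuid() as root cannot be undone, keep root-only steps above this line */`. The literal uid 1 is also a host assumption; resolving an unprivileged account with `getpwnam("nobody")` would be more robust where uid 1 is not mapped. `main()` begins and ends outside this hunk, so whether `setup()` already enforces running as root is not visible here.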
@@ -170,20 +180,6 @@ int main(int argc, char **argv) } else tst_resm(TFAIL, "get_robust_list succeeded unexpectedly"); - - if (seteuid(0) == -1) - tst_brkm(TBROK|TERRNO, cleanup, "seteuid(0) failed"); - - TEST(retval = syscall(__NR_get_robust_list, 0, - (struct robust_list_head **)&head, - &len_ptr)); - - if (TEST_RETURN == 0) - tst_resm(TPASS, "get_robust_list succeeded"); - else - tst_resm(TFAIL|TTERRNO, - "get_robust_list failed unexpectedly"); - } cleanup(); @@ -203,4 +199,4 @@ void setup(void) void cleanup(void) { TEST_CLEANUP; -} \ No newline at end of file +} -- 1.7.11.rc0 |