From: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>
To: "Volker Weißmann" <volker.weissmann@gmx.de>,
"Siddhesh Poyarekar" <siddhesh@gotplt.org>,
libc-alpha@sourceware.org
Subject: Re: [PATCH v3] Fix FORTIFY_SOURCE false positive
Date: Wed, 4 Oct 2023 13:57:42 -0300 [thread overview]
Message-ID: <3484e51b-af95-4f11-8d15-5ec21c0827c0@linaro.org> (raw)
In-Reply-To: <74fc573f-e83e-4383-af94-95f49d9ea1b2@gmx.de>
On 04/10/23 11:43, Volker Weißmann wrote:
> I thought about my patch again...
>
> If an attacker can make the victim-program leak file descriptors, this
> can be used to defeat string fortification.
>
> Since leaking file-descriptors is normally not that bad (normally, it
> cannot lead to anything worse than a DOS), programmers/security auditors
> might be less careful in ensuring that no fd leaks.
>
> It doesn't even have to be a true leak, image if e.g. the attacker
> controls python code that runs inside an interpreter that does some
> sandboxing. Then the attacker could do something like:
>
> with open("/dev/zero") as file1:
> with open("/dev/zero") as file2:
> ...
> with open("/dev/zero") as file1023:
> trigger_formatstring_bug_in_the_python_interpreter()
>
> to break out of the sandbox.
>
> I know I'm being a bit paranoid, but glibc is used *everywhere*.
>
> I think instead of "return 1;" we should do
>
> __libc_fatal ("*** too many open file descriptors ***\n");
>
> instead.
The same if also check for procfs support, meaning that if it is not accessible
the process will start to abort execution. Not sure about what kind of breakage
it would incur, but it should reasonable to abort on both cases since this is
done iff fortify is enabled.
>
>
> On 03.10.23 19:25, Siddhesh Poyarekar wrote:
>> On 2023-10-03 13:18, Volker Weißmann wrote:
>>> When -D_FORTIFY_SOURCE=2 was given during compilation,
>>> sprintf and similar functions will check if their
>>> first argument is in read-only memory and exit with
>>> *** %n in writable segment detected ***
>>> otherwise. To check if the memory is read-only, glibc
>>> reads frpm the file "/proc/self/maps". If opening this
>>> file fails due to too many open files (EMFILE), glibc
>>> will now ignore this error.
>>>
>>> Fixes [BZ #30932]
>>>
>>> Signed-off-by: Volker Weißmann <volker.weissmann@gmx.de>
>>> ---
>>
>> Thanks! LGTM.
>>
>> Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
>>
>> Adhemerval, could you please add this with your test case patch and
>> send it as a series? I can then review that too.
>>
>> Thanks,
>> Sid
>>
>>> sysdeps/unix/sysv/linux/readonly-area.c | 4 +++-
>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/sysdeps/unix/sysv/linux/readonly-area.c
>>> b/sysdeps/unix/sysv/linux/readonly-area.c
>>> index edc68873f6..ba32372ebb 100644
>>> --- a/sysdeps/unix/sysv/linux/readonly-area.c
>>> +++ b/sysdeps/unix/sysv/linux/readonly-area.c
>>> @@ -42,7 +42,9 @@ __readonly_area (const char *ptr, size_t size)
>>> to the /proc filesystem if it is set[ug]id. There has
>>> been no willingness to change this in the kernel so
>>> far. */
>>> - || errno == EACCES)
>>> + || errno == EACCES
>>> + /* Process has reached the maximum number of open files. */
>>> + || errno == EMFILE)
>>> return 1;
>>> return -1;
>>> }
>>> --
>>> 2.42.0
>>>
next prev parent reply other threads:[~2023-10-04 16:57 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-03 17:18 Volker Weißmann
2023-10-03 17:25 ` Siddhesh Poyarekar
2023-10-03 18:13 ` [PATCH] debug: Add regression tests for BZ 30932 Adhemerval Zanella
2023-10-03 18:48 ` Siddhesh Poyarekar
2023-10-04 14:43 ` [PATCH v3] Fix FORTIFY_SOURCE false positive Volker Weißmann
2023-10-04 16:57 ` Adhemerval Zanella Netto [this message]
2023-10-04 17:08 ` Siddhesh Poyarekar
2023-10-04 14:51 ` Andreas Schwab
2023-10-04 15:44 ` Volker Weißmann
2023-10-04 17:36 ` Florian Weimer
2023-10-04 17:45 ` Siddhesh Poyarekar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3484e51b-af95-4f11-8d15-5ec21c0827c0@linaro.org \
--to=adhemerval.zanella@linaro.org \
--cc=libc-alpha@sourceware.org \
--cc=siddhesh@gotplt.org \
--cc=volker.weissmann@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).