{"id":697,"date":"2020-03-26T01:09:09","date_gmt":"2020-03-26T00:09:09","guid":{"rendered":"http:\/\/blog.pi3.com.pl\/?p=697"},"modified":"2020-03-26T01:09:09","modified_gmt":"2020-03-26T00:09:09","slug":"linux-kernel-bug-all-kernels-insufficiently-restrict-exit-signals","status":"publish","type":"post","link":"https:\/\/blog.pi3.com.pl\/?p=697","title":{"rendered":"Linux kernel bug &#8211; all kernels insufficiently restrict exit signals"},"content":{"rendered":"\n<p>I&#8217;ve recently spent some time looking at the &#8216;exec_id&#8217; counter. Historically, the Linux kernel had 2 independent security problems related to that code: <a rel=\"noreferrer noopener\" aria-label=\"CVE-2009-1337 (opens in a new tab)\" href=\"https:\/\/www.cvedetails.com\/cve\/CVE-2009-1337\/\" target=\"_blank\">CVE-2009-1337<\/a> and <a rel=\"noreferrer noopener\" aria-label=\"CVE-2012-0056 (opens in a new tab)\" href=\"https:\/\/www.cvedetails.com\/cve\/CVE-2012-0056\/\" target=\"_blank\">CVE-2012-0056<\/a>.<\/p>\n\n\n\n<p>Until 2012, the &#8216;self_exec_id&#8217; field (among others) was used to enforce permission checks for the \/proc\/pid\/{mem\/maps\/\u2026} interface. However, it was done poorly and a serious security problem was reported, known as &#8220;Mempodipper&#8221; (<a rel=\"noreferrer noopener\" aria-label=\"CVE-2012-0056 (opens in a new tab)\" href=\"https:\/\/www.cvedetails.com\/cve\/CVE-2012-0056\/\" target=\"_blank\">CVE-2012-0056<\/a>). Since that patch, &#8216;self_exec_id&#8217; is no longer tracked; instead, the kernel checks the process&#8217;s VM at the time of the open().<\/p>\n\n\n\n<p>In 2009, Oleg Nesterov discovered that the Linux kernel had incorrect logic for resetting ->exit_signal. As a result, a malicious user could bypass it by exec&#8217;ing a setuid application before exiting (->exit_signal would not be reset to SIGCHLD). 
<a href=\"https:\/\/www.cvedetails.com\/cve\/CVE-2009-1337\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"CVE-2009-1337 (opens in a new tab)\">CVE-2009-1337<\/a> was assigned to track this issue.<\/p>\n\n\n\n<p>The logic responsible for handling ->exit_signal has been changed a few times, and the current logic has been in place since Linux kernel 3.3.5. However, it is not fully robust, and it is still possible for a malicious user to bypass it. Basically, it is possible to send arbitrary signals to a privileged (suidroot) parent process.<\/p>\n\n\n\n<p>I&#8217;ve summarized my analysis and posted it on LKML:<br><a href=\"https:\/\/lists.openwall.net\/linux-kernel\/2020\/03\/24\/1803\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"https:\/\/lists.openwall.net\/linux-kernel\/2020\/03\/24\/1803 (opens in a new tab)\">https:\/\/lists.openwall.net\/linux-kernel\/2020\/03\/24\/1803<\/a><\/p>\n\n\n\n<p>and on the kernel-hardening mailing list:<br><a href=\"https:\/\/www.openwall.com\/lists\/kernel-hardening\/2020\/03\/25\/1\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"https:\/\/www.openwall.com\/lists\/kernel-hardening\/2020\/03\/25\/1 (opens in a new tab)\">https:\/\/www.openwall.com\/lists\/kernel-hardening\/2020\/03\/25\/1<\/a><\/p>\n\n\n\n<p>Btw, kernels 2.0.39 and 2.0.40 look secure \ud83d\ude09<\/p>\n\n\n\n<p>Thanks,<br>Adam<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve recently spent some time looking at the &#8216;exec_id&#8217; counter. Historically, the Linux kernel had 2 independent security problems related to that code: CVE-2009-1337 and CVE-2012-0056. Until 2012, the &#8216;self_exec_id&#8217; field (among others) was used to enforce permission checks for the \/proc\/pid\/{mem\/maps\/\u2026} interface. 
However, it was done poorly and a serious security problem was reported, known as &#8220;Mempodipper&#8221; [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4,5,6],"tags":[],"class_list":["post-697","post","type-post","status-publish","format-standard","hentry","category-bughunt","category-exploiting","category-ideas"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/697","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=697"}],"version-history":[{"count":7,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/697\/revisions"}],"predecessor-version":[{"id":704,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/697\/revisions\/704"}],"wp:attachment":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=697"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=697"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=697"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}