A /proc/PID/mem vulnerability [LWN.net]

By Jake Edge
January 25, 2012

A privilege escalation in the kernel is always a serious threat that leads kernel hackers and distributions to scramble to close the hole quickly. That's exactly what happened after a January 17 report from Jüri Aedla to the closed kernel security mailing list. But most people didn't learn of the hole from Aedla (since he posted to a closed list), but instead from Jason Donenfeld (aka zx2c4) who posted a detailed look at the flaw on January 22. The fix was made by Linus Torvalds and went into the mainline on January 17, though with a commit message that obfuscated the security implications—something that didn't sit well with some.

The problem and exploit

The problem itself stems from the removal of the restriction on writes to /proc/PID/mem that was merged for the 2.6.39 kernel. It was part of a patch set that was specifically targeted at allowing debuggers to write to the memory of processes easily via the /proc/PID/mem file. Unfortunately, it left open a hole that Aedla and Donenfeld (at least) were able to exploit.

The posting by Donenfeld is worth a read for those interested in how exploits of this sort are created. The problem starts with the fact that the open() call for /proc/PID/mem does no additional checking beyond the normal VFS permissions before returning a file descriptor. That will prove to be a mistake, and one that Torvalds's fix remedies. Instead of checks at open() time, the code would check in write() and only allow writing if the process being written to is the same as the process doing the writing (i.e. task == current).

That restriction seems like it would make an exploit difficult, but it can be avoided with an exec() and coercing the newly run program to do the writing to itself. That will be dangerous if the newly run program is a setuid executable for example. But there is another test that is meant to block that particular path, by testing that current->self_exec_id has the same value as it did at open() time. self_exec_id is incremented every time that a process does an exec(), so it will definitely be different after executing the setuid binary. But, since it is simply incremented, one can arrange (via fork()) to have a child process with the same self_exec_id as the main process after the setuid exec() is done.

The child with the "correct" self_exec_id value (which it gets by doing an exec()) can then open the parent's /proc/PID/mem file (since there are no extra checks on the open()) and pass the descriptor back to the parent via Unix sockets. The parent then needs to arrange that the setuid executable writes to that file descriptor once a seek() to the proper address has been done. Finding that proper address and getting the binary to write to the fd are the final pieces of the puzzle.

Donenfeld's example uses su because it is not compiled as a position-independent executable (PIE) for most distributions, which makes it easier to figure out which address to use. He exploits the fact that su prints an error message when it is passed an unknown username and the error message helpfully prints the username passed. That allows the exploit to pass shellcode (i.e. binary machine language that spawns a shell when executed) as the argument to su.

After printing the error message, su calls the exit() function (really exit@plt), which is what Donenfeld's exploit overwrites. It finds the address of the function using objdump, subtracts the length of the error message that gets printed before the argument, and seeks the file to that location. It uses dup2() to connect stderr to the /proc/PID/mem file descriptor and execs su "shellcode".

In pseudocode, it might look something like this:

    if (!child && fork()) {  /* child flag set based on -c */
        /* first program invocation, this is parent, wait for fd from child */
	fd = recv_fd();  /* get the fd from the child */
	dup2(2, 15);
	dup2(fd, 2);  /* make fd be stderr */
	lseek(fd, offset);  /* offset to overwrite location */
	exec("/bin/su", shellcode);  /* will have self_exec_id == 1 */
    }
    else if (!child) {
        /* this is the child from the fork(), exec with child flag */
        exec("thisprog", "-c");  /* this program with -c (child) */
    }
    else {
        /* child after exec, will have self_exec_id == 1 */
        fd = open("/proc/PPID/mem", O_RDWR); /* open parent PID's mem file */
        send_fd(fd);  /* send the fd to the parent */
    }

Of course Aedla's proof-of-concept or Donenfeld's exploit code are likely to be even more instructive.

It's obviously a complicated multi-step process, but it is also a completely reliable way to get root privileges. Updates to Donenfeld's post show exploits for distributions like Fedora that do build su as a PIE, or for Gentoo where the read permissions on setuid binaries have been removed so objdump can't be used to find the address of the exit function. For Fedora, gpasswd can be substituted as it is not built as a PIE, while on Gentoo, ptrace() can be used to find the needed address. While it was believed that address space layout randomization (ASLR) for PIEs would make exploitation much more difficult, that proved to be only a small hurdle, at least on 32-bit systems.

The fix and reactions

The fix hit the mainline without any coordination with Linux distributions. Kees Cook, who works on ChromeOS security (and formerly was a member of the Ubuntu security team), told LWN that Red Hat has a person on the closed kernel security mailing list, so it was aware of the problem but did not share that information on the Linux distribution security list. "I've been told this will change in the future, but I'm worried it will be overlooked again", he said. The first indication that other distributions had was likely from Red Hat's Eugene Teo's request for a CVE on the oss-security mailing list.

As Cook points out, the abrupt public disclosure of the bug (via a mainline commit) runs counter to the policy described in the kernel's Documentation/SecurityBugs file, where the default policy is to leave roughly seven days between reports to the mailing list and public disclosure to allow time for vendors to fix the problem. Cook is concerned that bugs reported to security@kernel.org are not being handled reasonably:

The current behavior of security@kernel.org harms end users, harms distros, and harms security researchers, all while ignoring their own published standards of notification. I have repeatedly seen the security@kernel.org list hold a double-standard of "it is urgent to publish this security fix" and "it's just a bug like any other bug". If it were just a bug, there should be no problem in delaying publication. If it were an urgent security fix, all the distros should be notified.

The "just a bug" refers to statements that Torvalds has made over the years about security bugs being no different than any other kind of bug. In email, Torvalds described it this way:

To me, a bug is a bug. Nothing more, nothing less. Some bugs are critical, but it's not about some random "security" crap - it could be because it causes a machine to crash, or it could be because it causes some user application to misbehave.

In keeping with that philosophy, Torvalds does not disclose the security relevance of a fix in the commit message: "I think the whole 'mark this patch as having security implications' is pure and utter garbage". Even if there is a known security problem that is being fixed, his commit messages do not reflect that, as with the message for the /proc/PID/mem fix:

Jüri Aedla reported that the /proc/<pid>/mem handling really isn't very robust, and it also doesn't match the permission checking of any of the other related files.

This changes it to do the permission checks at open time, and instead of tracking the process, it tracks the VM at the time of the open. That simplifies the code a lot, but does mean that if you hold the file descriptor open over an execve(), you'll continue to read from the _old_ VM.

Torvalds's commit message stands in pretty stark contrast to Aedla's report to security@kernel.org (linked above):

I have found a privilege escalation vulnerability, introduced by making /proc/<pid>/mem writable. It is possible to open /proc/self/mem as stdout or stderr before executing a SUID. This leads to SUID writing to it's own memory.

This "masking" of the actual reason for a commit doesn't site well with either Cook or Teo (who also responded to an email query). Cook "cannot overstate how much I am against this kind of masking", while Teo pointed out that this particular bug is in no way unique:

There are many kernel vulnerabilities that were fixed silently in the upstream kernel. This is not the first one, nor will be the last one I'm afraid.

Both Teo and Cook were in agreement that disclosing what is known about a fix at the time it is applied can only help distributions and others trying to track kernel development. Torvalds, on the other hand, is concerned about attackers reading commit messages, which could lead to more attacks against Linux systems. He has a well-known contempt for security "clowns" that seems to also factor into his reasoning:

So I just ignore the idiots, and go "fix things asap, but try not to help black hats". No games, no crap, just get the damn work done and don't make a circus out of it.

Both the security camps hate me. The full disclosure people think I try to hide things (which is true), while the embargo people think I despise their corrupt arses (which is also true).

The strange thing is that by explicitly not putting the known security implications of a patch into the commit message, Torvalds is treating security bugs differently. They are no longer "just bugs" because some of the details of the bug are being purposely omitted. That may make it difficult for "black hats"—though it would be somewhat surprising if it did—but it definitely makes it more difficult for those who are trying to keep Linux users secure. Worse yet, it makes it more difficult down the road when someone is looking at a commit (or reversion) in isolation because they may miss out on some important context.

Silent security fixes are a hallmark of proprietary software, and Torvalds's policy resembles that to some extent. It could be argued (and presumably would be by Torvalds and others) that the fixes aren't silent since they go into a public repository and that is true—as far as it goes. By deliberately omitting important information about the bug, which is not done for most or all other bugs, perhaps they aren't so much silent as they are "muted" or, sadly, "covered up". There is definitely a lot of validity to Torvalds's complaints about the security "circus", but his reaction to that circus may not be in the best interests of the kernel community either.

(Log in to post comments)

Editorial section?

Posted Jan 25, 2012 23:56 UTC (Wed) by raven667 (subscriber, #5198) [Link]

I think this is well within the best standards of journalistic integrity and is not an opinion piece by the author although the second half is reporting on the opinions of others which may have confused you.

Editorial section?

Posted Jan 26, 2012 0:09 UTC (Thu) by nevets (subscriber, #11875) [Link]

Maybe it's because I've had too many "beer conversations" with Jake, that I read into what he writes a bit too much ;-)

Seriously though, I didn't look at the author of the article as I read it. As I was more than half way down, I was thinking "hmm, this has the sound of Jake's opinions", and then I scrolled back up, and sure enough it was him.

Editorial section?

Posted Jan 26, 2012 0:13 UTC (Thu) by PaXTeam (subscriber, #24616) [Link]

i find it perfectly reasonable to describe a coverup of this magnitude and importance as 'sad' (i'm pretty sure i have used much stronger words in the past myself ;). but perhaps you can show a counter example where this kind of behaviour is not sad but a good thing? and if you think that this coverup (which somewhat ironically has already become a much bigger circus than what he so despises) is in the best interest of the kernel community, and let's not forget the users, then i'd like to hear your justification for it, as in, what do you/they gain by this (certainly no praise as i'm sure you're aware of the past flamewars ;).

Editorial section?

Posted Jan 26, 2012 0:42 UTC (Thu) by nevets (subscriber, #11875) [Link]

I guess the question is, was it really a cover up? As I read what Linus wrote in the commit log, where he mentions both "/proc/<pid>/mem" and "doesn't match the permission checking" as well as "if you hold the file descriptor open over an execve(), you'll continue to read from the _old_ VM", that to me reads security vulnerability all over it.

He mentioned this as a bug fix, not a security fix. Does he really need to specify "this fixes a privilege escalation vulnerability"? Some say yes, some say no, but both choices are *opinions*!

Actually, what was left out of the article is more damning to Torvalds than what was in the article. I just read the full commit log, and if anything, this part I would consider the most incriminating against him:

"If somebody actually finds a load where this matters, we'll need to revert this commit"

One would not want to revert a commit that is a security fix. And even Linus stated that once.

I'm friends with Jake, and have had many a beer with him discussing lots of topics. As I read this article, I could hear his opinion slipping into what he wrote. Maybe, it's just me. Jake's a good guy, but he also human (that's a strike against us all). I was just stating that this article seemed to have a little more opinion in it than in other articles.

Still, I find Jake's writing superb.

Editorial section?

Posted Jan 26, 2012 1:12 UTC (Thu) by PaXTeam (subscriber, #24616) [Link]

> I guess the question is, was it really a cover up?

that's easy to answer. using your example, you're saying that it is a matter of opinion whether a security fix says 'security fix' or just 'fix'. by that logic it is also a matter of opinion whether a filesystem corruption fix simply says 'filesystem corruption fix' or 'fix'. we know from existing commits that this opinion thing favours the first kind of description for filesystem corruptions. why does the same opinion favour the second kind then for security fixes? isn't a bug a bug after all? and let's not forget that security bugs (e.g., memory corruption ones) can very well cause filesystem corruption, one would think that they would at least be described as such in the commit, but not even that happens. inquiring minds would like to know the reason for these seemingly inconsequential decisions ;).

> One would not want to revert a commit that is a security fix.

i don't think he said everything he wanted to. my guess is that he would have continued with '...and fix it another way' but that would have given away even more hints as to the severity of the situation (it would have shown that one way or another, something really truly must be done here whereas a casual 'we will revert if needed' will make the less observative reader think that 'ok, nothing really important is going on here, at most i will see a revert in the coming days').

Editorial section?

Posted Jan 26, 2012 1:26 UTC (Thu) by nevets (subscriber, #11875) [Link]

If somebody actually finds a load where this matters, we'll need to revert this commit

I'm surprised someone didn't respond to this saying:

"Hey! My rootkit no longer works. Please revert this commit."

Editorial section?

Posted Jan 26, 2012 17:30 UTC (Thu) by nix (subscriber, #2304) [Link]

You think you're joking, but I've been on one site, nameless to protect the guilty, where the sysadmins did not (for stupid political reasons) have the ability to change the password, and had long forgotten what that password was, and where auditors forbade the installation of additional privileged binaries -- so, rather than use sudo or something like that, they kept an exploit binary around to give them a root shell 'because it works as long as we don't upgrade the kernel'.

(I pointed out how stunningly unwise this was, and was told that this was the way they'd always done it and they weren't going to change.)

Editorial section?

Posted Jan 26, 2012 0:30 UTC (Thu) by jake (editor, #205) [Link]

> Jake, this article has a bit more "opinion" in it than just the facts.

I think it is not uncommon for our articles to offer an opinion, so long as it's clearly separated from the factual part. I think this is. And, no, I'm not at all comfortable with seeing information on bugs covered up. I can't really see any upside at all.

jake

Editorial section?

Posted Jan 26, 2012 0:45 UTC (Thu) by nevets (subscriber, #11875) [Link]

Yeah, I could read that you were uncomfortable with this.

We'll have to discuss it over a beer at ELC in a few weeks ;-)

Editorial section?

Posted Jan 26, 2012 16:07 UTC (Thu) by emk (guest, #1128) [Link]

I appreciate LWN's mix of facts and analysis, even on those rare occasions where I disagree with your analysis. You're usually pretty clear about which is which, and you make an effort to get the facts right.

Please keep up the good work. :-)

Editorial section?

Posted Feb 1, 2012 23:01 UTC (Wed) by liljencrantz (subscriber, #28458) [Link]

A value LWN both for it's unbiased reporting of facts and for it's well reasoned opinions, but (as you say) they must be clearly separated. Unfortuatly, while I happen to agree with your opinion i this case, I kind of feel you kind got it mixed into the facts. The two last paragraphs are clearly opinion, but I could feel the article leading up to that opinion just a few paragraphs into the «The fix and reactions» section, and it seems I'm not the only one.

Remaining completely neutral in situations where you have a strong opinion is (in my opinion) impossible, but I urge you to keep trying.

A /proc/PID/mem vulnerability

Posted Jan 26, 2012 8:53 UTC (Thu) by danielpf (subscriber, #4723) [Link]

Between Torvald's attitude to not elaborate on security bugs and the security expert attitude to fully explain the bugs rather sooner than later, an intermediate attitude should be to comment security bugs gradually in depth once the patches have been applied to a reasonable fraction of users. LWN editorials do a great contribution in this direction. Not commenting bugs prevent developers to learn on the long term, and commenting bugs too early damages Linux security reputation.

A /proc/PID/mem vulnerability

Posted Jan 31, 2012 5:45 UTC (Tue) by malor (subscriber, #2973) [Link]

and commenting bugs too early damages Linux security reputation.

A better summation would be tells the truth, and we can't have users knowing the TRUTH, because they might not use Linux.

Much, much better to lie to them, to get users to use your code.

Well, better for you, anyway.

A /proc/PID/mem vulnerability

Posted Jan 31, 2012 5:48 UTC (Tue) by malor (subscriber, #2973) [Link]

I mean, that's the Catholic Church approach to computer security -- the reputation of the ~~church~~ kernel is much, more more important than protecting ~~children~~ users.

A /proc/PID/mem vulnerability

Posted Jan 26, 2012 11:24 UTC (Thu) by PaXTeam (subscriber, #24616) [Link]

> Your article has a major error [...]

does it? let's see the timeline:

1. original bugreport: Tue, 17 Jan 2012 07:38:51 +0200
2. Linus' commit: Tue, 17 Jan 2012 23:21:19 +0000 (15:21 -0800)
3. Eugene's mail on oss-sec: Wed, 18 Jan 2012 10:25:55 +0800
4. CVE assigned by Kurt: Tue, 17 Jan 2012 19:30:33 -0700
5. Red Hat bugzilla #782681: 2012-01-18 02:09:22 EST
6. Fedora fix by Josh Boyer: Wed, 18 Jan 2012 15:08:53 +0000 (10:08 -0500)
7. Kees' mail on oss-sec: Wed, 18 Jan 2012 12:43:28 -0800
8. Kees' mail on the 'secret' vendor list: Thu, 19 Jan 2012 00:06:50 -0800

you're saying that something else happened between 2 and 3 on linux-distros? evidence wants to be seen! i'm also wondering how Eugene had gotten wind of the security related impact of the commit before anyone else did.

A /proc/PID/mem vulnerability

Posted Jan 26, 2012 14:11 UTC (Thu) by PaXTeam (subscriber, #24616) [Link]

> Well, kernels are more painful to upgrade than most other software
> (since you pretty much have to reboot).

well, there is ksplice...

> If someone is malicious and knows about what's going on in advance,
> you're stuffed whatever Linus chooses to write in the commit message.

blackhats don't work based off the fix, they work based on the original commit that *introduces* the bug, weeks/months/years before the fix happens (if it happens at all, there's always 0-day out there). and for the people who do work based off the fix, this very bug and its fix is proof that no amount of coverup helps: there're already at least 4 public and 2 private exploits out there for it that i know of. what was the point of the coverup then? it most definitely failed to achieve the goal of "try not to help black hats".

> There are a *lot* of patches going into the kernel each day: without
> a "OOH LOOK, THIS IS FOR HAXXORS" message

at this point *any* commit from Linus directly referencing a non-public message is an immediate red flag. he has achieved the exact opposite he wished for.

> [...]I find it hard to believe that staring at kernel commits is a good way to find vulnerabilities.

(un)fortunately, blackhats don't share your belief. remember http://seclists.org/fulldisclosure/2010/Sep/268 ?

A /proc/PID/mem vulnerability

Posted Jan 26, 2012 20:06 UTC (Thu) by vonbrand (subscriber, #4458) [Link]

Oh, come on. "There is a exploit out for a widely-discussed security bug" is not the same as "there is an expoit out there for each and every security bug." As long as you can't reasonably know if to publish any hint of possible security impact or just keep it quiet is the better course of action.

A /proc/PID/mem vulnerability

Posted Jan 26, 2012 22:34 UTC (Thu) by PaXTeam (subscriber, #24616) [Link]

> "There is a exploit out for a widely-discussed security bug" is not the
> same as "there is an expoit out there for each and every security bug."

strawman and also an irrelevant tautology.

> As long as you can't reasonably know if to publish any hint of possible
> security impact or just keep it quiet is the better course of action.

real life says that you can reasonably know that there's an entire industry, both visible and invisible, out there that is watching and writing exploits as soon as they can get their hands on a bug, be that at bug commit time or later (the sooner the better as the value of 0-day beats anything else).

on the other hand the best course of action for users of said buggy code to save themselves is to fix the bugs (yes, i'm stating this myself despite being deeply involved in intrusion prevention technologies). for that they need to know about them, simple as that. covering up security fixes is diametrically opposite to that goal as it makes it much harder for users to reverse engineer the information from the commits whereas said industry has the brainpower to see through these silly attempts (as i said above, commits from Linus and certain other individuals draw immediate attention these days, witness what happened to this /proc/pid/mem bug).

btw, if you think keeping quiet about security impact information is the right course of action, what do you think about companies (linux vendors included) who do exactly that?

PS: i'm glad you stopped doubting that there *is* a coverup. you've come a long a way ;).

A /proc/PID/mem vulnerability

Posted Jan 26, 2012 23:01 UTC (Thu) by PaXTeam (subscriber, #24616) [Link]

> [...]who do exactly that?

err, i obviously meant 'who do exactly the opposite' ;).

A missed point

Posted Jan 28, 2012 0:50 UTC (Sat) by neilbrown (subscriber, #359) [Link]

This is undoubtedly true.

As a general rule, many commit messages are not as informative as they could be or should be. Andrew Morton regularly rants about this. I personally find that writing a good commit message helps me find problems with the commit often enough that it is clearly worth while. It seems that others don't :-(

So commit messages don't guarantee anything, and they could certainly be better.

But that doesn't excuse removing security related information from commit messages, or deliberately leaving it out. We should always include anything useful that we know. We cannot justify leaving info out because some other commit message doesn't have that kind of info.

So sure: if people only back-port commits which say "bug fix" or "security issue" in the commit message, then they are being foolish. But it is not our place (or Linus' place) to stop people from being foolish.

It *is* our place to make the code and the code-history as easy to understand and maintain as possible.

A missed point

Posted Jan 28, 2012 0:54 UTC (Sat) by PaXTeam (subscriber, #24616) [Link]

Linus' argument isn't about being secure/insecure by selectively backporting patches per se (it's not a boolean property) but whether one's more or less secure/insecure by doing selective backporting or just flowing with his git HEAD. by covering up security fixes he effectively makes that choice for everyone, and that doesn't fly well with people who believe they know better (by virtue of not providing kernels based on his git HEAD to their users, which i believe covers about 99.99999% of all linux users).

A missed point

Posted Feb 9, 2012 11:45 UTC (Thu) by kevinm (guest, #69913) [Link]

In particular, *any* wild pointer write or use-after-free bug in any random driver should be considered a security bug.