Process ids again

Posted Jun 7, 2025 19:37 UTC (Sat) by snajpa (subscriber, #73467)
In reply to: Process ids again by donald.buczek
Parent article: Slowing the flow of core-dump-related CVEs

I think if you keep adding more context from /proc/<pid>, you should arrive at sufficiently reliable input for some good enough hash function. Start time of the process can't be changed by the process itself AFAIK. Just that along with the pid could do the trick, IMHO. Save the hash when the task is started, maybe assert that it hasnt changed while doing a dev build shutdown... cca what I would do

Process ids again

Posted Jun 9, 2025 12:14 UTC (Mon) by bluca (subscriber, #118303) [Link] (4 responses)

> Start time of the process can't be changed by the process itself AFAIK. Just that along with the pid could do the trick, IMHO.

It very much doesn't, so-much-so that relying on that combination for uniqueness caused several CVEs in the past. The start time is not granular enough, and attackers are able to cause a PID + start time clash at their leisure. This is why PIDFDs exist, and we use them when we need to uniquely identify processes for any security-relevant reason (and also more and more non-security-relevant too)

Process ids again

Posted Jun 9, 2025 20:10 UTC (Mon) by snajpa (subscriber, #73467) [Link] (3 responses)

Are you able to link simply just a single CVE that proves it isn't sufficient in the real practical world? You know, hash algos are bound to have collisions too, yet we use them. Taking an argument to an extreme isn't helpful.

Besides, how are you going to use pidfds in this specific case you are replying to? Much confidence in your reply, let's see if you can back that confidence up with something.

Process ids again

Posted Jun 9, 2025 20:26 UTC (Mon) by bluca (subscriber, #118303) [Link] (2 responses)

You can start from CVE-2019-6133 and continue from there.

The combination of pidfd inode id plus boot uuid can uniquely identify a process across machines/reboots/everything, so it is suitable for that use case.

Process ids again

Posted Jun 10, 2025 16:11 UTC (Tue) by snajpa (subscriber, #73467) [Link] (1 responses)

I'm gonna solve this by muting you, as your whole reaction is just to prove... you can't read or fit into context of what you're replying to, I can only feel your need to be right every single time we interact here. Context be damned, right...

Process ids again

Posted Jun 10, 2025 16:13 UTC (Tue) by bluca (subscriber, #118303) [Link]

Suit yourself. You asked for a CVE, it's been provided. You asked for a solution for a problem, it's been provided. If you can't handle receiving answers, maybe stop asking questions?