Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability

Dan Yefimov wrote:

> > An unprivileged local user may send arbitrary signal to a child process
> > despite security restrictions.

> I'm not sure this is a real security issue. If some process has the same
> effective UID as the given one, the former can always send any signal to the
> latter. Thus the behaviour you described is IMHO normal.

AIUI, the issue is that the unprivileged process gets to choose the signal.

> If setuid program just
> trusts the environment in that it doesn't properly handle or block signals
> whose default action is terminating the process and doesn't perform it's
> actions in a fail-safe manner, it is certainly broken. Setuid program must
> always be careful in signal handling and data processing.

Ordinarily, a process can assume that certain signals (those which can only be generated by kill()) can only be received as a result of an action by a sufficiently privileged process.

Also, other signals which could be triggered by the predecessor (e.g. SIGALRM triggered due to alarm() followed by exec()) can normally be prevented by specific means (e.g. resetting any outstanding timers). This bug means that such steps are insufficient.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

A consequence of this bug is that no signal can be trusted.

Also, if it's possible to set the signal to one which cannot be blocked (SIGKILL, SIGSTOP), there's not much that the callee can do about it.

> From another hand,
> PDEATHSIG should be always reset on exec() like signal handlers are (I'm not
> sure though if that is directly specified by any standard). Please correct me
> if I'm wrong.

prctl() isn't specified by any standard; it's Linux-specific.

That's a significant part of the problem: code which isn't specifically written for Linux isn't going to take steps to mitigate this issue (e.g. reset the parent death signal).

But the suggestion that this should be reset on exec() (at least for a suid/sgid binary) is sound, IMHO.

Moreover, I would suggest that exec()ing a suid/sgid binary should reset *everything* which is not explicitly specified as being preserved.

-- 
Glynn Clements