RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 14:47:44 +00:00
Code Issues Activity Actions

ProcFS: Fix /proc/PID/* hardening bypass

Browse source 
This enabled trivial ASLR bypass for non-dumpable programs by simply
opening /proc/PID/vm before exec'ing.

We now hold the target process's ptrace lock across the refresh/write
operations, and deny access if the process is non-dumpable. The lock
is necessary to prevent a TOCTOU race on Process::is_dumpable() while
the target is exec'ing.

Fixes #5270.
This commit is contained in:
Andreas Kling 2021-02-19 09:41:35 +01:00
parent 7142562310
commit 37d8faf1b4
2 changed files with 40 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Kernel/FileSystem/ProcFS.h
View file

@ -114,6 +114,8 @@ private:
KResult refresh_data(FileDescription&) const;
RefPtr<Process> process() const;
ProcFS& fs() { return static_cast<ProcFS&>(Inode::fs()); }
const ProcFS& fs() const { return static_cast<const ProcFS&>(Inode::fs()); }
ProcFSInode(ProcFS&, InodeIndex);