
Re: [link@miggy.org: Re: [patch 2/8] personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)]

From:  Linus Torvalds <torvalds-AT-linux-foundation.org>
To:  Athanasius <link-AT-miggy.org>
Subject:  Re: [link-AT-miggy.org: Re: [patch 2/8] personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)]
Date:  Sun, 19 Jul 2009 12:27:05 -0700 (PDT)
Message-ID:  <alpine.LFD.2.01.0907191219230.13838@localhost.localdomain>
Cc:  Julien TINNES <jt-AT-cr0.org>, linux-kernel <linux-kernel-AT-vger.kernel.org>, Greg KH <gregkh-AT-suse.de>, Tavis Ormandy <taviso-AT-sdf.lonestar.org>, Christoph Hellwig <hch-AT-infradead.org>, Kees Cook <kees-AT-ubuntu.com>, Eugene Teo <eugene-AT-redhat.com>


On Sun, 19 Jul 2009, Athanasius wrote:
> 
>   And it's that "as long as we ..." that still bothers me.  I've *never*
> had any need for any use of this personality feature and this net/tun.c
> exploit has proven there can be security gotchas with it.

I do agree. Some of those features may not be worth the cost.

That said, this particular feature made sense at the time it was 
implemented. Some people really _did_ care about running SVR4 binaries on 
Linux. There was a time when it was seen as a feature, and important 
enough to work with. So that "map a zero page at NULL" was an important 
thing that we wanted such binaries to be able to depend on.

These days? We could probably get rid of that idiotic feature. It's simply 
not important enough any more. Does anybody really care? At the same time, 
over years we've grown _other_ personality flags, and some of them are 
still relevant.

Some binaries are unhappy with address space randomizations. Sometimes 
it's because of outright bugs (that just were hidden by non-randomized VM 
layout) - but that doesn't really help, does it? If you depend on that 
binary, as a user you want the ability to say "run this binary in a mode 
where it works".

Other binaries are unhappy with address space randomization because they 
need to get the absolute maximum contiguous VM space for some big array. 
Ok, so that's less of an issue in 64-bit mode, but there really are 
programs out there that link everything statically and want to run at a 
low virtual address so that they can get 2.5GB of virtual memory for one 
single big allocation. I've written crap like that myself. I'm not _proud_ 
of it, but I could easily see that programs like that could be unhappy if 
the system wiggles mmap's around for security issues.

So I do agree that we can probably get rid of some really dated 
personality bits. But I don't think we can really get rid of the concept. 
Because compatibility is always of paramount importance.

		Linus
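
An added example, not code from this mail or from the kernel patch under discussion, showing the mechanism the thread is about: a process can opt the binary it is going to run out of address-space randomization with personality(2) (the ADDR_NO_RANDOMIZE flag, which is what setarch -R sets), and a setuid/setgid exec has to strip such inherited bits again, which is the PER_CLEAR_ON_SETID mask that CVE-2009-1895 concerns. Assumptions: the PER_CLEAR_ON_SETID value is kernel-internal and not exported to userspace, so it is reproduced by hand here from the upstream fix (the pre-fix mask is kept alongside for comparison); the PERSONA_CHILD_FD environment variable and the child/parent protocol are this example's own; Linux only.

```c
/* Added example: personality(2) opt-out of ASLR and what a setuid exec strips.
 * PER_CLEAR_ON_SETID is copied from the kernel's include/linux/personality.h
 * as of the CVE-2009-1895 fix (assumption: not taken from the mail). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/personality.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef PER_CLEAR_ON_SETID
#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE | \
                            ADDR_COMPAT_LAYOUT | MMAP_PAGE_ZERO)
#endif
/* Pre-fix mask: MMAP_PAGE_ZERO and ADDR_COMPAT_LAYOUT survived a setuid exec. */
#define PER_CLEAR_ON_SETID_PRE_FIX (READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE)

/* Persona word (PER_* base plus flag bits) left after a setuid/setgid exec
 * that strips clear_mask. Pure function. */
unsigned long persona_after_setid_exec(unsigned long persona, unsigned long clear_mask)
{
    return persona & ~clear_mask;
}

/* Current persona of this process, or ~0UL on failure. 0xffffffff is the
 * documented query form and changes nothing. */
unsigned long current_persona(void)
{
    int r = personality(0xffffffff);
    return r == -1 ? ~0UL : (unsigned long)r;
}

/* Request ADDR_NO_RANDOMIZE; the flag is inherited across exec. Returns 0 or
 * an errno. Seccomp policies that whitelist only a few persona values
 * (Docker's default profile does) reject this with EPERM. */
int request_no_randomize(void)
{
    unsigned long cur = current_persona();
    if (cur == ~0UL)
        return errno ? errno : EINVAL;
    return personality(cur | ADDR_NO_RANDOMIZE) == -1 ? errno : 0;
}

/* Re-exec this binary once, optionally under ADDR_NO_RANDOMIZE, and return
 * the stack address the child reports over a pipe. */
static int run_child(int no_randomize, unsigned long *stack_addr)
{
    int fds[2];
    if (pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        char fdbuf[16];
        close(fds[0]);
        if (no_randomize && request_no_randomize() != 0)
            _exit(2);
        snprintf(fdbuf, sizeof fdbuf, "%d", fds[1]);
        setenv("PERSONA_CHILD_FD", fdbuf, 1); /* pipe fd stays open across exec */
        execl("/proc/self/exe", "persona-child", (char *)NULL);
        _exit(3);
    }
    close(fds[1]);
    unsigned long addr = 0;
    ssize_t n = read(fds[0], &addr, sizeof addr);
    close(fds[0]);
    int status;
    waitpid(pid, &status, 0);
    if (n != (ssize_t)sizeof addr || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    *stack_addr = addr;
    return 0;
}

int main(void)
{
    const char *fdenv = getenv("PERSONA_CHILD_FD");
    if (fdenv) { /* child: report where our stack landed */
        volatile char marker = 0;
        unsigned long addr = (unsigned long)&marker;
        return write(atoi(fdenv), &addr, sizeof addr) == (ssize_t)sizeof addr ? 0 : 1;
    }
    unsigned long rnd[2], fixed[2];
    for (int i = 0; i < 2; i++)
        if (run_child(0, &rnd[i]) != 0) { perror("child"); return 1; }
    /* Identical addresses here mean randomize_va_space is already 0 system-wide. */
    printf("default persona:   %#lx %#lx (%s)\n", rnd[0], rnd[1],
           rnd[0] == rnd[1] ? "same" : "differ");
    for (int i = 0; i < 2; i++)
        if (run_child(1, &fixed[i]) != 0) {
            fprintf(stderr, "ADDR_NO_RANDOMIZE child failed (seccomp EPERM?)\n");
            return 1;
        }
    printf("ADDR_NO_RANDOMIZE: %#lx %#lx (%s)\n", fixed[0], fixed[1],
           fixed[0] == fixed[1] ? "same" : "differ");
    /* What a setuid target inherits from a parent that set both flags. */
    unsigned long inherited = PER_LINUX | ADDR_NO_RANDOMIZE | MMAP_PAGE_ZERO;
    printf("setuid exec keeps: pre-fix mask %#lx, fixed mask %#lx\n",
           persona_after_setid_exec(inherited, PER_CLEAR_ON_SETID_PRE_FIX),
           persona_after_setid_exec(inherited, PER_CLEAR_ON_SETID));
    return 0;
}
```

Run it twice under each persona and compare: with the default persona the two child stack addresses differ on a system with randomize_va_space enabled, under ADDR_NO_RANDOMIZE they are identical, which is exactly the "run this binary in a mode where it works" knob. The last line shows why the mask matters: with the pre-fix mask a parent could hand MMAP_PAGE_ZERO to a setuid target, with the fixed mask nothing survives.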



Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds