<html>
<head>
<base href="https://bugs.freedesktop.org/" />
</head>
<body><span class="vcard"><a class="email" href="mailto:mark@klomp.org" title="Mark Wielaard <mark@klomp.org>"> <span class="fn">Mark Wielaard</span></a>
</span> changed
<a class="bz_bug_link
bz_status_NEW "
title="NEW - systemd-coredump can run elfutils as root"
href="https://bugs.freedesktop.org/show_bug.cgi?id=87354">bug 87354</a>
<br>
<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>What</th>
<th>Removed</th>
<th>Added</th>
</tr>
<tr>
<td style="text-align:right;">CC</td>
<td>
</td>
<td>mark@klomp.org
</td>
</tr></table>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - systemd-coredump can run elfutils as root"
href="https://bugs.freedesktop.org/show_bug.cgi?id=87354#c4">Comment # 4</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - systemd-coredump can run elfutils as root"
href="https://bugs.freedesktop.org/show_bug.cgi?id=87354">bug 87354</a>
from <span class="vcard"><a class="email" href="mailto:mark@klomp.org" title="Mark Wielaard <mark@klomp.org>"> <span class="fn">Mark Wielaard</span></a>
</span></b>
<pre>I have been thinking a bit about this since some friendly fuzzers helped find
some issues in elfutils. See
<a href="https://bugzilla.redhat.com/show_bug.cgi?id=1170810">https://bugzilla.redhat.com/show_bug.cgi?id=1170810</a>
The first thing to do if you are worried about this issue should be upgrading
to elfutils 0.161 which contains lots of hardening patches. See
<a href="https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-December/004481.html">https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-December/004481.html</a>
I think <a href="show_bug.cgi?id=87354#c3">comment #3</a> is mostly correct. The core dump/stacktrace is generated
with the uid of the crashing process. Given that someone could make the process
crash in the first place they could probably do much worse. Trying to then take
advantage of the fact that other code then runs with the same uid seems to be a
lot more work than trying to take advantage of the original way to crash the
process in other ways.
An attack that takes advantage of the fact that a core dumper is running does
need to somehow also trick the core file generated to contain an issue that
triggers a bug in core parsing code. That probably requires a bug in the kernel
code that generates the core data. The core dumper, through elfutils, also
accesses other files, either directly because they were executable files mapped
in the process or indirectly because those files contain build-ids that refer
to separate debuginfo files. Those files will be parsed if addresses on the
call stack refer to the mapped-in executable files.
So an attack would require making the process crash, and either triggering a
bug in the kernel that generates core data that is not parsed correctly or
manipulating the (call) stack to contain a reference to mapped in executable
ELF data and/or a build-id reference to a debuginfo file that is under control
of the attacker to trigger an ELF/DWARF parsing bug.
It seems somewhat unlikely that the above is true and the attacker can crash
the process, but not manipulate the process more directly. But it still
couldn't hurt to drop even more privileges while processing the core data and
generating the backtrace. As long as the original ELF files and debuginfo data
files can be accessed.</pre>
</div>
</p>
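The privilege drop suggested at the end of the comment, as an added example that is not part of the bug report, of systemd-coredump or of elfutils: drop irreversibly to the crashing process's uid/gid (assumed to be supplied by the caller) before any core/ELF/DWARF parsing runs, then confirm that the inputs the parser still needs (core file, mapped executables, build-id debuginfo) remain readable at the lower privilege level.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Irreversibly drop to the crashing process's uid/gid before parsing anything.
 * A root target is refused: "dropping" to uid 0 or gid 0 drops nothing. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    /* Supplementary groups first; only a privileged caller may clear them. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* gid before uid: once the uid is unprivileged, setgid() would fail. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is permanent: regaining root must now fail. */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Count the parser inputs (core file, mapped executables, debuginfo files)
 * that are not readable at the current privilege level. */
int count_unreadable(const char *const paths[], int n)
{
    int missing = 0;
    for (int i = 0; i < n; i++)
        if (access(paths[i], R_OK) != 0)
            missing++;
    return missing;
}

int main(void)
{
    /* Constructed sample inputs; in practice the uid/gid and paths come from
     * the crashing process and its mapped files. */
    const char *const inputs[] = { "/dev/null", "/nonexistent/debuginfo.debug" };
    if (drop_privileges(getuid(), getgid()) != 0)
        perror("drop_privileges");
    printf("%d unreadable input(s)\n", count_unreadable(inputs, 2));
    return 0;
}
```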
</body>
</html>