marylinh / seccompsandbox

Automatically exported from code.google.com/p/seccompsandbox
BSD 3-Clause "New" or "Revised" License

Vulnerability in process_sigaction() #6

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Following on from http://codereview.chromium.org/3380018/show and
http://codereview.chromium.org/3414016/show, for the sake of
completeness, I am filing a bug on this.

There is a vulnerability in process_sigaction() in sigaction.cc, which
does the following:

  SecureMem::sendSystemCall(threadFdPub, false, -1, mem, sigaction_req.sysnum,
                            sigaction_req.signum, sigaction_req.action,
                            sigaction_req.old_action,
                            sigaction_req.sigsetsize);

It receives the syscall number sigaction_req.sysnum in a message, but
it passes it on to the trusted thread for execution without checking it.

This means an attacker can execute any syscall with 4 arguments.  The
only constraint is that the first argument cannot be 11.

Original issue reported on code.google.com by mseaborn@chromium.org on 27 Sep 2010 at 1:41
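To make the pattern the report describes concrete, here is an added C model (example code, not code from seccompsandbox) that puts a dispatcher forwarding the message's syscall number unchecked beside one that pins it to the syscall the handler exists for. The `sigaction_req` struct (field names follow the report), the `send_system_call()` stub standing in for `SecureMem::sendSystemCall()`, the `trusted_call` recorder, and the plain compare against signal 11 are all assumptions made for this example; `__NR_rt_sigaction` comes from `<sys/syscall.h>` on Linux, with an x86_64 fallback value otherwise.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif
#ifndef __NR_rt_sigaction
#define __NR_rt_sigaction 13   /* x86_64 value; fallback when the header is unavailable (assumption) */
#endif

#define BLOCKED_SIGNUM 11      /* the report says signum 11 is already rejected; modelled as a compare */

/* Untrusted request as it arrives from the sandboxed thread (modelled struct). */
struct sigaction_req {
    int sysnum;                /* attacker-controlled in the vulnerable version */
    int signum;
    const void *action;
    const void *old_action;
    size_t sigsetsize;
};

/* Stand-in for the trusted thread: records the last syscall it was asked to run. */
struct trusted_call {
    int executed;
    long sysnum;
    long args[4];
};
static struct trusted_call g_last;

void reset_trusted_thread(void) {
    g_last.executed = 0;
    g_last.sysnum = -1;
}

/* -1 when the trusted thread was never asked to run anything since the last reset. */
long last_forwarded_sysnum(void) {
    return g_last.executed ? g_last.sysnum : -1;
}

/* Models SecureMem::sendSystemCall(): whatever syscall number reaches here gets executed. */
static void send_system_call(long sysnum, long a1, long a2, long a3, long a4) {
    g_last.executed = 1;
    g_last.sysnum = sysnum;
    g_last.args[0] = a1; g_last.args[1] = a2;
    g_last.args[2] = a3; g_last.args[3] = a4;
}

/* Vulnerable dispatcher: sysnum is copied straight from the message, so any
 * four-argument syscall can be run on the trusted thread. Returns 0 if forwarded. */
int process_sigaction_vulnerable(const struct sigaction_req *req) {
    if (req->signum == BLOCKED_SIGNUM)
        return -1;
    send_system_call(req->sysnum, req->signum,
                     (long)(uintptr_t)req->action,
                     (long)(uintptr_t)req->old_action,
                     (long)req->sigsetsize);
    return 0;
}

/* Hardened dispatcher: this handler only ever exists to forward rt_sigaction,
 * so the number is pinned before anything reaches the trusted thread. */
int process_sigaction_hardened(const struct sigaction_req *req) {
    if (req->sysnum != __NR_rt_sigaction)
        return -1;
    if (req->signum == BLOCKED_SIGNUM)
        return -1;
    send_system_call(__NR_rt_sigaction, req->signum,
                     (long)(uintptr_t)req->action,
                     (long)(uintptr_t)req->old_action,
                     (long)req->sigsetsize);
    return 0;
}

int main(void) {
    /* Constructed forged message: a syscall number that is not rt_sigaction. */
    struct sigaction_req forged = { __NR_rt_sigaction + 1, 2, NULL, NULL, 8 };

    reset_trusted_thread();
    int rc = process_sigaction_vulnerable(&forged);
    printf("vulnerable: rc=%d, trusted thread ran syscall %ld\n", rc, last_forwarded_sysnum());

    reset_trusted_thread();
    rc = process_sigaction_hardened(&forged);
    printf("hardened:   rc=%d, trusted thread ran syscall %ld\n", rc, last_forwarded_sysnum());
    return 0;
}
```

The check belongs in the untrusted-side dispatcher rather than in the trusted thread: the trusted thread is designed to run whatever it is handed, so every message type that carries a syscall number needs its own pin to the one number it is allowed to forward.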

GoogleCodeExporter commented 9 years ago
Fixed in r125.

Original comment by mseaborn@chromium.org on 11 Nov 2010 at 4:00