oss-sec mailing list archives
overly broad IPC details sharing on Linux Kernel?
From: Marcus Meissner <meissner () suse de>
Date: Mon, 18 Dec 2017 16:27:02 +0100
Hi, spotted by one of our customers... shmctl(id, IPC_STAT, &buf) returns the STAT information _only_ if the calling user has read-access to the "id" shared memory segment. However, the proc entries in /proc/sysvipc/shm return the entries for all users shared memory segments, even if there is no read permission. There is a bit of information leakage in the access times, but I currently do not see any direct exploitability. Regardless ... should the /proc/sysvipc/* files be restricted? Ciao, Marcus
Current thread:
- overly broad IPC details sharing on Linux Kernel? Marcus Meissner (Dec 18)