Thanks so much for the response!

For what it's worth, I checked my code again for the correct path; what
I meant was /proc/self/exe, which links to the binary of the currently
running process, as far as I understand it.

I'm not sure it's easily possible to write a test program, because the
open() wrapper by the libc on the /proc/self/exe symlink would need to
be intercepted at just the right time in case /proc/self/exe is actually
vulnerable. The breakpoint wouldn't be in the regular user code, might
even be kernel code I guess, depending on where the race condition is
located if it exists. (For FreeBSD a developer told me it supposedly
exists for /proc/curproc/file which is apparently the equivalent,
although that was about two years ago so I don't know if that has
changed since.)

The wrong approach via readlink() on /proc/self/exe and then libc open()
on the resulting path should be easy to intercept and break, but that
doesn't really say much about the question at hand. I guess it should be
relatively obvious that this readlink approach isn't a good idea, even
if it is commonly used.

Regards,
ellie
On 12/12/23 3:17 PM, Alejandro Colomar wrote:
> Dear ellie, Petr,
>
> On Tue, Dec 12, 2023 at 09:47:58AM +0100, ellie wrote:
> > Dear Alejandro Colomar,
> >
> > I hope I'm emailing this to the correct place, I found this contact
> > information on https://man7.org/mtk/contact.html regarding man page
> > feedback:
>
> Yep, this is the correct place.
>
> Petr, Michael retired from maintaining the project a couple of years
> ago. As Michael says in <https://www.man7.org/mtk/contact.html>,
> reports about the Linux man-pages should be reported to this mailing
> list, following the ./CONTRIBUTING file
> <https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/tree/CONTRIBUTING>.
>
> > I'm suggesting that the "man 5 proc" page is expanded with a section
>
> I've recently split the proc(5) page into many small pages, one for
> each file or directory. You may want to check the current manual pages.
> You can do that by reading directly from the repository, or by reading
> the PDF book (thanks to Deri James, from gropdf(1), for contributing the
> scripts to produce the book).
>
> To check the book as of the latest commit in git HEAD, you can check
> <https://www.alejandro-colomar.es/share/dist/man-pages/git/HEAD/man-pages-HEAD.pdf>
>
> You will probably want to check proc_self(5) --which is a link page; the
> text is actually in proc_pid(5)--. proc(5) still contains some small
> mention of /proc/self, so you'll want to check that too.
>
> > clarifying /proc/[pid]/self
>
> You probably mean /proc/self/, or /proc/[pid]/.
>
> > race conditions, I described details and even
> > made a text suggestion here:
> > https://bugzilla.suse.com/show_bug.cgi?id=1216352
>
> After seeing the suggestion, you'll want to check proc_pid_exe(5):
> <https://www.alejandro-colomar.es/share/dist/man-pages/git/HEAD/man-pages-HEAD.pdf#proc_pid_exe.5>
>
> You could add a CAVEATS section in that page. Please write also a test
> program that reproduces the race condition, and another one which
> demonstrates how your solution doesn't. Those test programs will be
> useful to include in the commit message.
>
> > (The text suggestion might be wrong, however, since I don't actually know
> > what the exact technical state of this is.)
>
> It looks good. With a small example program that demonstrates it,
> you'll be able to answer your doubts. ;-)
>
> Have a lovely day!
> Alex
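Added example (not from ellie, Alejandro, or the man-pages project): a Linux-only C program that deterministically shows the readlink-then-open pattern discussed above being fooled, while a direct open() of /proc/self/exe is not, because the kernel follows that link to the running image's inode at open time rather than re-resolving a path string. The attacker step is simulated in-process between the victim's readlink() and open(), so no timing is involved; this is the "easy to intercept and break" case from the thread, and it says nothing about a race inside the kernel's own handling of the open on /proc/self/exe, which is the open question. The copy-and-re-exec trick, the temporary directory under /tmp, and the PROC_EXE_DEMO_CHILD environment variable are choices made for this example.

```c
/* Added example, not code from the thread or the man-pages project.
 * Linux only: relies on /proc/self/exe being a magic link to the exe inode.
 * Demonstrates: readlink("/proc/self/exe") + open(path) can be fooled by a
 * swap between the two calls; open("/proc/self/exe") still reaches the real
 * image. The attacker step is simulated in-process so the window is hit
 * every time. Names below (env var, temp paths) are assumptions of this demo. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define CHILD_ENV "PROC_EXE_DEMO_CHILD"   /* assumption: marks the re-exec'd copy */

/* Copy the running image to dst (mode 0700) so the child has a path we may rename. */
static int copy_self(const char *dst)
{
    int in = open("/proc/self/exe", O_RDONLY);
    if (in < 0) return -1;
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0700);
    if (out < 0) { close(in); return -1; }
    char buf[65536];
    ssize_t n, rc = 0;
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) { rc = -1; break; }
    if (n < 0) rc = -1;
    close(in);
    close(out);
    return (int)rc;
}

/* Runs inside the copied binary. Returns 0 when the race is demonstrated:
 * the stale path opens a planted file, while /proc/self/exe still opens the
 * real (renamed) image. Any other outcome returns 1. */
static int child_demo(void)
{
    char stale[PATH_MAX], moved[PATH_MAX + 8];
    struct stat real, via_path, via_magic;

    /* Step 1 (victim): turn the magic link into a path string. */
    ssize_t n = readlink("/proc/self/exe", stale, sizeof stale - 1);
    if (n < 0) return 1;
    stale[n] = '\0';

    /* Step 2 (attacker, simulated): between readlink and open, move the
     * running binary aside and plant another file at the stale path.
     * Renaming an executing file is permitted; only writing to it is not. */
    snprintf(moved, sizeof moved, "%s.moved", stale);
    if (rename(stale, moved) < 0) return 1;
    int fd = open(stale, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0 || write(fd, "planted", 7) != 7) return 1;
    close(fd);

    /* Step 3 (victim): open by the stale path, and via the magic link. */
    int by_path = open(stale, O_RDONLY);
    int by_magic = open("/proc/self/exe", O_RDONLY);
    if (by_path < 0 || by_magic < 0) return 1;
    if (fstat(by_path, &via_path) || fstat(by_magic, &via_magic) || stat(moved, &real))
        return 1;

    int path_was_fooled = via_path.st_ino != real.st_ino && via_path.st_size == 7;
    int magic_was_right = via_magic.st_ino == real.st_ino && via_magic.st_dev == real.st_dev;
    return (path_was_fooled && magic_was_right) ? 0 : 1;
}

/* Entry point for both roles. Returns 1 if the race was demonstrated,
 * 0 if the child reported it was not, -1 on setup error. */
int run_demo(void)
{
    if (getenv(CHILD_ENV))
        _exit(child_demo());               /* we are the re-exec'd copy */

    char dir[] = "/tmp/procexe-demo.XXXXXX"; /* assumption: /tmp is writable and exec-able */
    if (!mkdtemp(dir)) return -1;
    char victim[PATH_MAX], moved[PATH_MAX + 8];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(moved, sizeof moved, "%s.moved", victim);
    if (copy_self(victim) < 0) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { victim, NULL };
        char *envp[] = { CHILD_ENV "=1", NULL };
        execve(victim, argv, envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    unlink(victim); unlink(moved); rmdir(dir);
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    int r = run_demo();
    if (r == 1) puts("race demonstrated: stale path opened the planted file; /proc/self/exe did not");
    else if (r == 0) puts("race not demonstrated");
    else perror("setup failed");
    return r == 1 ? 0 : 1;
}
```

The comparison is done on (st_dev, st_ino) rather than on path strings, because after the rename the path reported by readlink("/proc/self/exe") changes to the new name while the inode of the running image does not; that is exactly the property a program loses when it snapshots the link into a string.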