Subject: kern/19957: systrace makes bad assumptions that break down in LWP universe
To: None <gnats-bugs@gnats.netbsd.org>
From: None <thorpej@shagadelic.org>
List: netbsd-bugs
Date: 01/20/2003 10:19:24
>Number:         19957
>Category:       kern
>Synopsis:       systrace makes bad assumptions that break down in LWP universe
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jan 20 10:20:00 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Jason R Thorpe
>Release:        NetBSD 1.6M
>Organization:
Wasabi Systems, Inc.
>Environment:
	
	
>Description:
	The systrace framework makes some bad assumptions about processes
	that no longer hold true in the LWP/SA universe.  In particular,
	it implicitly assumes the kernel has only one scheduling entity
	for the entire process (which was the case before the nathanw_sa
	branch was merged).

	An attack could theoretically make use of the syscall argument
	rewriting method to undo syscall argument filtering.

	Of greater concern, however, is the "privilege elevation" code,
	which could cause another LWP in the same process to run with
	higher privileges unintentionally while the intended LWP also
	has the elevated privileges.

>How-To-Repeat:
	
>Fix:
	One possible fix to the privilege elevation issue is to allow an
	LWP to reference an LWP-private creds structure while using PE.

	Another fix might be to suspend execution of all other LWPs while
	one is using PE.  This could have significant performance penalties,
	however.
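	An added illustration (not part of this PR and not NetBSD's systrace code) of the interleaving described above and of the per-LWP creds fix: the struct and field names (cred, proc, lwp, p_cred, l_cred, pe_set_uid) are hypothetical stand-ins, not the kernel's own, and a fixed interleaving replaces the scheduler so the outcome is deterministic.

```c
/* Added illustration, not NetBSD code: a process-wide credential used by
 * systrace privilege elevation (PE) leaks to every LWP; the per-LWP
 * credential proposed above contains it. A fixed interleaving stands in
 * for the scheduler, so the result is deterministic. */
#include <stdbool.h>
#include <stdio.h>

struct cred { unsigned uid; };
struct proc { struct cred p_cred; };  /* one copy shared by all LWPs */
struct lwp {
    struct proc *l_proc;
    struct cred l_cred;               /* hypothetical private copy */
    bool l_private;                   /* use l_cred instead of p_cred */
};

/* The credential this LWP is running with right now. */
static const struct cred *lwp_cred(const struct lwp *l)
{
    return l->l_private ? &l->l_cred : &l->l_proc->p_cred;
}

/* PE entry/exit: with process-wide creds this rewrites p_cred and so
 * changes what every other LWP in the process runs as. */
static void pe_set_uid(struct lwp *l, unsigned uid)
{
    if (l->l_private) l->l_cred.uid = uid;
    else l->l_proc->p_cred.uid = uid;
}

/* Interleaving: A enters PE, B gets scheduled and makes an unrelated
 * syscall, A leaves PE. Returns the uid B ran with in the middle. */
unsigned bystander_uid_during_pe(bool per_lwp_creds)
{
    struct proc p = { .p_cred = { 1000 } };
    struct lwp a = { &p, { 1000 }, per_lwp_creds };
    struct lwp b = { &p, { 1000 }, per_lwp_creds };
    pe_set_uid(&a, 0);                    /* A: filtered syscall as root */
    unsigned seen = lwp_cred(&b)->uid;    /* B: observes current creds */
    pe_set_uid(&a, 1000);                 /* A: PE ends */
    return seen;
}

int main(void)
{
    printf("shared proc cred: B ran as uid %u during PE\n",
           bystander_uid_during_pe(false));         /* 0 (leaked) */
    printf("per-LWP cred:     B ran as uid %u during PE\n",
           bystander_uid_during_pe(true));          /* 1000 (contained) */
    return 0;
}
```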
>Release-Note:
>Audit-Trail:
>Unformatted: