Subject: CVS commit: src/sys/kern
To: None <source-changes@NetBSD.org>
From: Elad Efrat <elad@netbsd.org>
List: source-changes
Date: 11/23/2006 13:11:29
Module Name: src
Committed By: elad
Date: Thu Nov 23 13:11:29 UTC 2006
Modified Files:
src/sys/kern: kern_verifiedexec.c
Log Message:
Document flaw in veriexec_rawchk(). This is what I added to the comment:
* XXX: This is bogus. There's an obvious race condition between the time
* XXX: the disk is open for writing, in which an attacker can access a
* XXX: monitored file to get its signature cached again, and when the raw
* XXX: file is overwritten on disk.
* XXX:
* XXX: To solve this, we need something like the following:
* XXX: open raw disk:
* XXX: - raise refcount,
* XXX: - invalidate fingerprints,
* XXX: - mark all entries with "no cache" flag
* XXX:
* XXX: veriexec_verify:
* XXX: - if "no cache", don't cache evaluation result
* XXX:
* XXX: close raw disk:
* XXX: - lower refcount,
* XXX: - if refcount == 0, remove "no cache" flag from all entries
To generate a diff of this commit:
cvs rdiff -r1.69 -r1.70 src/sys/kern/kern_verifiedexec.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
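The scheme sketched in the log message (raise a refcount when the raw disk is opened for writing, invalidate cached fingerprints, mark every entry "no cache", and clear that flag only when the last writer closes) can be modelled outside the kernel. The following is an added example, not NetBSD's kern_verifiedexec.c; all names (vx_entry, rawdisk_open_write, rawdisk_close_write, verify_after_overwrite, the fingerprint values) are hypothetical, and the "disk" is a constructed array of fingerprints so the race can be replayed deterministically. It contrasts the legacy behaviour, where a result cached while the raw disk was writable survives the overwrite, with the proposed no-cache scheme, which re-evaluates and catches the change.

```c
/*
 * Added example, not NetBSD code: a userland model of the refcount +
 * "no cache" scheme proposed in the commit message above. All names
 * (vx_entry, rawdisk_open_write, ...) are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>

#define VX_NOCACHE  0x01  /* raw disk open for writing: don't cache results */
#define VX_FPVALID  0x02  /* cached evaluation result is valid */

struct vx_entry {
    const char *path;
    uint32_t    expected_fp; /* fingerprint from the signature list */
    uint32_t    flags;
    int         cached_ok;   /* last result; meaningful only with VX_FPVALID */
};

#define NENTRIES 2
static struct vx_entry table[NENTRIES];
static uint32_t disk_fp[NENTRIES];   /* constructed "on-disk" fingerprints */
static int rawdisk_writers;          /* refcount of raw-disk writers */
static int fp_evaluations;           /* how often a fingerprint was recomputed */
static int nocache_scheme;           /* 1 = proposed fix, 0 = legacy caching */

/* Reset the table and the constructed disk to a consistent starting state. */
void vx_reset(int use_nocache_scheme)
{
    static const struct vx_entry init[NENTRIES] = {
        { "/bin/ls",  0x1234, 0, 0 },   /* constructed sample entries */
        { "/bin/cat", 0xabcd, 0, 0 },
    };
    for (int i = 0; i < NENTRIES; i++) {
        table[i] = init[i];
        disk_fp[i] = init[i].expected_fp; /* disk starts matching the list */
    }
    rawdisk_writers = 0;
    fp_evaluations = 0;
    nocache_scheme = use_nocache_scheme;
}

/* Model of "open raw disk": raise refcount, invalidate fingerprints,
 * mark all entries no-cache. The legacy path only counts the opener. */
void rawdisk_open_write(void)
{
    rawdisk_writers++;
    if (!nocache_scheme) return;
    for (int i = 0; i < NENTRIES; i++) {
        table[i].flags &= ~VX_FPVALID;
        table[i].flags |= VX_NOCACHE;
    }
}

/* Model of "close raw disk": lower refcount; at zero, clear no-cache. */
void rawdisk_close_write(void)
{
    if (rawdisk_writers > 0) rawdisk_writers--;
    if (!nocache_scheme || rawdisk_writers != 0) return;
    for (int i = 0; i < NENTRIES; i++)
        table[i].flags &= ~VX_NOCACHE;
}

/* Model of veriexec_verify: return 1 if the file's fingerprint matches. */
int veriexec_verify(int idx)
{
    struct vx_entry *e = &table[idx];
    if (e->flags & VX_FPVALID)
        return e->cached_ok;             /* cached result, no disk read */
    fp_evaluations++;
    int ok = (disk_fp[idx] == e->expected_fp);
    if (!(e->flags & VX_NOCACHE)) {      /* no-cache set: evaluate every time */
        e->cached_ok = ok;
        e->flags |= VX_FPVALID;
    }
    return ok;
}

void disk_overwrite(int idx, uint32_t new_fp) { disk_fp[idx] = new_fp; }
int  fp_evaluation_count(void) { return fp_evaluations; }

/* The race from the commit message: with the raw disk open for writing,
 * a monitored file is verified (and, in the legacy scheme, cached as good)
 * before its on-disk contents change. Returns the verify result after the
 * overwrite: 1 means a stale cached result was trusted, 0 means the change
 * was caught. */
int verify_after_overwrite(int use_nocache_scheme)
{
    vx_reset(use_nocache_scheme);
    rawdisk_open_write();
    (void)veriexec_verify(0);            /* /bin/ls still intact: ok */
    disk_overwrite(0, 0xdead);           /* constructed: contents changed */
    int result = veriexec_verify(0);
    rawdisk_close_write();
    return result;
}

int main(void)
{
    printf("legacy: %d, no-cache scheme: %d\n",
           verify_after_overwrite(0), verify_after_overwrite(1));
    return 0;
}
```

The refcount matters for nested openers: while any writer still holds the raw device, the "no cache" flag stays set and every verification goes back to disk; caching resumes only after the last close, which is what the log message's "if refcount == 0" step expresses.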