Date: Mon, 1 Apr 2019 10:38:21 -0700
From: Eric Biggers
To: Johannes Thumshirn
Cc: Linux Kernel Mailinglist, Linux FSDEVEL Mailinglist
Subject: Re: [PATCH] fs/open: Fix most outstanding security bugs
Message-ID: <20190401173820.GE131675@gmail.com>
References: <20190401090113.22946-1-jthumshirn@suse.de>
In-Reply-To: <20190401090113.22946-1-jthumshirn@suse.de>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Apr 01, 2019 at 11:01:13AM +0200, Johannes Thumshirn wrote:
> Over the last 20 years, the Linux kernel has accumulated hundreds if not
> thousands of security vulnerabilities.
>
> One common pattern in most of these security related reports is processes
> called "syzkaller", "trinity" or "syz-executor" opening files and then
> abuse kernel interfaces causing kernel crashes or even worse threats using
> memory overwrites or by exploiting race conditions.
>
> Hunting down these bugs has become time consuming and very expensive, so
> I've decided to put an end to it.
>
> If one of the above mentioned processes tries opening a file, return -EPERM
> indicating this process does not have the permission to open files on Linux
> anymore.
>
> Signed-off-by: Johannes Thumshirn
> --- > fs/open.c | 14 ++++++++++++++ > 1 file changed, 14 insertions(+) > > diff --git a/fs/open.c b/fs/open.c > index f1c2f855fd43..3a3b460beccd 100644 > --- a/fs/open.c > +++ b/fs/open.c 
> @@ -1056,6 +1056,20 @@ long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode) > struct open_flags op; > int fd = build_open_flags(flags, mode, &op); > struct filename *tmp; > + char comm[TASK_COMM_LEN]; > + int i; > + static const char * const list[] = { > + "syzkaller", > + "syz-executor," > + "trinity", > + NULL > + }; > + > + get_task_comm(comm, current); > + > + for (i = 0; i < ARRAY_SIZE(list); i++) > + if (!strncmp(comm, list[i], strlen(list[i]))) > + return -EPERM; > > if (fd) > return fd; > -- > 2.16.4 > I like that this can't be circumvented by changing the process name, because it dereferences a NULL pointer when it gets to the end of the list. However, I'm a bit uneasy with updating just this syscall. I suggest we go farther and just do: diff --git a/init/main.c b/init/main.c index 598e278b46f7..24f4422cb3c9 100644 --- a/init/main.c +++ b/init/main.c @@ -547,6 +547,8 @@ asmlinkage __visible void __init start_kernel(void) char *command_line; char *after_dashes; + return; + set_task_stack_end_magic(&init_task); smp_setup_processor_id(); debug_objects_early_init(); Please also make sure to add a Reported-by line for each one of the 475 open syzbot bug reports, so they get properly closed. Thanks! - Eric
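Review bot: In the list[] initializer of the fs/open.c hunk, the comma in "syz-executor," is inside the string literal, so that entry and "trinity" are concatenated into the single string "syz-executor,trinity" and neither name is ever matched; the comma belongs after the closing quote. The loop bound ARRAY_SIZE(list) also counts the NULL terminator, so strlen(list[i]) is called on NULL for every task whose comm matches no earlier entry; either drop the NULL and keep ARRAY_SIZE(), or loop with for (i = 0; list[i]; i++). Independently of both, comm is a name the task sets for itself, so comparing it is not a permission check and -EPERM here does not reflect any credential.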
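Review bot: The unconditional return; added at the top of start_kernel() in the init/main.c hunk makes every following statement unreachable, beginning with set_task_stack_end_magic(&init_task), smp_setup_processor_id() and debug_objects_early_init(), and leaves command_line and after_dashes unused. The change also arrives without a changelog or Signed-off-by; if skipping initialization is intended it needs a stated rationale and a narrower condition than returning before the first init call.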