References: <20190617185815.3949-1-carmeli.tamir@gmail.com>
In-Reply-To: <20190617185815.3949-1-carmeli.tamir@gmail.com>
From: Tamir Carmeli
Date: Mon, 24 Jun 2019 19:01:21 +0300
Subject: Re: [PATCH] fs/binfmt: Changed order of elf and misc to prevent privilege escalation
To: viro@zeniv.linux.org.uk, Tamir Carmeli, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
List-ID: linux-kernel@vger.kernel.org

Hi, I'd appreciate feedback on the patch. It seems we can solve a stupid "hiding" technique, more "advanced" than just marking an executable with suid, that leads to privilege escalation. Please tell me if I missed something.

On Mon, Jun 17, 2019 at 9:58 PM Carmeli Tamir wrote:
>
> The misc format handler is configured to work in many boards
> and distributions, exposing a vulnerability that enables an
> attacker with temporary root access to configure the system
> to gain hidden persistent root access. This can be easily
> demonstrated using https://github.com/toffan/binfmt_misc .
>
> According to the binfmt_misc documentation
> (https://lwn.net/Articles/679310/), the handler is used
> to execute more binary formats, e.g. execs compiled
> for different architectures. After this patch, every
> example mentioned in the documentation shall work.
>
> I tested this patch using a "positive example" - running
> an ARM executable on an x86 machine using a qemu-arm misc
> handler, and a "negative example" of running the demonstration
> by toffan I mention above. Before the patch both examples
> work, and after the patch only the positive example works,
> so the vulnerability is prevented.
>
> Signed-off-by: Carmeli Tamir
> ---
>  fs/binfmt_elf.c  | 2 +-
>  fs/binfmt_misc.c | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> index d4e11b2e04f6..3a2afe84943c 100644
> --- a/fs/binfmt_elf.c
> +++ b/fs/binfmt_elf.c
> @@ -2411,7 +2411,7 @@ static int elf_core_dump(struct coredump_params *cprm) > > static int __init init_elf_binfmt(void) > { > - register_binfmt(&elf_format); > + insert_binfmt(&elf_format); > return 0; > } > > diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c > index b8e145552ec7..f4a9e1154cae 100644 > --- a/fs/binfmt_misc.c > +++ b/fs/binfmt_misc.c > @@ -859,7 +859,7 @@ static int __init init_misc_binfmt(void) > { > int err = register_filesystem(&bm_fs_type); > if (!err) > - insert_binfmt(&misc_format); > + register_binfmt(&misc_format); > return err; > } > > -- > 2.21.0 >
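Review bot: in the init_elf_binfmt() hunk, insert_binfmt() places elf_format at the head of the formats list, ahead of every handler registered before it, not merely ahead of binfmt_misc, and nothing in the hunk or the commit message says why ELF has to be first rather than just ahead of misc. A one-line comment above `insert_binfmt(&elf_format);` stating the intended invariant (the native loader gets first refusal, so a misc rule can no longer override it for a binary the ELF loader accepts) would stop the next reader from "cleaning it up" back to register_binfmt(). The commit message should also name which documented binfmt_misc examples were actually re-run, since it claims every example "shall work" but describes only the qemu-arm and toffan cases as tested.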
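Review bot: in the init_misc_binfmt() hunk, moving misc_format to the tail with register_binfmt() only changes the outcome when a misc rule matches a file that the native ELF loader would also accept; the attacker the commit message assumes already has root and can still register a rule for any magic or extension the built-in loaders reject, so the claim that the patch prevents "hidden persistent root access" should be narrowed to the ELF-overriding technique the toffan repository demonstrates. The old insert_binfmt() was also a deliberate choice (misc took precedence for everything it matched), so a comment next to `register_binfmt(&misc_format);` or a sentence in the commit message should flag this as a behaviour change for any existing rule keyed on the ELF magic, not a cleanup.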
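As an added example that is not part of the patch or of the kernel tree, the C program below models in user space what the two hunks change: the `formats` list that search_binary_handler() walks, with register_binfmt() appending at the tail and insert_binfmt() pushing at the head (those list semantics are taken from fs/exec.c and are the one assumption made about kernel behaviour). The ELF loader, the two binfmt_misc rules (one keyed on e_machine == EM_ARM the way a qemu-user registration is, one keyed only on the ELF magic so that it also matches native binaries), and the 20-byte header prefixes are constructed for the demonstration; the interpreter names are placeholders.

```c
/* Added example, not kernel code and not part of the patch: a user-space
 * model of the kernel's binfmt handler list.  Assumed from fs/exec.c:
 * register_binfmt() appends at the tail, insert_binfmt() pushes at the head,
 * search_binary_handler() takes the first loader not answering -ENOEXEC. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define EM_ARM    40
#define EM_X86_64 62

struct binprm { unsigned char buf[20]; };   /* file prefix; e_machine sits at offset 18 */
struct binfmt {
    const char *name;
    int (*load_binary)(struct binprm *);
    struct binfmt *next;
};
static struct binfmt *formats;              /* models the kernel's `formats` list */

static void register_binfmt(struct binfmt *fmt)   /* append at tail: tried last */
{
    struct binfmt **pp = &formats;
    while (*pp)
        pp = &(*pp)->next;
    fmt->next = NULL;
    *pp = fmt;
}

static void insert_binfmt(struct binfmt *fmt)     /* push at head: tried first */
{
    fmt->next = formats;
    formats = fmt;
}

/* Native loader on an x86-64 host; the e_machine test stands in for elf_check_arch(). */
static int load_elf_binary(struct binprm *bprm)
{
    unsigned machine = bprm->buf[18] | (bprm->buf[19] << 8);
    if (memcmp(bprm->buf, "\x7f" "ELF", 4) != 0 || machine != EM_X86_64)
        return -ENOEXEC;                    /* foreign arch: let the next handler try */
    return 0;
}

/* Constructed binfmt_misc rules (offset + magic -> interpreter), checked in order. */
struct misc_rule { size_t offset, len; const char *magic, *interpreter; };
static const struct misc_rule rules[] = {
    { 18, 2, "\x28\x00",   "qemu-arm" },                     /* e_machine == EM_ARM */
    { 0,  4, "\x7f" "ELF", "attacker-chosen-interpreter" },  /* any ELF, native too */
};
static const char *misc_interpreter;        /* rule that fired, for inspection */

static int load_misc_binary(struct binprm *bprm)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (memcmp(bprm->buf + rules[i].offset, rules[i].magic, rules[i].len) == 0) {
            misc_interpreter = rules[i].interpreter;
            return 0;
        }
    return -ENOEXEC;
}
const char *last_misc_interpreter(void) { return misc_interpreter; }

static struct binfmt elf_format  = { "binfmt_elf",  load_elf_binary };
static struct binfmt misc_format = { "binfmt_misc", load_misc_binary };

static const char *search_binary_handler(struct binprm *bprm)
{
    misc_interpreter = NULL;
    for (struct binfmt *fmt = formats; fmt; fmt = fmt->next)
        if (fmt->load_binary(bprm) != -ENOEXEC)
            return fmt->name;               /* success or hard error ends the search */
    return NULL;                            /* exec would fail with ENOEXEC */
}

/* Rebuild the list as the two initcalls would; with head/tail placement the
 * relative order of elf and misc does not depend on which initcall runs first. */
void setup_formats(int patched)
{
    formats = NULL;
    if (!patched) {
        register_binfmt(&elf_format);       /* before the patch */
        insert_binfmt(&misc_format);        /* misc at the head: wins every match */
    } else {
        insert_binfmt(&elf_format);         /* with the patch: elf gets first refusal */
        register_binfmt(&misc_format);      /* misc at the tail */
    }
}

/* Which handler would exec a (constructed) ELF header with this e_machine? */
const char *handler_for_elf(int patched, unsigned machine)
{
    struct binprm bprm = { { 0x7f, 'E', 'L', 'F', 2, 1 } };   /* ELFCLASS64, LSB */
    bprm.buf[18] = machine & 0xff;
    bprm.buf[19] = machine >> 8;
    setup_formats(patched);
    return search_binary_handler(&bprm);
}

int main(void)
{
    for (int p = 0; p <= 1; p++)
        printf("%s: native ELF -> %s, ARM ELF -> %s\n", p ? "with patch" : "before patch",
               handler_for_elf(p, EM_X86_64), handler_for_elf(p, EM_ARM));
    return 0;
}
```

Before the patch the list is misc, elf, so the magic-only rule captures even a native x86-64 binary; with the patch it is elf, misc, so the native loader takes the x86-64 binary and only the ARM one, which the arch check rejects, reaches the qemu rule. The model also shows the limit worth stating in the commit message: a rule keyed on anything the built-in loaders reject is still reached in both orders.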