Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp4818572ybl; Wed, 22 Jan 2020 05:20:58 -0800 (PST) X-Google-Smtp-Source: APXvYqw45WFFe3gxJOmkMO1EZ+eZ0zgG1aJCsZWwb5oWm72foY9HSHIuGGKLa70JLTjOlznnBZ8g X-Received: by 2002:a05:6830:138b:: with SMTP id d11mr7106948otq.38.1579699258228; Wed, 22 Jan 2020 05:20:58 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1579699258; cv=none; d=google.com; s=arc-20160816; b=zjUljwoQhKgCi2worKGBKhxHLGtScrzgGBq6dAn0CDuWW5pKNOXnMc0XaRDc6O1QQ7 OeF6z++253qP0MxJoJ/YURRSfzrUznJsSHrd7T3yRzTBx6jwILTovY80SzISzLeBcfoT UaWNd8Fppn698og0P2SBSrvPWun/C+kToNm+grrV+r15yQlodXyZ/P41J5BijdSwLwU8 6EVL56CurPcFHnLOPODmjmLViWizgx3CQYlqhtjFmwzS62gUkSjoGe/gUA0nOT/Ws/r+ Y0ZeWwAoojBx4V1GbPv8VVMJMrnLmX/DPZO6fa4DEJHskbQV1CeDp901wQwH/+FybZXz 51CA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=geAbF47kPstKYqGGl4PO0juyqyrZKmdNIvYPB/jFp6I=; b=xxWvM8HGZ2Md2wYyBROGQZKP7QN9MmYHblve/UdDrR906YujmZnl5YXBBMLZ8jYx84 M6owFoRHvrdVVQEljomWpsO/FPffx/mCaGvlM004lJGqbNYooaR92zNUrjHTalHBNfCt KMhAES9z944rJhuhftVJPjRmA44vwg+XlB2+Wrnh8F4uqqIEuS9vvN4J1AzwZqOAulSF /4oLm8PRiNhhaPun4L713G006EtWZhchAsqXWHd/nAIu1jQfOo1dQSKs1c7RDqimMyPL 59l57OX6rqzhr+GpVe+6vSYsxPPGDyfFD5NoykMGM8QNJC9efmvxqLL7pL+z4+7YnFPi vkWw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="ucJ/yX71"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p5si25616287otk.221.2020.01.22.05.20.46; Wed, 22 Jan 2020 05:20:58 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="ucJ/yX71"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729619AbgAVNTQ (ORCPT + 99 others); Wed, 22 Jan 2020 08:19:16 -0500 Received: from mail.kernel.org ([198.145.29.99]:35134 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729605AbgAVNTQ (ORCPT ); Wed, 22 Jan 2020 08:19:16 -0500 Received: from localhost (unknown [84.241.205.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C28762467E; Wed, 22 Jan 2020 13:19:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1579699155; bh=GEEa6NR9HSN8e3D3Y87CI9rJvtYWBa01gAhwH1ADv00=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ucJ/yX716nbMbmxMjrv4R9U7///BMFxLVbv2AZkesNC0fg3ZfyEqgAIs6jR5P40Uj yiyULHjNc9RsZ6ShcDxj0R5Suwftl0mC8tnAzHwHTT0B4twY1hegthNUEsbBHN0Aiu P5sTtsxG8im5ayehYRiS+o5it/ZvKhSvhbcwIXRI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Oleg Nesterov , Eric Paris , Kees Cook , Serge Hallyn , Jann Horn , Christian Brauner Subject: [PATCH 5.4 057/222] ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() Date: Wed, 22 Jan 2020 10:27:23 +0100 Message-Id: <20200122092837.771519475@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200122092833.339495161@linuxfoundation.org> References: <20200122092833.339495161@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Christian Brauner commit 6b3ad6649a4c75504edeba242d3fd36b3096a57f upstream. Commit 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat") introduced the ability to opt out of audit messages for accesses to various proc files since they are not violations of policy. While doing so it somehow switched the check from ns_capable() to has_ns_capability{_noaudit}(). That means it switched from checking the subjective credentials of the task to using the objective credentials. This is wrong since. ptrace_has_cap() is currently only used in ptrace_may_access() And is used to check whether the calling task (subject) has the CAP_SYS_PTRACE capability in the provided user namespace to operate on the target task (object). According to the cred.h comments this would mean the subjective credentials of the calling task need to be used. This switches ptrace_has_cap() to use security_capable(). Because we only call ptrace_has_cap() in ptrace_may_access() and in there we already have a stable reference to the calling task's creds under rcu_read_lock() there's no need to go through another series of dereferences and rcu locking done in ns_capable{_noaudit}(). As one example where this might be particularly problematic, Jann pointed out that in combination with the upcoming IORING_OP_OPENAT feature, this bug might allow unprivileged users to bypass the capability checks while asynchronously opening files like /proc/*/mem, because the capability checks for this would be performed against kernel credentials. To illustrate on the former point about this being exploitable: When io_uring creates a new context it records the subjective credentials of the caller. Later on, when it starts to do work it creates a kernel thread and registers a callback. The callback runs with kernel creds for ktask->real_cred and ktask->cred. To prevent this from becoming a full-blown 0-day io_uring will call override_cred() and override ktask->cred with the subjective credentials of the creator of the io_uring instance. With ptrace_has_cap() currently looking at ktask->real_cred this override will be ineffective and the caller will be able to open arbitray proc files as mentioned above. Luckily, this is currently not exploitable but will turn into a 0-day once IORING_OP_OPENAT{2} land in v5.6. Fix it now! Cc: Oleg Nesterov Cc: Eric Paris Cc: stable@vger.kernel.org Reviewed-by: Kees Cook Reviewed-by: Serge Hallyn Reviewed-by: Jann Horn Fixes: 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat") Signed-off-by: Christian Brauner Signed-off-by: Greg Kroah-Hartman --- kernel/ptrace.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -264,12 +264,17 @@ static int ptrace_check_attach(struct ta return ret; } -static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode) +static bool ptrace_has_cap(const struct cred *cred, struct user_namespace *ns, + unsigned int mode) { + int ret; + if (mode & PTRACE_MODE_NOAUDIT) - return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE); + ret = security_capable(cred, ns, CAP_SYS_PTRACE, CAP_OPT_NOAUDIT); else - return has_ns_capability(current, ns, CAP_SYS_PTRACE); + ret = security_capable(cred, ns, CAP_SYS_PTRACE, CAP_OPT_NONE); + + return ret == 0; } /* Returns 0 on success, -errno on denial. */ @@ -321,7 +326,7 @@ static int __ptrace_may_access(struct ta gid_eq(caller_gid, tcred->sgid) && gid_eq(caller_gid, tcred->gid)) goto ok; - if (ptrace_has_cap(tcred->user_ns, mode)) + if (ptrace_has_cap(cred, tcred->user_ns, mode)) goto ok; rcu_read_unlock(); return -EPERM; @@ -340,7 +345,7 @@ ok: mm = task->mm; if (mm && ((get_dumpable(mm) != SUID_DUMP_USER) && - !ptrace_has_cap(mm->user_ns, mode))) + !ptrace_has_cap(cred, mm->user_ns, mode))) return -EPERM; return security_ptrace_access_check(task, mode);