Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp1968169ybh; Tue, 14 Jul 2020 11:55:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwK7yJ5qWMP6p/WEUQnp2pAxF94+CCNW7KVW/+ryzVpgtth33g6qp14ztgQ2SGU+92do5n4 X-Received: by 2002:a17:906:c1d8:: with SMTP id bw24mr5749022ejb.91.1594752948109; Tue, 14 Jul 2020 11:55:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1594752948; cv=none; d=google.com; s=arc-20160816; b=TvtMUAhm9/3T/P1VK4hxYPbAphiokUrPg0nLvqeWYNgMOUfDDjk94uqqZOfOdm07u6 pAjgU5Vf0yvPFS2qWkSu6Cgr3MRTdBmaKwc0OydgmxuUNDEe3u8F0xP8rFg5r7uu7spV bDsWYt/rlLvgcN/LnL6xZHVGg76DGd/11Ld4frK7KKG+4w6FMpG8xd6ZK3E+dVRldnuu y+LwgY1MH55dHrfXycZgrFXtD49eIhScLaP0oUFEC86gRdIVla9cGuGZo6e1CndctgyN NyRWovSpRzGz/si2unQGQ/WvhIuFFu1cEmkaHmw5T+Z+wFSdim0ywfFxMZ5ta6jyfn7l 7KtQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=0niuA4rF3/XnDltmxXgdroxvktfjMa3Y/BqD0sSy9tQ=; b=PSlVcs+2dPBtNvVavby1rLqmBEKLutmC7y21BF/CbNh0XrD4D8ApMSfyuzlCc0Rjxu HASYFwHtr6ffKrOJ7KzMmd5ooETCLCv/q/PDazJk7MgKhWVJD438eZOsXzdz1ll+15VW ArAhFzKNqeAeNEBvJ2ezJ8s3NeJAGa/0wPczmS+eT1ObYexzu8LHip5d3mDIad4714xD +kRlOcrZjB+0LqNojymVnJPiCYonH/qG8EEFz+CuXZqkr1B3uIYCknA8i5QEsWU4JIWW shwLaVRDnb5yKzd29zTtVZqiOC/Of6HYyFWTT6FMZTJ4LtJy6NJqZzVgEnyCACrNXnpR iLcg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=nBUJUNV5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p7si11979378ejy.206.2020.07.14.11.55.24; Tue, 14 Jul 2020 11:55:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=nBUJUNV5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729699AbgGNSwK (ORCPT + 99 others); Tue, 14 Jul 2020 14:52:10 -0400 Received: from mail.kernel.org ([198.145.29.99]:48746 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730476AbgGNSwH (ORCPT ); Tue, 14 Jul 2020 14:52:07 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D2CF122B48; Tue, 14 Jul 2020 18:52:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1594752726; bh=pqw5UfEYGYT8ol4RNywBnTNu1KP+OoGQYk4BTsvHyYU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=nBUJUNV5UMzefvehC/cW7s6dF+qatrRhF64/+MxaQWviF1UBMH5+qNbeGYuJwJrJB ZTsLD9YTC33TrKPQUZ0B61l2bY+yWDo5ldOTyEQfY2OWqJ9An4AAq4P8onP+0UAIfO zeMfviOkrZY/n9HFKypsbjnuzRCz7MajPM4f63YM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kees Cook Subject: [PATCH 5.4 087/109] kallsyms: Refactor kallsyms_show_value() to take cred Date: Tue, 14 Jul 2020 20:44:30 +0200 Message-Id: <20200714184109.715957926@linuxfoundation.org> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200714184105.507384017@linuxfoundation.org> References: <20200714184105.507384017@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Kees Cook commit 160251842cd35a75edfb0a1d76afa3eb674ff40a upstream. In order to perform future tests against the cred saved during open(), switch kallsyms_show_value() to operate on a cred, and have all current callers pass current_cred(). This makes it very obvious where callers are checking the wrong credential in their "read" contexts. These will be fixed in the coming patches. Additionally switch return value to bool, since it is always used as a direct permission check, not a 0-on-success, negative-on-error style function return. Cc: stable@vger.kernel.org Signed-off-by: Kees Cook Signed-off-by: Greg Kroah-Hartman --- include/linux/filter.h | 2 +- include/linux/kallsyms.h | 5 +++-- kernel/kallsyms.c | 17 +++++++++++------ kernel/kprobes.c | 4 ++-- kernel/module.c | 2 +- 5 files changed, 18 insertions(+), 12 deletions(-) --- a/include/linux/filter.h +++ b/include/linux/filter.h @@ -858,7 +858,7 @@ static inline bool bpf_dump_raw_ok(void) /* Reconstruction of call-sites is dependent on kallsyms, * thus make dump the same restriction. */ - return kallsyms_show_value() == 1; + return kallsyms_show_value(current_cred()); } struct bpf_prog *bpf_patch_insn_single(struct bpf_prog *prog, u32 off, --- a/include/linux/kallsyms.h +++ b/include/linux/kallsyms.h @@ -18,6 +18,7 @@ #define KSYM_SYMBOL_LEN (sizeof("%s+%#lx/%#lx [%s]") + (KSYM_NAME_LEN - 1) + \ 2*(BITS_PER_LONG*3/10) + (MODULE_NAME_LEN - 1) + 1) +struct cred; struct module; static inline int is_kernel_inittext(unsigned long addr) @@ -98,7 +99,7 @@ int lookup_symbol_name(unsigned long add int lookup_symbol_attrs(unsigned long addr, unsigned long *size, unsigned long *offset, char *modname, char *name); /* How and when do we show kallsyms values? */ -extern int kallsyms_show_value(void); +extern bool kallsyms_show_value(const struct cred *cred); #else /* !CONFIG_KALLSYMS */ @@ -158,7 +159,7 @@ static inline int lookup_symbol_attrs(un return -ERANGE; } -static inline int kallsyms_show_value(void) +static inline bool kallsyms_show_value(const struct cred *cred) { return false; } --- a/kernel/kallsyms.c +++ b/kernel/kallsyms.c @@ -645,19 +645,20 @@ static inline int kallsyms_for_perf(void * Otherwise, require CAP_SYSLOG (assuming kptr_restrict isn't set to * block even that). */ -int kallsyms_show_value(void) +bool kallsyms_show_value(const struct cred *cred) { switch (kptr_restrict) { case 0: if (kallsyms_for_perf()) - return 1; + return true; /* fallthrough */ case 1: - if (has_capability_noaudit(current, CAP_SYSLOG)) - return 1; + if (security_capable(cred, &init_user_ns, CAP_SYSLOG, + CAP_OPT_NOAUDIT) == 0) + return true; /* fallthrough */ default: - return 0; + return false; } } @@ -674,7 +675,11 @@ static int kallsyms_open(struct inode *i return -ENOMEM; reset_iter(iter, 0); - iter->show_value = kallsyms_show_value(); + /* + * Instead of checking this on every s_show() call, cache + * the result here at open time. + */ + iter->show_value = kallsyms_show_value(file->f_cred); return 0; } --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -2362,7 +2362,7 @@ static void report_probe(struct seq_file else kprobe_type = "k"; - if (!kallsyms_show_value()) + if (!kallsyms_show_value(current_cred())) addr = NULL; if (sym) @@ -2463,7 +2463,7 @@ static int kprobe_blacklist_seq_show(str * If /proc/kallsyms is not showing kernel address, we won't * show them here either. */ - if (!kallsyms_show_value()) + if (!kallsyms_show_value(current_cred())) seq_printf(m, "0x%px-0x%px\t%ps\n", NULL, NULL, (void *)ent->start_addr); else --- a/kernel/module.c +++ b/kernel/module.c @@ -4391,7 +4391,7 @@ static int modules_open(struct inode *in if (!err) { struct seq_file *m = file->private_data; - m->private = kallsyms_show_value() ? NULL : (void *)8ul; + m->private = kallsyms_show_value(current_cred()) ? NULL : (void *)8ul; } return err;