Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp4743401pxj; Tue, 25 May 2021 15:34:14 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwFXEVq1bnMCETN5qFXNWW5LXYxWNE3AoVDpCWRpA0FZjWYhGdUuw6aBHfnWUOyNOOCldZL X-Received: by 2002:a17:906:82d5:: with SMTP id a21mr31187350ejy.5.1621982054195; Tue, 25 May 2021 15:34:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1621982054; cv=none; d=google.com; s=arc-20160816; b=N8t05cnXesdM7R6ro6BXosIZet1ZF/Iex6i1EuRs+qkxtALK5VS+KwWEwfV+BvjaBA nmaAPF9ORMj5wmWl4AE+eo3GYYHBfrsQLpkJiwnVIuWS6zO959Ac0pM8sU8zQqRjzDFY DowNcnLWkrLL9ylw4ErcW+vfCASO1YQxCDa44f5t8naVUPsl/0fHACgXua9V4G0Ai8Hv UmmFzlYRoQSrzWZ3HrGcC9sO68krXdFIVk3oP1kzw7W/wE/Sb2pTcVHMnPncWCnqChw2 CHXIvWDljkDs4x5+PHvl0VS1gPdMfTxfgoV6maFclaNBGYH0OPNcE/UPp4Jxm7F+tCk3 e0kQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=my1VRpGvUlfJOXYYzf5go17vJHSLCcuUwMNzSJZH5Ho=; b=F6w5sKN5ofgTaCECePyHcqfA/fiTt9nIwTmrbD+uLnXnvWpRXstvTgrDlLFa4GhC6J pl+vS99jvd9pgSa+z+dQeQtG1yBY6j+opLgy/r2jRJxIfGwv2dbbKdlcSdGO7jn/DGlo Epb7kP0scEBtCAbGJ5i70coC5tI3nBQ6XltpeWTEQgRhXNMz1Zgqct/z66cIyROMLhBZ HGI7774EPWYJo3FKUT1WCBC06twlpft16JBpP8XtgJzjGys8VrODfrstmTu4ZzN3edGP rfDF70S7iHnWBTBmFFW31OvP/gKq2gBdzwpPAH0hK0sr2ws9gWME1YabewB2OQCo3UqX 28uw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ua8fCYca; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z14si4458797ejw.626.2021.05.25.15.33.50; Tue, 25 May 2021 15:34:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ua8fCYca; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231670AbhEYUv3 (ORCPT + 99 others); Tue, 25 May 2021 16:51:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48926 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230510AbhEYUv1 (ORCPT ); Tue, 25 May 2021 16:51:27 -0400 Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 251EEC061574 for ; Tue, 25 May 2021 13:49:57 -0700 (PDT) Received: by mail-lj1-x22c.google.com with SMTP id s25so39937094ljo.11 for ; Tue, 25 May 2021 13:49:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=my1VRpGvUlfJOXYYzf5go17vJHSLCcuUwMNzSJZH5Ho=; b=ua8fCYcaJJV6MtDCSg1a6tMUYR+FLxUCJ8CI+LDWBkCJ4cy1Wlpe+VCemp05KLBfSO D9cYtH86QUDMbl/Fzop62cTA5zjzp+ljS/DdNiip70zWHVOWa1SjVYLnN3E+mf6LHYDk NBzxy+HOhHapf14QAL8jiDZC3fi3YG1hwbvAFwsDpsxVgJ4XLi82xUXO+wMuBxceCL7H 6OjULEKwSnq+t0dj5lecl3Zy7J7N1jsxwerd1pfDqdxecC/4BsYyTHIC5/DbdlGb63Y6 EZDE4FHR60y6tkNVDKpDjHk3PKbT27tUHbBOXOnHE6m/1udgz6UFcLlbe8aQXnGTODWI 8q8Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=my1VRpGvUlfJOXYYzf5go17vJHSLCcuUwMNzSJZH5Ho=; b=D/e54lOaSBaslNk2yH6m/FVPSPqMnIzyCcMmbWXe+KGsSHQtjLiSlCDw3XCQScPMmT ivZdOjwH3y/CN3dUjsK2Hpo5UuouzgbZoCpusO4bV1Tgi03JkA4dJlJKLY2VoS9xGY6+ yGBcdDFlzfNm4Hy+DsYHs9RxM5XCamhtePv3qUXBpFMPjxCioeQH51eM4VwTgtaiGURO ANEk7HQ7do7Fj8mkz4ySRGlhyy0iD0csBQiNEho2pCHRWadEx4BSWmyqbN8ktFdqh0fv 6iIWEaUcLZ9tOFaDJ+kfiVcOik6WL/5baNqettHzAywx3CadCmMhKog/oAwAxMJkYRco 1N9A== X-Gm-Message-State: AOAM533HAajbxjRMV3SVLmUDJ/ydjqFk8DSGH0inv1D3sE4ffYrEq417 yfdoatul3Ijde1YDCEpa0Y0i5ja9TOtMbPJxxxPDYg== X-Received: by 2002:a2e:9f16:: with SMTP id u22mr22005702ljk.43.1621975795312; Tue, 25 May 2021 13:49:55 -0700 (PDT) MIME-Version: 1.0 References: <20210525193735.2716374-1-keescook@chromium.org> In-Reply-To: <20210525193735.2716374-1-keescook@chromium.org> From: Jann Horn Date: Tue, 25 May 2021 22:49:29 +0200 Message-ID: Subject: Re: [PATCH] proc: Check /proc/$pid/attr/ writes against file opener To: Kees Cook Cc: Linus Torvalds , stable , "Eric W. Biederman" , Paul Moore , Casey Schaufler , Oleg Nesterov , James Morris , John Johansen , Stephen Smalley , Greg Kroah-Hartman , kernel list , linux-security-module Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, May 25, 2021 at 9:37 PM Kees Cook wrote: > Fix another "confused deputy" weakness[1]. Writes to /proc/$pid/attr/ > files need to check the opener credentials, since these fds do not > transition state across execve(). Without this, it is possible to > trick another process (which may have different credentials) to write > to its own /proc/$pid/attr/ files, leading to unexpected and possibly > exploitable behaviors. > > [1] https://www.kernel.org/doc/html/latest/security/credentials.html?highlight=confused#open-file-credentials > > Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") > Cc: stable@vger.kernel.org > Signed-off-by: Kees Cook > --- > fs/proc/base.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index 3851bfcdba56..58bbf334265b 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -2703,6 +2703,10 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, > void *page; > int rv; > > + /* A task may only write when it was the opener. */ > + if (file->f_cred != current_real_cred()) > + return -EPERM; With this, if a task forks, the child will then still be able to open its parent's /proc/$pid/attr/current and trick the parent into writing to that, right? Is that acceptable? If not, the ->open handler should probably also check for "current->thread_pid == proc_pid(inode)", or something like that?