Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp4745959pxj; Tue, 25 May 2021 15:38:55 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzZ4GapLgiKTQtubvvCYDwsHKIsD0ixpzBQqnWqSpQW9RLo74RZ+mYLB1J1+0c+39I5nofe X-Received: by 2002:a05:6638:1482:: with SMTP id j2mr33492125jak.63.1621982335395; Tue, 25 May 2021 15:38:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1621982335; cv=none; d=google.com; s=arc-20160816; b=xT6ri7syMB2n68VzV+RhpbO/r9fkSVuOGStEhvqM2iAAFe074/2gEh8GCWQ5NdEETc NN+Te8ofoUYTk83b5aiFkpX2oYnnH3X5RZKqWfFEBkUxgNci1kt79NE5ff/gnb2s4wck 10Ond0dcDiiSf7hLz28nx9jmgrC0+dskNbD5ZtI1WTr/EZmFAUFCSHx4LHWLVeDtWE2k +j9Zzq1luRSDD5TqKDWTzhp7WYKdZBh/AUOex5wto76KsL6opQnTqEjP9jXuXPZkd/LJ PS6kKsFfMCiaIHPJuc3iYL2J3MwrX+ae5cPDocE1af2PDXp4XPNnHUY+FKVj0Ebrw6u0 mPyA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:subject:mime-version:user-agent:message-id :in-reply-to:date:references:cc:to:from; bh=1C4GXcGVxHeCwb2t7kJEyjTDjETNhVC4MY1VrRM0CuU=; b=HG5dS52OwvWvruzluxysJNu0e8RP8GnaoDu+ip4C/ocz7j8CpaZEJRbMtcTdJUFACK k+/lWREWiCHuUk9XfbRcxNZQo6btW17p43qGtBsbcIfPCQOchE5PcXvEKj9beR8s4Yq+ gRmNjM8IczvXVDjM376lKexT0N12SNus/wI9Njm0INhAHeZ4gn7isFvedgr3HqhyyFjy 0vb0zI71cE/SS1nCBzO7OKz5af5TgIW7uqi+071g0IJiDNid9CmT32KUgWLtCqvFJ6r8 0f9O5I8oBEEM7XUfrxPBggMO1T7mBgo7WaOAgZus3RVWZRCk7+UzVAQjU7vhAmUqFWpr P+0Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p8si17425826ils.114.2021.05.25.15.38.41; Tue, 25 May 2021 15:38:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232993AbhEYV0p (ORCPT + 99 others); Tue, 25 May 2021 17:26:45 -0400 Received: from out03.mta.xmission.com ([166.70.13.233]:33102 "EHLO out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232508AbhEYV0n (ORCPT ); Tue, 25 May 2021 17:26:43 -0400 Received: from in01.mta.xmission.com ([166.70.13.51]) by out03.mta.xmission.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from ) id 1lleY0-00HLfp-3h; Tue, 25 May 2021 15:25:08 -0600 Received: from ip68-227-160-95.om.om.cox.net ([68.227.160.95] helo=fess.xmission.com) by in01.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.87) (envelope-from ) id 1lleXz-0003h6-73; Tue, 25 May 2021 15:25:07 -0600 From: ebiederm@xmission.com (Eric W. Biederman) To: Jann Horn Cc: Kees Cook , Linus Torvalds , stable , Paul Moore , Casey Schaufler , Oleg Nesterov , James Morris , John Johansen , Stephen Smalley , Greg Kroah-Hartman , kernel list , linux-security-module References: <20210525193735.2716374-1-keescook@chromium.org> Date: Tue, 25 May 2021 16:24:52 -0500 In-Reply-To: (Jann Horn's message of "Tue, 25 May 2021 22:49:29 +0200") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1lleXz-0003h6-73;;;mid=;;;hst=in01.mta.xmission.com;;;ip=68.227.160.95;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX18b6GauH7woP0dutn2xuSoDIfadYjyx/GI= X-SA-Exim-Connect-IP: 68.227.160.95 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on sa08.xmission.com X-Spam-Level: X-Spam-Status: No, score=0.5 required=8.0 tests=ALL_TRUSTED,BAYES_50, DCC_CHECK_NEGATIVE,T_TM2_M_HEADER_IN_MSG,XMSubLong autolearn=disabled version=3.4.2 X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * 0.7 XMSubLong Long Subject * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa08 1397; Body=1 Fuz1=1 Fuz2=1] X-Spam-DCC: XMission; sa08 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;Jann Horn X-Spam-Relay-Country: X-Spam-Timing: total 444 ms - load_scoreonly_sql: 0.05 (0.0%), signal_user_changed: 15 (3.4%), b_tie_ro: 13 (2.9%), parse: 0.99 (0.2%), extract_message_metadata: 14 (3.0%), get_uri_detail_list: 1.98 (0.4%), tests_pri_-1000: 5 (1.1%), tests_pri_-950: 1.36 (0.3%), tests_pri_-900: 1.16 (0.3%), tests_pri_-90: 56 (12.5%), check_bayes: 53 (12.0%), b_tokenize: 7 (1.6%), b_tok_get_all: 9 (2.0%), b_comp_prob: 3.2 (0.7%), b_tok_touch_all: 29 (6.6%), b_finish: 1.48 (0.3%), tests_pri_0: 338 (76.1%), check_dkim_signature: 0.49 (0.1%), check_dkim_adsp: 3.3 (0.7%), poll_dns_idle: 0.18 (0.0%), tests_pri_10: 2.1 (0.5%), tests_pri_500: 8 (1.7%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH] proc: Check /proc/$pid/attr/ writes against file opener X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Jann Horn writes: > On Tue, May 25, 2021 at 9:37 PM Kees Cook wrote: >> Fix another "confused deputy" weakness[1]. Writes to /proc/$pid/attr/ >> files need to check the opener credentials, since these fds do not >> transition state across execve(). Without this, it is possible to >> trick another process (which may have different credentials) to write >> to its own /proc/$pid/attr/ files, leading to unexpected and possibly >> exploitable behaviors. >> >> [1] https://www.kernel.org/doc/html/latest/security/credentials.html?highlight=confused#open-file-credentials >> >> Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") >> Cc: stable@vger.kernel.org >> Signed-off-by: Kees Cook >> --- >> fs/proc/base.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/fs/proc/base.c b/fs/proc/base.c >> index 3851bfcdba56..58bbf334265b 100644 >> --- a/fs/proc/base.c >> +++ b/fs/proc/base.c >> @@ -2703,6 +2703,10 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, >> void *page; >> int rv; >> >> + /* A task may only write when it was the opener. */ >> + if (file->f_cred != current_real_cred()) >> + return -EPERM; > > With this, if a task forks, the child will then still be able to open > its parent's /proc/$pid/attr/current and trick the parent into writing > to that, right? Is that acceptable? If not, the ->open handler should > probably also check for "current->thread_pid == proc_pid(inode)", or > something like that? Currently exec always allocates a new cred. So you can only ``trick'' another process that was forked from you. I don't think it counts as tricking or any kind of danger if you are simply confusing yourself. Eric