From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kees Cook , Linus Torvalds
Subject: [PATCH 5.4 012/177] proc: Check /proc/$pid/attr/ writes against file opener
Date: Mon, 31 May 2021 15:12:49 +0200
Message-Id: <20210531130648.330655012@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210531130647.887605866@linuxfoundation.org>
References: <20210531130647.887605866@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: 
X-Mailing-List: linux-kernel@vger.kernel.org

From: Kees Cook

commit bfb819ea20ce8bbeeba17e1a6418bf8bda91fc28 upstream.

Fix another "confused deputy" weakness[1]. Writes to /proc/$pid/attr/
files need to check the opener credentials, since these fds do not
transition state across execve(). Without this, it is possible to trick
another process (which may have different credentials) to write to its
own /proc/$pid/attr/ files, leading to unexpected and possibly
exploitable behaviors.

[1] https://www.kernel.org/doc/html/latest/security/credentials.html?highlight=confused#open-file-credentials

Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
---
 fs/proc/base.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2556,6 +2556,10 @@ static ssize_t proc_pid_attr_write(struc
 	void *page;
 	int rv;
 
+	/* A task may only write when it was the opener. */
+	if (file->f_cred != current_real_cred())
+		return -EPERM;
+
 	rcu_read_lock();
 	task = pid_task(proc_pid(inode), PIDTYPE_PID);
 	if (!task) {
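Review bot: the new check at the top of proc_pid_attr_write() compares struct cred pointers, not credential contents, so `if (file->f_cred != current_real_cred())` also rejects the opening task itself once it has committed a new cred struct since the open(), for instance after setuid() or an execve() of a non-setuid binary, and such callers now get -EPERM where they previously reached the LSM. The comment "A task may only write when it was the opener" undersells that; suggest something like "A task may only write with the credentials it held when it opened the file" and a sentence in the commit message naming the behaviour change. The early return sits before rcu_read_lock(), so no unlock is needed there; that part is fine as is.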