From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kees Cook, Linus Torvalds
Subject: [PATCH 5.12 030/296] proc: Check /proc/$pid/attr/ writes against file opener
Date: Mon, 31 May 2021 15:11:25 +0200
Message-Id: <20210531130704.809305391@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210531130703.762129381@linuxfoundation.org>
References: <20210531130703.762129381@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Kees Cook

commit bfb819ea20ce8bbeeba17e1a6418bf8bda91fc28 upstream.

Fix another "confused deputy" weakness[1]. Writes to /proc/$pid/attr/
files need to check the opener credentials, since these fds do not
transition state across execve(). Without this, it is possible to trick
another process (which may have different credentials) to write to its
own /proc/$pid/attr/ files, leading to unexpected and possibly
exploitable behaviors.

[1] https://www.kernel.org/doc/html/latest/security/credentials.html?highlight=confused#open-file-credentials

Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
---
 fs/proc/base.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2703,6 +2703,10 @@ static ssize_t proc_pid_attr_write(struc
 	void *page;
 	int rv;
+	/* A task may only write when it was the opener. */
+	if (file->f_cred != current_real_cred())
+		return -EPERM;
+
 	rcu_read_lock();
 	task = pid_task(proc_pid(inode), PIDTYPE_PID);
 	if (!task) {
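Review bot: the new check in this hunk compares cred pointers, not credential values. `file->f_cred` is the cred struct captured at open() time and `current_real_cred()` is the writer's current real cred, so a process that opened the attr file and then changed its credentials in any way before writing (setuid and friends install a freshly allocated cred struct even when the resulting ids are identical) now gets -EPERM where the write used to succeed. That is consistent with the stated intent, since the fd does not transition across execve() and the opener's credentials are the ones the write should be judged against, but the comment `/* A task may only write when it was the opener. */` should say so explicitly, e.g. that "opener" means the exact cred in force at open time, so that later regression reports from software that opens early and writes after a credential change are recognised as the intended behaviour rather than a bug. Placing the test before `rcu_read_lock()` is correct: the early return holds no lock and skips the `pid_task()` lookup entirely.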