On 10/26/22 16:31, Kees Cook wrote:
> A common exploit pattern for ROP attacks is to abuse prepare_kernel_cred()
> in order to construct escalated privileges[1]. Instead of providing a
> short-hand argument (NULL) to the "daemon" argument to indicate using
> init_cred as the base cred, require that "daemon" is always set to
> an actual task. Replace all existing callers that were passing NULL
> with &init_task.
>
> Future attacks will need to have sufficiently powerful read/write
> primitives to have found an appropriately privileged task and written it
> to the ROP stack as an argument to succeed, which is similarly difficult
> to the prior effort needed to escalate privileges before struct cred
> existed: locate the current cred and overwrite the uid member.
>
> This has the added benefit of meaning that prepare_kernel_cred() can no
> longer exceed the privileges of the init task, which may have changed from
> the original init_cred (e.g. dropping capabilities from the bounding set).
>
> [1] https://google.com/search?q=commit_creds(prepare_kernel_cred(0))
>
> Cc: "Eric W. Biederman" <[email protected]>
> Cc: David Howells <[email protected]>
> Cc: Luis Chamberlain <[email protected]>
> Cc: Russ Weight <[email protected]>
> Cc: Greg Kroah-Hartman <[email protected]>
> Cc: "Rafael J. Wysocki" <[email protected]>
> Cc: Steve French <[email protected]>
> Cc: Paulo Alcantara <[email protected]>
> Cc: Ronnie Sahlberg <[email protected]>
> Cc: Shyam Prasad N <[email protected]>
> Cc: Tom Talpey <[email protected]>
> Cc: Namjae Jeon <[email protected]>
> Cc: Sergey Senozhatsky <[email protected]>
> Cc: Trond Myklebust <[email protected]>
> Cc: Anna Schumaker <[email protected]>
> Cc: Chuck Lever <[email protected]>
> Cc: Jeff Layton <[email protected]>
> Cc: "David S. Miller" <[email protected]>
> Cc: Eric Dumazet <[email protected]>
> Cc: Jakub Kicinski <[email protected]>
> Cc: Paolo Abeni <[email protected]>
> Cc: "Michal Koutný" <[email protected]>
> Cc: Peter Zijlstra <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> Cc: [email protected]
> Cc: [email protected]
> Signed-off-by: Kees Cook <[email protected]>
> ---
> drivers/base/firmware_loader/main.c | 2 +-
> fs/cifs/cifs_spnego.c | 2 +-
> fs/cifs/cifsacl.c | 2 +-
> fs/ksmbd/smb_common.c | 2 +-
> fs/nfs/flexfilelayout/flexfilelayout.c | 4 ++--
> fs/nfs/nfs4idmap.c | 2 +-
> fs/nfsd/nfs4callback.c | 2 +-
> kernel/cred.c | 15 +++++++--------
> net/dns_resolver/dns_key.c | 2 +-
> 9 files changed, 16 insertions(+), 17 deletions(-)
>
> diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c
> index 7c3590fd97c2..017c4cdb219e 100644
> --- a/drivers/base/firmware_loader/main.c
> +++ b/drivers/base/firmware_loader/main.c
> @@ -821,7 +821,7 @@ _request_firmware(const struct firmware **firmware_p, const char *name,
> * called by a driver when serving an unrelated request from userland, we use
> * the kernel credentials to read the file.
> */
> - kern_cred = prepare_kernel_cred(NULL);
> + kern_cred = prepare_kernel_cred(&init_task);
> if (!kern_cred) {
> ret = -ENOMEM;
> goto out;
> diff --git a/fs/cifs/cifs_spnego.c b/fs/cifs/cifs_spnego.c
> index 342717bf1dc2..6f3285f1dfee 100644
> --- a/fs/cifs/cifs_spnego.c
> +++ b/fs/cifs/cifs_spnego.c
> @@ -189,7 +189,7 @@ init_cifs_spnego(void)
> * spnego upcalls.
> */
>
> - cred = prepare_kernel_cred(NULL);
> + cred = prepare_kernel_cred(&init_task);
> if (!cred)
> return -ENOMEM;
>
> diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
> index fa480d62f313..574de2b225ae 100644
> --- a/fs/cifs/cifsacl.c
> +++ b/fs/cifs/cifsacl.c
> @@ -465,7 +465,7 @@ init_cifs_idmap(void)
> * this is used to prevent malicious redirections from being installed
> * with add_key().
> */
> - cred = prepare_kernel_cred(NULL);
> + cred = prepare_kernel_cred(&init_task);
> if (!cred)
> return -ENOMEM;
>
> diff --git a/fs/ksmbd/smb_common.c b/fs/ksmbd/smb_common.c
> index d96da872d70a..2a4fbbd55b91 100644
> --- a/fs/ksmbd/smb_common.c
> +++ b/fs/ksmbd/smb_common.c
> @@ -623,7 +623,7 @@ int ksmbd_override_fsids(struct ksmbd_work *work)
> if (share->force_gid != KSMBD_SHARE_INVALID_GID)
> gid = share->force_gid;
>
> - cred = prepare_kernel_cred(NULL);
> + cred = prepare_kernel_cred(&init_task);
> if (!cred)
> return -ENOMEM;
>
> diff --git a/fs/nfs/flexfilelayout/flexfilelayout.c b/fs/nfs/flexfilelayout/flexfilelayout.c
> index 1ec79ccf89ad..7deb3cd76abe 100644
> --- a/fs/nfs/flexfilelayout/flexfilelayout.c
> +++ b/fs/nfs/flexfilelayout/flexfilelayout.c
> @@ -493,10 +493,10 @@ ff_layout_alloc_lseg(struct pnfs_layout_hdr *lh,
> gid = make_kgid(&init_user_ns, id);
>
> if (gfp_flags & __GFP_FS)
> - kcred = prepare_kernel_cred(NULL);
> + kcred = prepare_kernel_cred(&init_task);
> else {
> unsigned int nofs_flags = memalloc_nofs_save();
> - kcred = prepare_kernel_cred(NULL);
> + kcred = prepare_kernel_cred(&init_task);
> memalloc_nofs_restore(nofs_flags);
> }
> rc = -ENOMEM;
> diff --git a/fs/nfs/nfs4idmap.c b/fs/nfs/nfs4idmap.c
> index e3fdd2f45b01..25a7c771cfd8 100644
> --- a/fs/nfs/nfs4idmap.c
> +++ b/fs/nfs/nfs4idmap.c
> @@ -203,7 +203,7 @@ int nfs_idmap_init(void)
> printk(KERN_NOTICE "NFS: Registering the %s key type\n",
> key_type_id_resolver.name);
>
> - cred = prepare_kernel_cred(NULL);
> + cred = prepare_kernel_cred(&init_task);
> if (!cred)
> return -ENOMEM;
>
> diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
> index f0e69edf5f0f..4a9e8d17e56a 100644
> --- a/fs/nfsd/nfs4callback.c
> +++ b/fs/nfsd/nfs4callback.c
> @@ -870,7 +870,7 @@ static const struct cred *get_backchannel_cred(struct nfs4_client *clp, struct r
> } else {
> struct cred *kcred;
>
> - kcred = prepare_kernel_cred(NULL);
> + kcred = prepare_kernel_cred(&init_task);
> if (!kcred)
> return NULL;
>
> diff --git a/kernel/cred.c b/kernel/cred.c
> index e10c15f51c1f..811ad654abd1 100644
> --- a/kernel/cred.c
> +++ b/kernel/cred.c
> @@ -701,9 +701,9 @@ void __init cred_init(void)
> * override a task's own credentials so that work can be done on behalf of that
> * task that requires a different subjective context.
> *
> - * @daemon is used to provide a base for the security record, but can be NULL.
> - * If @daemon is supplied, then the security data will be derived from that;
> - * otherwise they'll be set to 0 and no groups, full capabilities and no keys.
> + * @daemon is used to provide a base cred, with the security data derived from
> + * that; if this is "&init_task", they'll be set to 0, no groups, full
> + * capabilities, and no keys.
> *
> * The caller may change these controls afterwards if desired.
> *
> @@ -714,17 +714,16 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon)
> const struct cred *old;
> struct cred *new;
>
> + if (WARN_ON_ONCE(!daemon))
> + return NULL;
> +
> new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
> if (!new)
> return NULL;
>
> kdebug("prepare_kernel_cred() alloc %p", new);
>
> - if (daemon)
> - old = get_task_cred(daemon);
> - else
> - old = get_cred(&init_cred);
> -
> + old = get_task_cred(daemon);
> validate_creds(old);
>
> *new = *old;
> diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c
> index 3aced951d5ab..01e54b46ae0b 100644
> --- a/net/dns_resolver/dns_key.c
> +++ b/net/dns_resolver/dns_key.c
> @@ -337,7 +337,7 @@ static int __init init_dns_resolver(void)
> * this is used to prevent malicious redirections from being installed
> * with add_key().
> */
> - cred = prepare_kernel_cred(NULL);
> + cred = prepare_kernel_cred(&init_task);
> if (!cred)
> return -ENOMEM;
>
Acked-by: Russ Weight <[email protected]>
- Russ