lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Thu,  6 Oct 2022 01:27:33 -0700
From:   Kees Cook <>
To:     Eric Biederman <>
Cc:     Kees Cook <>,
        Jorge Merlino <>,
        Al Viro <>,
        "Christian Brauner (Microsoft)" <>,
        Thomas Gleixner <>,
        Andy Lutomirski <>,
        Sebastian Andrzej Siewior <>,
        Andrew Morton <>,
        John Johansen <>,
        Paul Moore <>,
        James Morris <>,
        "Serge E. Hallyn" <>,
        Stephen Smalley <>,
        Eric Paris <>,
        Richard Haines <>,
        Casey Schaufler <>,
        Xin Long <>,
        "David S. Miller" <>,
        Todd Kjos <>,
        Ondrej Mosnacek <>,
        Prashanth Prahlad <>,
        Micah Morton <>,
        Fenghua Yu <>,
        Andrei Vagin <>,,,,,,,
Subject: [PATCH 0/2] fs/exec: Explicitly unshare fs_struct on exec


These changes seek to address an issue reported[1] by Jorge Merlino where
high-thread-count processes would sometimes fail to setuid during a
setuid execve().

It looks to me like the solution is to explicitly do an unshare_fs(),
which should almost always be a no-op. Current testing seems to indicate
that only the swapper->init exec triggers this condition (and I'm unclear
on whether that's expected or undesirable). This has only received very
light testing so far, but I wanted to share it so other folks could look
it over.

Jorge, can you test with these patches? Your PoC triggered immediately
for me on an unpatched kernel, and did not trigger on a patched one.

I added this patch on top of the series to see if the code ever fired:

diff --git a/kernel/fork.c b/kernel/fork.c
index 53b7248f7a4b..3c197d9d8daa 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -3113,6 +3113,7 @@ int unshare_fs(void)
 	if (error || !new_fs)
 		return error;
+	pr_notice("UNSHARE of \"%s\" [%d]\n", current->comm, current->pid);
 	if (new_fs)




Kees Cook (2):
  fs/exec: Explicitly unshare fs_struct on exec
  exec: Remove LSM_UNSAFE_SHARE

 fs/exec.c                  | 26 ++++------------
 fs/fs_struct.c             |  1 -
 include/linux/fdtable.h    |  1 +
 include/linux/fs_struct.h  |  1 -
 include/linux/security.h   |  5 ++-
 kernel/fork.c              | 62 ++++++++++++++++++++++++++------------
 security/apparmor/domain.c |  5 ---
 security/selinux/hooks.c   | 10 ------
 8 files changed, 51 insertions(+), 60 deletions(-)


Powered by blists - more mailing lists