lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20240124220619.work.227-kees@kernel.org>
Date: Wed, 24 Jan 2024 14:06:23 -0800
From: Kees Cook <keescook@...omium.org>
To: Kevin Locke <kevin@...inlocke.name>
Cc: Kees Cook <keescook@...omium.org>,
	Jann Horn <jannh@...gle.com>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Eric Biederman <ebiederm@...ssion.com>,
	Alexander Viro <viro@...iv.linux.org.uk>,
	Christian Brauner <brauner@...nel.org>,
	Jan Kara <jack@...e.cz>,
	linux-mm@...ck.org,
	linux-fsdevel@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	linux-hardening@...r.kernel.org
Subject: [PATCH] exec: Remove __FMODE_EXEC from uselib()

Path-based LSMs will bypass uselib() "open" checks since commit
4759ff71f23e ("exec: Check __FMODE_EXEC instead of in_execve for LSMs"),
so don't set __FMODE_EXEC during uselib(). The LSM "open" and eventual
"mmap" hooks will be restored. (uselib() never set current->in_execve.)

Other things that checked __FMODE_EXEC:

- fs/fcntl.c is just doing a bitfield sanity check.

- nfs_open_permission_mask() is only checking for the
  "unreadable exec" case, which is not an issue for uselib(),
  which sets MAY_READ, unlike execve().

- fsnotify would no longer see uselib() as FS_OPEN_EXEC_PERM, but
  rather as FS_OPEN_PERM, but this is likely a bug fix, as uselib() isn't
  an exec: it's more like mmap(), which fsnotify doesn't intercept.

Reported-by: Jann Horn <jannh@...gle.com>
Closes: https://lore.kernel.org/lkml/CAG48ez017tTwxXbxdZ4joVDv5i8FLWEjk=K_z1Vf=pf0v1=cTg@mail.gmail.com/
Fixes: 4759ff71f23e ("exec: Check __FMODE_EXEC instead of in_execve for LSMs")
Suggested-by: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Kevin Locke <kevin@...inlocke.name>
Cc: Eric Biederman <ebiederm@...ssion.com>
Cc: Alexander Viro <viro@...iv.linux.org.uk>
Cc: Christian Brauner <brauner@...nel.org>
Cc: Jan Kara <jack@...e.cz>
Cc: linux-mm@...ck.org
Cc: linux-fsdevel@...r.kernel.org
Signed-off-by: Kees Cook <keescook@...omium.org>
---
 fs/exec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/exec.c b/fs/exec.c
index d179abb78a1c..af4fbb61cd53 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -128,7 +128,7 @@ SYSCALL_DEFINE1(uselib, const char __user *, library)
 	struct filename *tmp = getname(library);
 	int error = PTR_ERR(tmp);
 	static const struct open_flags uselib_flags = {
-		.open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
+		.open_flag = O_LARGEFILE | O_RDONLY,
 		.acc_mode = MAY_READ | MAY_EXEC,
 		.intent = LOOKUP_OPEN,
 		.lookup_flags = LOOKUP_FOLLOW,
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ