| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87h95v3j0i.fsf@xmission.com>
Date: Fri, 23 Dec 2016 07:39:57 +1300
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Aleksa Sarai <asarai@...e.de>
Cc: oleg@...hat.com, viro@...iv.linux.org.uk,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
cyphar@...har.com, dev@...ncontainers.org
Subject: Re: [PATCH v2] fs: exec: apply CLOEXEC before changing dumpable task flags
Aleksa Sarai <asarai@...e.de> writes:
> If you have a process that has set itself to be non-dumpable, and it
> then undergoes exec(2), any CLOEXEC file descriptors it has open are
> "exposed" during a race window between the dumpable flags of the process
> being reset for exec(2) and CLOEXEC being applied to the file
> descriptors. This can be exploited by a process by attempting to access
> /proc/<pid>/fd/... during this window, without requiring CAP_SYS_PTRACE.
>
> The race in question is after set_dumpable has been (for get_link,
> though the trace is basically the same for readlink):
>
> [vfs]
> -> proc_pid_link_inode_operations.get_link
> -> proc_pid_get_link
> -> proc_fd_access_allowed
> -> ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);
>
> Which will return 0, during the race window and CLOEXEC file descriptors
> will still be open during this window because do_close_on_exec has not
> been called yet. As a result, the ordering of these calls should be
> reversed to avoid this race window.
>
> This is of particular concern to container runtimes, where joining a
> PID namespace with file descriptors referring to the host filesystem
> can result in security issues (since PRCTL_SET_DUMPABLE doesn't protect
> against access of CLOEXEC file descriptors -- file descriptors which may
> reference filesystem objects the container shouldn't have access to).
That seems reasonable. I was thinking cred_guard_mutex should handle
this case, but it obviously won't because only ptrace_attach takes that.
Sigh with enough cleanups the code might even become comprehensible and
correct in there.
I have dropped this onto my for-testing branch for now (so I don't
forget it) and after the chaos of the merge window ends I will forward
this along.
Eric
> Cc: dev@...ncontainers.org
> Cc: <stable@...r.kernel.org> # v3.2+
> Reported-by: Michael Crosby <crosbymichael@...il.com>
> Signed-off-by: Aleksa Sarai <asarai@...e.de>
> ---
> fs/exec.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index 4e497b9ee71e..b0a98ef03253 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -19,7 +19,7 @@
> * current->executable is only used by the procfs. This allows a dispatch
> * table to check for several different types of binary formats. We keep
> * trying until we recognize the file or we run out of supported binary
> - * formats.
> + * formats.
> */
>
> #include <linux/slab.h>
> @@ -1266,6 +1266,13 @@ int flush_old_exec(struct linux_binprm * bprm)
> flush_thread();
> current->personality &= ~bprm->per_clear;
>
> + /*
> + * We have to apply CLOEXEC before we change whether the process is
> + * dumpable (in setup_new_exec) to avoid a race with a process in userspace
> + * trying to access the should-be-closed file descriptors of a process
> + * undergoing exec(2).
> + */
> + do_close_on_exec(current->files);
> return 0;
>
> out:
> @@ -1315,7 +1322,6 @@ void setup_new_exec(struct linux_binprm * bprm)
> group */
> current->self_exec_id++;
> flush_signal_handlers(current, 0);
> - do_close_on_exec(current->files);
> }
> EXPORT_SYMBOL(setup_new_exec);
Powered by blists - more mailing lists