lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <201901220050.x0M0ommA008918@www262.sakura.ne.jp>
Date:   Tue, 22 Jan 2019 09:50:48 +0900
From:   Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
To:     Al Viro <viro@...iv.linux.org.uk>
Cc:     Eric Biggers <ebiggers3@...il.com>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Kees Cook <keescook@...omium.org>,
        syzbot 
        <bot+e93a80c1bb7c5c56e522461c149f8bf55eab1b2b@...kaller.appspotmail.com>,
        "linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: [PATCH v2] fs: Allow opening only regular files during execve().

Al Viro wrote:
> On Mon, Jan 21, 2019 at 07:14:39PM +0900, Tetsuo Handa wrote:
> > On Tue, Dec 12, 2017 at 2:06 PM, Eric Biggers <ebiggers3@...il.com> wrote:
> > > I'm not sure what the fix will be.  Maybe the proc handlers should take a
> > > different lock instead of cred_guard_mutex.  Or perhaps execve should check that
> > > the file is a regular file before it attempts to open it.
> > 
> > We can easily distinguish open() from execve() and open() from others. ;-)
> 
> > +	/* The file or a script interpreter has to be a regular file. */
> > +	if (unlikely(current->in_execve && !S_ISREG(inode->i_mode))) {
> > +		error = -EACCES;
> > +		goto cleanup_file;
> > +	}
> 
> We are *NOT* going to use current->in_execve to propagate that information.

You mean check FMODE_EXEC instead of current->in_execve ?

>From f80b32e1c3fbd65672387ee441a32ab58db456f8 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
Date: Tue, 22 Jan 2019 09:34:35 +0900
Subject: [PATCH v2] fs: Allow opening only regular files during execve().

syzbot is hitting lockdep warning [1] due to trying to open a fifo during
an execve() operation. But we don't need to open non regular files during
an execve() operation, for all files which we will need are the executable
file itself and the interpreter programs like /bin/sh and ld-linux.so.2 .

Since the manpage for execve(2) says that execve() returns EACCES when
the file or a script interpreter is not a regular file, and the manpage
for uselib(2) says that uselib() can return EACCES, and we use FMODE_EXEC
when opening for execve()/uselib(), let's bail out if a non regular file
is requested with FMODE_EXEC set.

[1] https://syzkaller.appspot.com/bug?id=b5095bfec44ec84213bac54742a82483aad578ce

Reported-by: syzbot <syzbot+e93a80c1bb7c5c56e522461c149f8bf55eab1b2b@...kaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
---
 fs/open.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/open.c b/fs/open.c
index 0285ce7..ee719c2 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -733,6 +733,12 @@ static int do_dentry_open(struct file *f,
 		return 0;
 	}
 
+	/* Any file opened for execve()/uselib() has to be a regular file. */
+	if (unlikely(f->f_flags & FMODE_EXEC && !S_ISREG(inode->i_mode))) {
+		error = -EACCES;
+		goto cleanup_file;
+	}
+
 	if (f->f_mode & FMODE_WRITE && !special_file(inode->i_mode)) {
 		error = get_write_access(inode);
 		if (unlikely(error))
-- 
1.8.3.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ