[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAKxm1-EFzwbFS73VsriiwZKHJjZZAyvD-WHpFRsWttzhqqMy2Q@mail.gmail.com>
Date: Mon, 24 Jun 2019 19:01:21 +0300
From: Tamir Carmeli <carmeli.tamir@...il.com>
To: viro@...iv.linux.org.uk, Tamir Carmeli <carmeli.tamir@...il.com>,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] fs/binfmt: Changed order of elf and misc to prevent
privilege escalation
Hi,
I'd appreciate feedback on the patch. Seems like we can solve a stupid
"hiding" technique, more "advanced" than just marking an executable
with suid, that leads to privilege escalation. Please tell me if I
miss something.
On Mon, Jun 17, 2019 at 9:58 PM Carmeli Tamir <carmeli.tamir@...il.com> wrote:
>
> The misc format handler is configured to work in many boards
> and distributions, exposing a volnurability that enables an
> attacker with a temporary root access to configure the system
> to gain a hidden persistent root acces. This can be easily
> demonstrated using https://github.com/toffan/binfmt_misc .
>
> According to binfmt_misc documentation
> (https://lwn.net/Articles/679310/), the handler is used
> to execute more binary formats, e.g. execs compiled
> for different architectures. After this patch, every
> mentioned example in the documentation shall work.
>
> I tested this patch using a "positive example" - running
> and ARM executable on an x86 machine using a qemu-arm misc
> handler, and a "negative example" of running the demostration
> by toffan I mention above. Before the patch both examples
> work, and after the patch only the positive example work
> where the volnurability is prevented.
>
> Signed-off-by: Carmeli Tamir <carmeli.tamir@...il.com>
> ---
> fs/binfmt_elf.c | 2 +-
> fs/binfmt_misc.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> index d4e11b2e04f6..3a2afe84943c 100644
> --- a/fs/binfmt_elf.c
> +++ b/fs/binfmt_elf.c
> @@ -2411,7 +2411,7 @@ static int elf_core_dump(struct coredump_params *cprm)
>
> static int __init init_elf_binfmt(void)
> {
> - register_binfmt(&elf_format);
> + insert_binfmt(&elf_format);
> return 0;
> }
>
> diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
> index b8e145552ec7..f4a9e1154cae 100644
> --- a/fs/binfmt_misc.c
> +++ b/fs/binfmt_misc.c
> @@ -859,7 +859,7 @@ static int __init init_misc_binfmt(void)
> {
> int err = register_filesystem(&bm_fs_type);
> if (!err)
> - insert_binfmt(&misc_format);
> + register_binfmt(&misc_format);
> return err;
> }
>
> --
> 2.21.0
>
Powered by blists - more mailing lists