Message-ID: <20241117091313.10251-1-stsp2@yandex.ru>
Date: Sun, 17 Nov 2024 12:13:13 +0300
From: Stas Sergeev <stsp2@...dex.ru>
To: linux-kernel@...r.kernel.org
Cc: Stas Sergeev <stsp2@...dex.ru>,
	Alexander Mikhalitsyn <alexander@...alicyn.com>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>,
	Paolo Abeni <pabeni@...hat.com>,
	Simon Horman <horms@...nel.org>,
	Christian Brauner <brauner@...nel.org>,
	Kees Cook <kees@...nel.org>,
	Kuniyuki Iwashima <kuniyu@...zon.com>,
	netdev@...r.kernel.org
Subject: [PATCH net v2] scm: fix negative fds with SO_PASSPIDFD

pidfd_prepare() can return negative values as error codes.
But scm_pidfd_recv() didn't check for that condition.
As a result, it is possible to create a race that leads to
negative fds. The race happens if the peer process sends
something to an SO_PASSPIDFD-enabled recipient, and quickly exits.
pidfd_prepare() has this code:

    if (!pid || !pid_has_task(pid, thread ? PIDTYPE_PID : PIDTYPE_TGID))
            return -EINVAL;

So if you exit quickly enough, you can hit that EINVAL.
Getting fd=-22 is very weird, if not exploitable.

This patch adds the missing check and sets MSG_CTRUNC on error.
The recipient can now detect an error by checking this flag.

Changes in v2: add Fixes tag

Signed-off-by: Stas Sergeev <stsp2@...dex.ru>

Fixes: 5e2ff6704a2 ("scm: add SO_PASSPIDFD and SCM_PIDFD")

CC: Alexander Mikhalitsyn <alexander@...alicyn.com>
CC: "David S. Miller" <davem@...emloft.net>
CC: Eric Dumazet <edumazet@...gle.com>
CC: Jakub Kicinski <kuba@...nel.org>
CC: Paolo Abeni <pabeni@...hat.com>
CC: Simon Horman <horms@...nel.org>
CC: Christian Brauner <brauner@...nel.org>
CC: Kees Cook <kees@...nel.org>
CC: Kuniyuki Iwashima <kuniyu@...zon.com>
CC: netdev@...r.kernel.org
CC: linux-kernel@...r.kernel.org
---
 include/net/scm.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/include/net/scm.h b/include/net/scm.h
index 0d35c7c77a74..3ccf8546c506 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -155,6 +155,10 @@ static __inline__ void scm_pidfd_recv(struct msghdr *msg, struct scm_cookie *scm
 		return;
 
 	pidfd = pidfd_prepare(scm->pid, 0, &pidfd_file);
+	if (pidfd < 0) {
+		msg->msg_flags |= MSG_CTRUNC;
+		return;
+	}
 
 	if (put_cmsg(msg, SOL_SOCKET, SCM_PIDFD, sizeof(int), &pidfd)) {
 		if (pidfd_file) {
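Review bot: the new `if (pidfd < 0)` branch folds every pidfd_prepare() failure into MSG_CTRUNC, the same flag put_cmsg() raises a few lines later when the caller's control buffer is too small, so userspace cannot distinguish "peer exited before the pidfd was created" from "control buffer too short"; a one-line comment above the check stating that this overload is intentional would help the next reader. The early return also relies on pidfd_prepare() not having assigned pidfd_file on the error path (nothing is released here); worth noting that assumption in the same comment so a later change to pidfd_prepare() does not turn this into a leak.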
-- 
2.47.0
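The receiver-side counterpart of this fix, as an added example that is not part of the patch or the kernel tree: a user-space helper that walks the control data of a received msghdr and only hands back an SCM_PIDFD value when MSG_CTRUNC is clear and the fd is non-negative, so a pre-fix kernel's fd=-22 is rejected rather than used. SCM_PIDFD is defined locally in case the libc headers predate it; `check_pidfd_cmsg()` builds a constructed control buffer so the check can be exercised without a live socket.

```c
#include <string.h>
#include <sys/socket.h>

#ifndef SCM_PIDFD
#define SCM_PIDFD 0x04   /* value from <linux/socket.h>; older libc headers lack it */
#endif

/* Return the received pidfd (>= 0), or -1 if no trustworthy pidfd is present:
 * MSG_CTRUNC set (kernel could not attach or fully deliver the cmsg),
 * no SCM_PIDFD cmsg, a malformed length, or a negative fd value. */
int extract_pidfd(struct msghdr *msg)
{
    if (msg->msg_flags & MSG_CTRUNC)
        return -1;                          /* post-fix kernels signal failure here */

    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_PIDFD)
            continue;
        if (c->cmsg_len != CMSG_LEN(sizeof(int)))
            return -1;                      /* payload is not exactly one int */
        int fd;
        memcpy(&fd, CMSG_DATA(c), sizeof fd);
        return fd < 0 ? -1 : fd;            /* pre-fix kernels can deliver -EINVAL here */
    }
    return -1;                              /* no SCM_PIDFD cmsg at all */
}

/* Constructed input (not a real recvmsg() result): a msghdr whose control
 * buffer carries a single SCM_PIDFD cmsg with `value`, plus `flags`. */
int check_pidfd_cmsg(int value, int flags)
{
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u;
    struct msghdr msg;

    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    msg.msg_flags = flags;

    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_PIDFD;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &value, sizeof value);

    return extract_pidfd(&msg);
}
```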

