| Message ID | 20230713121907.9693-1-cyphar@cyphar.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:a6b2:0:b0:3e4:2afc:c1 with SMTP id c18csp1797421vqm;
Thu, 13 Jul 2023 05:46:28 -0700 (PDT)
X-Google-Smtp-Source:
APBJJlEaCar2y2KR+71boK8oN2XIWyRkJ0xbCvdUis0XBtUmFKD3GuX8+upoh8CwxzUpT6E60ynK
X-Received: by 2002:a05:6a00:139c:b0:682:edbe:4cbd with SMTP id
t28-20020a056a00139c00b00682edbe4cbdmr2630351pfg.15.1689252388387;
Thu, 13 Jul 2023 05:46:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1689252388; cv=none;
d=google.com; s=arc-20160816;
b=n7KFK9jVmLkpQGkZc8KWQCG7hGqClvjkuOrsCAP0Hnek0FNTKO9LZmVCRk2RabfvEG
PN2U51hE2tBhKUNWUMHOECzOAnqnE7kzmBza36GQsC6xlqMHl9CaDRQ+xkJKJx03kh8L
zypeONNL1H1u7SdbZAf0UqIl0c9Up47GFdOnImXrsNaWY/uyHY2EfmQkGK/svTFORPxB
mmrFaj8Iq3gdmddPhgSbHbZVRmU9QeRM8RHWPkP3FBKlpkq8A1PaKGt6XFBnrFvmA9/O
8vsRIhanT1Hg/k5dJLhXYD8MC6b3znvlttX+IFqnzXGBULuSX1LvtxT3QxO2cpnGMWB5
1cIw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=xpxD6jJvH2NdvxBxxbA/xwwWPK026oBkIsxvhSiVppQ=;
fh=v11YTLBCF6J2i39NYsOyk25Ele3+JwZKrKY8qKcpsx4=;
b=yF671S+IbddDPX9g2Oy18oxpa3ML8ogJ7YYsNHkn1XoYQjamIVp2COzNJm/zpZ1AmG
KapzBm0mViYAGy1XOOTkEqoo//5qcLkEy9s/cNf1Vl38DlxYm1TrWwPXuPVa3B+PnjxE
mU5Rd7MgVldemiCsqw33j/+l6RkVhrLlL3cDU+xidsi9mPBk55ZhvZSytqHje9jVgfu+
UFDJR2j0IXTYy+Kcl34RMIS5x+8zBOqbm5oR05EbI3fPxlKY84kTyU8TPFc89F7X1hsM
Pa9iwuK+pEBA72nbPYwrIBwRos6AV57WuSq4neXwg9Gg0bzCxYBs2XUxUliZXlXFQrQz
0kCg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@cyphar.com header.s=MBO0001 header.b=cylZYD1v;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cyphar.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
bq6-20020a056a000e0600b006687ed7b4a5si5089650pfb.140.2023.07.13.05.46.15;
Thu, 13 Jul 2023 05:46:28 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@cyphar.com header.s=MBO0001 header.b=cylZYD1v;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cyphar.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S234654AbjGMMTa (ORCPT <rfc822;ybw1215001957@gmail.com>
+ 99 others); Thu, 13 Jul 2023 08:19:30 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42586 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S234660AbjGMMT1 (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Thu, 13 Jul 2023 08:19:27 -0400
Received: from mout-p-102.mailbox.org (mout-p-102.mailbox.org [80.241.56.152])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5D02E2691;
Thu, 13 Jul 2023 05:19:25 -0700 (PDT)
Received: from smtp202.mailbox.org (smtp202.mailbox.org
[IPv6:2001:67c:2050:b231:465::202])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits)
server-digest SHA256)
(No client certificate requested)
by mout-p-102.mailbox.org (Postfix) with ESMTPS id 4R1tvY219Sz9scb;
Thu, 13 Jul 2023 14:19:21 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cyphar.com; s=MBO0001;
t=1689250761;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:cc:mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding;
bh=xpxD6jJvH2NdvxBxxbA/xwwWPK026oBkIsxvhSiVppQ=;
b=cylZYD1v3/ux3bOiBo3SI+1bkuoVoVNqjUBtUccqLVf/rjbGuRgjZ0Z6usXEm/u3ktL1v8
71xqGF6BjvRUpF2MnI9/7rMzhIJe/qPc8YUXWpj0UYEfTX9ESVdtOBLWqZLgY7p++dgdWJ
u3LO9hPOjKSXDO1Hdr9TLWSe9AaFE1cVOGBWKLQOC3KS9lCI8780JZMgKP2RRkDvY6wB8k
O/ESIRtcVJZPbUKsdZQMUgeQ8k77eFHC/zczIBMUoA+jhMfQO7oJ+Ey0zEVYj5s+ez7voJ
3U9095AoedknarhqdaeQj74FN+bFWJ21aH9h5d0W5dmoY/1l3hvYwrOffueUmA==
From: Aleksa Sarai <cyphar@cyphar.com>
To: Willy Tarreau <w@1wt.eu>, Shuah Khan <shuah@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Christian Brauner <brauner@kernel.org>,
Dave Chinner <dchinner@redhat.com>,
xu xin <cgel.zte@gmail.com>, Al Viro <viro@zeniv.linux.org.uk>,
Stefan Roesch <shr@devkernel.io>,
Aleksa Sarai <cyphar@cyphar.com>,
Zhihao Cheng <chengzhihao1@huawei.com>,
"Liam R. Howlett" <Liam.Howlett@Oracle.com>,
Janis Danisevskis <jdanis@google.com>,
Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: [PATCH] procfs: block chmod on /proc/thread-self/comm
Date: Thu, 13 Jul 2023 22:19:04 +1000
Message-ID: <20230713121907.9693-1-cyphar@cyphar.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Rspamd-Queue-Id: 4R1tvY219Sz9scb
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,
SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1771309512561586801
X-GMAIL-MSGID: 1771309512561586801
|
| Series |
procfs: block chmod on /proc/thread-self/comm
|
|
Commit Message
Aleksa Sarai
July 13, 2023, 12:19 p.m. UTC
Due to an oversight in commit 1b3044e39a89 ("procfs: fix pthread
cross-thread naming if !PR_DUMPABLE") in switching from REG to NOD,
chmod operations on /proc/thread-self/comm were no longer blocked as
they are on almost all other procfs files.
A very similar situation with /proc/self/environ was used to as a root
exploit a long time ago, but procfs has SB_I_NOEXEC so this is simply a
correctness issue.
Ref: https://lwn.net/Articles/191954/
Ref: 6d76fa58b050 ("Don't allow chmod() on the /proc/<pid>/ files")
Fixes: 1b3044e39a89 ("procfs: fix pthread cross-thread naming if !PR_DUMPABLE")
Cc: stable@vger.kernel.org # v4.7+
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
fs/proc/base.c | 3 ++-
tools/testing/selftests/nolibc/nolibc-test.c | 4 ++++
2 files changed, 6 insertions(+), 1 deletion(-)
Comments
+Cc Thomas Weißschuh <thomas@t-8ch.de> as this seems quite related to his finding about /proc/self/net: https://lore.kernel.org/lkml/20230624-proc-net-setattr-v1-0-73176812adee@weissschuh.net/#b On Thu, Jul 13, 2023 at 10:19:04PM +1000, Aleksa Sarai wrote: > Due to an oversight in commit 1b3044e39a89 ("procfs: fix pthread > cross-thread naming if !PR_DUMPABLE") in switching from REG to NOD, > chmod operations on /proc/thread-self/comm were no longer blocked as > they are on almost all other procfs files. > > A very similar situation with /proc/self/environ was used to as a root > exploit a long time ago, but procfs has SB_I_NOEXEC so this is simply a > correctness issue. > > Ref: https://lwn.net/Articles/191954/ > Ref: 6d76fa58b050 ("Don't allow chmod() on the /proc/<pid>/ files") > Fixes: 1b3044e39a89 ("procfs: fix pthread cross-thread naming if !PR_DUMPABLE") > Cc: stable@vger.kernel.org # v4.7+ > Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> > --- > fs/proc/base.c | 3 ++- > tools/testing/selftests/nolibc/nolibc-test.c | 4 ++++ > 2 files changed, 6 insertions(+), 1 deletion(-) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index 05452c3b9872..7394229816f3 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -3583,7 +3583,8 @@ static int proc_tid_comm_permission(struct mnt_idmap *idmap, > } > > static const struct inode_operations proc_tid_comm_inode_operations = { > - .permission = proc_tid_comm_permission, > + .setattr = proc_setattr, > + .permission = proc_tid_comm_permission, > }; > > /* > diff --git a/tools/testing/selftests/nolibc/nolibc-test.c b/tools/testing/selftests/nolibc/nolibc-test.c > index 486334981e60..08f0969208eb 100644 > --- a/tools/testing/selftests/nolibc/nolibc-test.c > +++ b/tools/testing/selftests/nolibc/nolibc-test.c > @@ -580,6 +580,10 @@ int run_syscall(int min, int max) > CASE_TEST(chmod_net); EXPECT_SYSZR(proc, chmod("/proc/self/net", 0555)); break; > CASE_TEST(chmod_self); EXPECT_SYSER(proc, chmod("/proc/self", 0555), -1, EPERM); break; > CASE_TEST(chown_self); EXPECT_SYSER(proc, chown("/proc/self", 0, 0), -1, EPERM); break; > + CASE_TEST(chmod_self_comm); EXPECT_SYSER(proc, chmod("/proc/self/comm", 0777), -1, EPERM); break; > + CASE_TEST(chmod_tid_comm); EXPECT_SYSER(proc, chmod("/proc/thread-self/comm", 0777), -1, EPERM); break; > + CASE_TEST(chmod_self_environ);EXPECT_SYSER(proc, chmod("/proc/self/environ", 0777), -1, EPERM); break; > + CASE_TEST(chmod_tid_environ); EXPECT_SYSER(proc, chmod("/proc/thread-self/environ", 0777), -1, EPERM); break; > CASE_TEST(chroot_root); EXPECT_SYSZR(euid0, chroot("/")); break; > CASE_TEST(chroot_blah); EXPECT_SYSER(1, chroot("/proc/self/blah"), -1, ENOENT); break; > CASE_TEST(chroot_exe); EXPECT_SYSER(proc, chroot("/proc/self/exe"), -1, ENOTDIR); break; > -- > 2.41.0
On 2023-07-13 22:19:04+1000, Aleksa Sarai wrote: > Due to an oversight in commit 1b3044e39a89 ("procfs: fix pthread > cross-thread naming if !PR_DUMPABLE") in switching from REG to NOD, > chmod operations on /proc/thread-self/comm were no longer blocked as > they are on almost all other procfs files. > > A very similar situation with /proc/self/environ was used to as a root > exploit a long time ago, but procfs has SB_I_NOEXEC so this is simply a > correctness issue. > > Ref: https://lwn.net/Articles/191954/ > Ref: 6d76fa58b050 ("Don't allow chmod() on the /proc/<pid>/ files") > Fixes: 1b3044e39a89 ("procfs: fix pthread cross-thread naming if !PR_DUMPABLE") > Cc: stable@vger.kernel.org # v4.7+ > Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> > --- > fs/proc/base.c | 3 ++- > tools/testing/selftests/nolibc/nolibc-test.c | 4 ++++ > 2 files changed, 6 insertions(+), 1 deletion(-) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index 05452c3b9872..7394229816f3 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -3583,7 +3583,8 @@ static int proc_tid_comm_permission(struct mnt_idmap *idmap, > } > > static const struct inode_operations proc_tid_comm_inode_operations = { > - .permission = proc_tid_comm_permission, > + .setattr = proc_setattr, > + .permission = proc_tid_comm_permission, > }; Given that this seems to be a recurring theme a more systematic aproach would help. Something like the following (untested) patch: diff --git a/fs/proc/base.c b/fs/proc/base.c index 05452c3b9872..b90f2e9cda66 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2649,6 +2649,7 @@ static struct dentry *proc_pident_instantiate(struct dentry *dentry, set_nlink(inode, 2); /* Use getattr to fix if necessary */ if (p->iop) inode->i_op = p->iop; + WARN_ON(!inode->i_op->setattr); if (p->fop) inode->i_fop = p->fop; ei->op = p->op; > /* > diff --git a/tools/testing/selftests/nolibc/nolibc-test.c b/tools/testing/selftests/nolibc/nolibc-test.c > index 486334981e60..08f0969208eb 100644 > --- a/tools/testing/selftests/nolibc/nolibc-test.c > +++ b/tools/testing/selftests/nolibc/nolibc-test.c > @@ -580,6 +580,10 @@ int run_syscall(int min, int max) > CASE_TEST(chmod_net); EXPECT_SYSZR(proc, chmod("/proc/self/net", 0555)); break; > CASE_TEST(chmod_self); EXPECT_SYSER(proc, chmod("/proc/self", 0555), -1, EPERM); break; > CASE_TEST(chown_self); EXPECT_SYSER(proc, chown("/proc/self", 0, 0), -1, EPERM); break; > + CASE_TEST(chmod_self_comm); EXPECT_SYSER(proc, chmod("/proc/self/comm", 0777), -1, EPERM); break; > + CASE_TEST(chmod_tid_comm); EXPECT_SYSER(proc, chmod("/proc/thread-self/comm", 0777), -1, EPERM); break; > + CASE_TEST(chmod_self_environ);EXPECT_SYSER(proc, chmod("/proc/self/environ", 0777), -1, EPERM); break; > + CASE_TEST(chmod_tid_environ); EXPECT_SYSER(proc, chmod("/proc/thread-self/environ", 0777), -1, EPERM); break; I'm not a big fan of this, it abuses the nolibc testsuite to test core kernel functionality. If this needs to be tested explicitly there is hopefully a better place. Those existing tests focus on testing functionality provided by nolibc. The test chmod_net just got removed because it suffered from the same bug as /proc/thread-self/comm. > CASE_TEST(chroot_root); EXPECT_SYSZR(euid0, chroot("/")); break; > CASE_TEST(chroot_blah); EXPECT_SYSER(1, chroot("/proc/self/blah"), -1, ENOENT); break; > CASE_TEST(chroot_exe); EXPECT_SYSER(proc, chroot("/proc/self/exe"), -1, ENOTDIR); break; > -- > 2.41.0 >
On Thu, Jul 13, 2023 at 03:01:24PM +0200, Thomas Weißschuh wrote: > On 2023-07-13 22:19:04+1000, Aleksa Sarai wrote: > > Due to an oversight in commit 1b3044e39a89 ("procfs: fix pthread > > cross-thread naming if !PR_DUMPABLE") in switching from REG to NOD, > > chmod operations on /proc/thread-self/comm were no longer blocked as > > they are on almost all other procfs files. > > > > A very similar situation with /proc/self/environ was used to as a root > > exploit a long time ago, but procfs has SB_I_NOEXEC so this is simply a > > correctness issue. > > > > Ref: https://lwn.net/Articles/191954/ > > Ref: 6d76fa58b050 ("Don't allow chmod() on the /proc/<pid>/ files") > > Fixes: 1b3044e39a89 ("procfs: fix pthread cross-thread naming if !PR_DUMPABLE") > > Cc: stable@vger.kernel.org # v4.7+ > > Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> > > --- > > fs/proc/base.c | 3 ++- > > tools/testing/selftests/nolibc/nolibc-test.c | 4 ++++ > > 2 files changed, 6 insertions(+), 1 deletion(-) > > > > diff --git a/fs/proc/base.c b/fs/proc/base.c > > index 05452c3b9872..7394229816f3 100644 > > --- a/fs/proc/base.c > > +++ b/fs/proc/base.c > > @@ -3583,7 +3583,8 @@ static int proc_tid_comm_permission(struct mnt_idmap *idmap, > > } > > > > static const struct inode_operations proc_tid_comm_inode_operations = { > > - .permission = proc_tid_comm_permission, > > + .setattr = proc_setattr, > > + .permission = proc_tid_comm_permission, > > }; > > Given that this seems to be a recurring theme a more systematic > aproach would help. > > Something like the following (untested) patch: > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index 05452c3b9872..b90f2e9cda66 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -2649,6 +2649,7 @@ static struct dentry *proc_pident_instantiate(struct dentry *dentry, > set_nlink(inode, 2); /* Use getattr to fix if necessary */ > if (p->iop) > inode->i_op = p->iop; > + WARN_ON(!inode->i_op->setattr); Hm, no. This is hacky. To fix this properly we will need to wean off notify_change() from falling back to simple_setattr() when no i_op->setattr() method is defined. To do that we will have to go through every filesystem and port all that rely on this fallback to set simple_setattr() explicitly as their i_op->setattr() method. Christoph and I just discussed this in relation to another patch. This is a bugfix so it should be as minimal as possible for easy backport.
On 2023-07-13, Willy Tarreau <w@1wt.eu> wrote: > +Cc Thomas Weißschuh <thomas@t-8ch.de> as this seems quite related to > his finding about /proc/self/net: > > https://lore.kernel.org/lkml/20230624-proc-net-setattr-v1-0-73176812adee@weissschuh.net/#b Yeah I saw this patch and (along with an earlier discussion with Christian on the topic of chmod on symlinks -- see [1]) lead us to find that there were three other cases where this happens unintentionally: * /proc/self (on the symlink itself) * /proc/thread-self (on the symlink itself) * /proc/thread-self/comm The first two will be fixed by [1] so fixing them isn't necessary. [1]: https://lore.kernel.org/linux-fsdevel/20230712-vfs-chmod-symlinks-v2-1-08cfb92b61dd@kernel.org/
diff --git a/fs/proc/base.c b/fs/proc/base.c index 05452c3b9872..7394229816f3 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -3583,7 +3583,8 @@ static int proc_tid_comm_permission(struct mnt_idmap *idmap, } static const struct inode_operations proc_tid_comm_inode_operations = { - .permission = proc_tid_comm_permission, + .setattr = proc_setattr, + .permission = proc_tid_comm_permission, }; /* diff --git a/tools/testing/selftests/nolibc/nolibc-test.c b/tools/testing/selftests/nolibc/nolibc-test.c index 486334981e60..08f0969208eb 100644 --- a/tools/testing/selftests/nolibc/nolibc-test.c +++ b/tools/testing/selftests/nolibc/nolibc-test.c @@ -580,6 +580,10 @@ int run_syscall(int min, int max) CASE_TEST(chmod_net); EXPECT_SYSZR(proc, chmod("/proc/self/net", 0555)); break; CASE_TEST(chmod_self); EXPECT_SYSER(proc, chmod("/proc/self", 0555), -1, EPERM); break; CASE_TEST(chown_self); EXPECT_SYSER(proc, chown("/proc/self", 0, 0), -1, EPERM); break; + CASE_TEST(chmod_self_comm); EXPECT_SYSER(proc, chmod("/proc/self/comm", 0777), -1, EPERM); break; + CASE_TEST(chmod_tid_comm); EXPECT_SYSER(proc, chmod("/proc/thread-self/comm", 0777), -1, EPERM); break; + CASE_TEST(chmod_self_environ);EXPECT_SYSER(proc, chmod("/proc/self/environ", 0777), -1, EPERM); break; + CASE_TEST(chmod_tid_environ); EXPECT_SYSER(proc, chmod("/proc/thread-self/environ", 0777), -1, EPERM); break; CASE_TEST(chroot_root); EXPECT_SYSZR(euid0, chroot("/")); break; CASE_TEST(chroot_blah); EXPECT_SYSER(1, chroot("/proc/self/blah"), -1, ENOENT); break; CASE_TEST(chroot_exe); EXPECT_SYSER(proc, chroot("/proc/self/exe"), -1, ENOTDIR); break;