mirror of
https://github.com/torvalds/linux.git
synced 2024-11-27 14:41:39 +00:00
caaee6234d
By checking the effective credentials instead of the real UID / permitted capabilities, ensure that the calling process actually intended to use its credentials. To ensure that all ptrace checks use the correct caller credentials (e.g. in case out-of-tree code or newly added code omits the PTRACE_MODE_*CREDS flag), use two new flags and require one of them to be set. The problem was that when a privileged task had temporarily dropped its privileges, e.g. by calling setreuid(0, user_uid), with the intent to perform following syscalls with the credentials of a user, it still passed ptrace access checks that the user would not be able to pass. While an attacker should not be able to convince the privileged task to perform a ptrace() syscall, this is a problem because the ptrace access check is reused for things in procfs. In particular, the following somewhat interesting procfs entries only rely on ptrace access checks: /proc/$pid/stat - uses the check for determining whether pointers should be visible, useful for bypassing ASLR /proc/$pid/maps - also useful for bypassing ASLR /proc/$pid/cwd - useful for gaining access to restricted directories that contain files with lax permissions, e.g. in this scenario: lrwxrwxrwx root root /proc/13020/cwd -> /root/foobar drwx------ root root /root drwxr-xr-x root root /root/foobar -rw-r--r-- root root /root/foobar/secret Therefore, on a system where a root-owned mode 6755 binary changes its effective credentials as described and then dumps a user-specified file, this could be used by an attacker to reveal the memory layout of root's processes or reveal the contents of files he is not allowed to access (through /proc/$pid/cwd). [akpm@linux-foundation.org: fix warning] Signed-off-by: Jann Horn <jann@thejh.net> Acked-by: Kees Cook <keescook@chromium.org> Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: James Morris <james.l.morris@oracle.com> Cc: "Serge E. Hallyn" <serge.hallyn@ubuntu.com> Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Willy Tarreau <w@1wt.eu> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
202 lines
4.5 KiB
C
202 lines
4.5 KiB
C
/*
|
|
* linux/kernel/futex_compat.c
|
|
*
|
|
* Futex compatibililty routines.
|
|
*
|
|
* Copyright 2006, Red Hat, Inc., Ingo Molnar
|
|
*/
|
|
|
|
#include <linux/linkage.h>
|
|
#include <linux/compat.h>
|
|
#include <linux/nsproxy.h>
|
|
#include <linux/futex.h>
|
|
#include <linux/ptrace.h>
|
|
#include <linux/syscalls.h>
|
|
|
|
#include <asm/uaccess.h>
|
|
|
|
|
|
/*
|
|
* Fetch a robust-list pointer. Bit 0 signals PI futexes:
|
|
*/
|
|
static inline int
|
|
fetch_robust_entry(compat_uptr_t *uentry, struct robust_list __user **entry,
|
|
compat_uptr_t __user *head, unsigned int *pi)
|
|
{
|
|
if (get_user(*uentry, head))
|
|
return -EFAULT;
|
|
|
|
*entry = compat_ptr((*uentry) & ~1);
|
|
*pi = (unsigned int)(*uentry) & 1;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void __user *futex_uaddr(struct robust_list __user *entry,
|
|
compat_long_t futex_offset)
|
|
{
|
|
compat_uptr_t base = ptr_to_compat(entry);
|
|
void __user *uaddr = compat_ptr(base + futex_offset);
|
|
|
|
return uaddr;
|
|
}
|
|
|
|
/*
|
|
* Walk curr->robust_list (very carefully, it's a userspace list!)
|
|
* and mark any locks found there dead, and notify any waiters.
|
|
*
|
|
* We silently return on any sign of list-walking problem.
|
|
*/
|
|
void compat_exit_robust_list(struct task_struct *curr)
|
|
{
|
|
struct compat_robust_list_head __user *head = curr->compat_robust_list;
|
|
struct robust_list __user *entry, *next_entry, *pending;
|
|
unsigned int limit = ROBUST_LIST_LIMIT, pi, pip;
|
|
unsigned int uninitialized_var(next_pi);
|
|
compat_uptr_t uentry, next_uentry, upending;
|
|
compat_long_t futex_offset;
|
|
int rc;
|
|
|
|
if (!futex_cmpxchg_enabled)
|
|
return;
|
|
|
|
/*
|
|
* Fetch the list head (which was registered earlier, via
|
|
* sys_set_robust_list()):
|
|
*/
|
|
if (fetch_robust_entry(&uentry, &entry, &head->list.next, &pi))
|
|
return;
|
|
/*
|
|
* Fetch the relative futex offset:
|
|
*/
|
|
if (get_user(futex_offset, &head->futex_offset))
|
|
return;
|
|
/*
|
|
* Fetch any possibly pending lock-add first, and handle it
|
|
* if it exists:
|
|
*/
|
|
if (fetch_robust_entry(&upending, &pending,
|
|
&head->list_op_pending, &pip))
|
|
return;
|
|
|
|
next_entry = NULL; /* avoid warning with gcc */
|
|
while (entry != (struct robust_list __user *) &head->list) {
|
|
/*
|
|
* Fetch the next entry in the list before calling
|
|
* handle_futex_death:
|
|
*/
|
|
rc = fetch_robust_entry(&next_uentry, &next_entry,
|
|
(compat_uptr_t __user *)&entry->next, &next_pi);
|
|
/*
|
|
* A pending lock might already be on the list, so
|
|
* dont process it twice:
|
|
*/
|
|
if (entry != pending) {
|
|
void __user *uaddr = futex_uaddr(entry, futex_offset);
|
|
|
|
if (handle_futex_death(uaddr, curr, pi))
|
|
return;
|
|
}
|
|
if (rc)
|
|
return;
|
|
uentry = next_uentry;
|
|
entry = next_entry;
|
|
pi = next_pi;
|
|
/*
|
|
* Avoid excessively long or circular lists:
|
|
*/
|
|
if (!--limit)
|
|
break;
|
|
|
|
cond_resched();
|
|
}
|
|
if (pending) {
|
|
void __user *uaddr = futex_uaddr(pending, futex_offset);
|
|
|
|
handle_futex_death(uaddr, curr, pip);
|
|
}
|
|
}
|
|
|
|
COMPAT_SYSCALL_DEFINE2(set_robust_list,
|
|
struct compat_robust_list_head __user *, head,
|
|
compat_size_t, len)
|
|
{
|
|
if (!futex_cmpxchg_enabled)
|
|
return -ENOSYS;
|
|
|
|
if (unlikely(len != sizeof(*head)))
|
|
return -EINVAL;
|
|
|
|
current->compat_robust_list = head;
|
|
|
|
return 0;
|
|
}
|
|
|
|
COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid,
|
|
compat_uptr_t __user *, head_ptr,
|
|
compat_size_t __user *, len_ptr)
|
|
{
|
|
struct compat_robust_list_head __user *head;
|
|
unsigned long ret;
|
|
struct task_struct *p;
|
|
|
|
if (!futex_cmpxchg_enabled)
|
|
return -ENOSYS;
|
|
|
|
rcu_read_lock();
|
|
|
|
ret = -ESRCH;
|
|
if (!pid)
|
|
p = current;
|
|
else {
|
|
p = find_task_by_vpid(pid);
|
|
if (!p)
|
|
goto err_unlock;
|
|
}
|
|
|
|
ret = -EPERM;
|
|
if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
|
|
goto err_unlock;
|
|
|
|
head = p->compat_robust_list;
|
|
rcu_read_unlock();
|
|
|
|
if (put_user(sizeof(*head), len_ptr))
|
|
return -EFAULT;
|
|
return put_user(ptr_to_compat(head), head_ptr);
|
|
|
|
err_unlock:
|
|
rcu_read_unlock();
|
|
|
|
return ret;
|
|
}
|
|
|
|
COMPAT_SYSCALL_DEFINE6(futex, u32 __user *, uaddr, int, op, u32, val,
|
|
struct compat_timespec __user *, utime, u32 __user *, uaddr2,
|
|
u32, val3)
|
|
{
|
|
struct timespec ts;
|
|
ktime_t t, *tp = NULL;
|
|
int val2 = 0;
|
|
int cmd = op & FUTEX_CMD_MASK;
|
|
|
|
if (utime && (cmd == FUTEX_WAIT || cmd == FUTEX_LOCK_PI ||
|
|
cmd == FUTEX_WAIT_BITSET ||
|
|
cmd == FUTEX_WAIT_REQUEUE_PI)) {
|
|
if (compat_get_timespec(&ts, utime))
|
|
return -EFAULT;
|
|
if (!timespec_valid(&ts))
|
|
return -EINVAL;
|
|
|
|
t = timespec_to_ktime(ts);
|
|
if (cmd == FUTEX_WAIT)
|
|
t = ktime_add_safe(ktime_get(), t);
|
|
tp = &t;
|
|
}
|
|
if (cmd == FUTEX_REQUEUE || cmd == FUTEX_CMP_REQUEUE ||
|
|
cmd == FUTEX_CMP_REQUEUE_PI || cmd == FUTEX_WAKE_OP)
|
|
val2 = (int) (unsigned long) utime;
|
|
|
|
return do_futex(uaddr, op, val, tp, uaddr2, val2, val3);
|
|
}
|