Re: [tip:core/locking] futex: Do not leak robust list to unprivileged process

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 
On 03/29/2012 05:55 PM, tip-bot for Kees Cook wrote:
> Commit-ID:  bdbb776f882f5ad431aa1e694c69c1c3d6a4a5b8
> Gitweb:     http://git.kernel.org/tip/bdbb776f882f5ad431aa1e694c69c1c3d6a4a5b8
> Author:     Kees Cook <keescook@xxxxxxxxxxxx>
> AuthorDate: Mon, 19 Mar 2012 16:12:53 -0700
> Committer:  Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> CommitDate: Thu, 29 Mar 2012 11:37:17 +0200
> 
> futex: Do not leak robust list to unprivileged process
> 
> It was possible to extract the robust list head address from a setuid
> process if it had used set_robust_list(), allowing an ASLR info leak. This
> changes the permission checks to be the same as those used for similar
> info that comes out of /proc.
> 
> Running a setuid program that uses robust futexes would have had:
>   cred->euid != pcred->euid
>   cred->euid == pcred->uid
> so the old permissions check would allow it. I'm not aware of any setuid
> programs that use robust futexes, so this is just a preventative measure.
> 

I'm not sure this change prevents the unprivileged process.
Please refer to LTP test, recently I saw that this change broke
the following test.

https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/syscalls/get_robust_list/get_robust_list01.c#L155
		if (seteuid(1) == -1)
			tst_brkm(TBROK|TERRNO, cleanup, "seteuid(1) failed");

		TEST(retval = syscall(__NR_get_robust_list, 1,
				      (struct robust_list_head *)&head,
				      &len_ptr));

We set the euid to an unprivileged user, and expect to FAIL with EPERM,
without this patch, it FAIL as we expected, but with it, this call succeed.

Seems that we leaked the check of (cred->euid == pcred->euid && cred->euid == pcred->uid),
I'm not sure which one is right, can you please give an explanation?


Thanks in advance,
Wanlong Gao

> (This patch is based on changes from grsecurity.)
> 
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: Darren Hart <dvhart@xxxxxxxxxxxxxxx>
> Cc: Peter Zijlstra <a.p.zijlstra@xxxxxxxxx>
> Cc: Jiri Kosina <jkosina@xxxxxxx>
> Cc: Eric W. Biederman <ebiederm@xxxxxxxxxxxx>
> Cc: David Howells <dhowells@xxxxxxxxxx>
> Cc: Serge E. Hallyn <serge.hallyn@xxxxxxxxxxxxx>
> Cc: kernel-hardening@xxxxxxxxxxxxxxxxxx
> Cc: spender@xxxxxxxxxxxxxx
> Link: http://lkml.kernel.org/r/20120319231253.GA20893@xxxxxxxxxxxxxxx
> Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> ---
>  kernel/futex.c        |   36 +++++++++++++-----------------------
>  kernel/futex_compat.c |   36 +++++++++++++-----------------------
>  2 files changed, 26 insertions(+), 46 deletions(-)
> 
> diff --git a/kernel/futex.c b/kernel/futex.c
> index 72efa1e..d701be5 100644
> --- a/kernel/futex.c
> +++ b/kernel/futex.c
> @@ -59,6 +59,7 @@
>  #include <linux/magic.h>
>  #include <linux/pid.h>
>  #include <linux/nsproxy.h>
> +#include <linux/ptrace.h>
>  
>  #include <asm/futex.h>
>  
> @@ -2443,40 +2444,29 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
>  {
>  	struct robust_list_head __user *head;
>  	unsigned long ret;
> -	const struct cred *cred = current_cred(), *pcred;
> +	struct task_struct *p;
>  
>  	if (!futex_cmpxchg_enabled)
>  		return -ENOSYS;
>  
> +	rcu_read_lock();
> +
> +	ret = -ESRCH;
>  	if (!pid)
> -		head = current->robust_list;
> +		p = current;
>  	else {
> -		struct task_struct *p;
> -
> -		ret = -ESRCH;
> -		rcu_read_lock();
>  		p = find_task_by_vpid(pid);
>  		if (!p)
>  			goto err_unlock;
> -		ret = -EPERM;
> -		pcred = __task_cred(p);
> -		/* If victim is in different user_ns, then uids are not
> -		   comparable, so we must have CAP_SYS_PTRACE */
> -		if (cred->user->user_ns != pcred->user->user_ns) {
> -			if (!ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
> -				goto err_unlock;
> -			goto ok;
> -		}
> -		/* If victim is in same user_ns, then uids are comparable */
> -		if (cred->euid != pcred->euid &&
> -		    cred->euid != pcred->uid &&
> -		    !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
> -			goto err_unlock;
> -ok:
> -		head = p->robust_list;
> -		rcu_read_unlock();
>  	}
>  
> +	ret = -EPERM;
> +	if (!ptrace_may_access(p, PTRACE_MODE_READ))
> +		goto err_unlock;
> +
> +	head = p->robust_list;
> +	rcu_read_unlock();
> +
>  	if (put_user(sizeof(*head), len_ptr))
>  		return -EFAULT;
>  	return put_user(head, head_ptr);
> diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c
> index 5f9e689..a9642d5 100644
> --- a/kernel/futex_compat.c
> +++ b/kernel/futex_compat.c
> @@ -10,6 +10,7 @@
>  #include <linux/compat.h>
>  #include <linux/nsproxy.h>
>  #include <linux/futex.h>
> +#include <linux/ptrace.h>
>  
>  #include <asm/uaccess.h>
>  
> @@ -136,40 +137,29 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr,
>  {
>  	struct compat_robust_list_head __user *head;
>  	unsigned long ret;
> -	const struct cred *cred = current_cred(), *pcred;
> +	struct task_struct *p;
>  
>  	if (!futex_cmpxchg_enabled)
>  		return -ENOSYS;
>  
> +	rcu_read_lock();
> +
> +	ret = -ESRCH;
>  	if (!pid)
> -		head = current->compat_robust_list;
> +		p = current;
>  	else {
> -		struct task_struct *p;
> -
> -		ret = -ESRCH;
> -		rcu_read_lock();
>  		p = find_task_by_vpid(pid);
>  		if (!p)
>  			goto err_unlock;
> -		ret = -EPERM;
> -		pcred = __task_cred(p);
> -		/* If victim is in different user_ns, then uids are not
> -		   comparable, so we must have CAP_SYS_PTRACE */
> -		if (cred->user->user_ns != pcred->user->user_ns) {
> -			if (!ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
> -				goto err_unlock;
> -			goto ok;
> -		}
> -		/* If victim is in same user_ns, then uids are comparable */
> -		if (cred->euid != pcred->euid &&
> -		    cred->euid != pcred->uid &&
> -		    !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
> -			goto err_unlock;
> -ok:
> -		head = p->compat_robust_list;
> -		rcu_read_unlock();
>  	}
>  
> +	ret = -EPERM;
> +	if (!ptrace_may_access(p, PTRACE_MODE_READ))
> +		goto err_unlock;
> +
> +	head = p->compat_robust_list;
> +	rcu_read_unlock();
> +
>  	if (put_user(sizeof(*head), len_ptr))
>  		return -EFAULT;
>  	return put_user(ptr_to_compat(head), head_ptr);
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
> 


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Other Archives]     [Linux Kernel Newbies]     [Linux Driver Development]     [Linux Kbuild]     [Fedora Kernel]     [Linux Kernel Testers]     [Linux SH]     [Linux Omap]     [Linux Tape]     [Linux Input]     [Linux Kernel Janitors]     [Linux Kernel Packagers]     [Linux Doc]     [Linux Man Pages]     [Linux API]     [Linux Memory Management]     [Linux Modules]     [Linux Standards]     [Kernel Announce]     [Netdev]     [Git]     [Linux PCI]     Linux CAN Development     [Linux I2C]     [Linux RDMA]     [Linux NUMA]     [Netfilter]     [Netfilter Devel]     [SELinux]     [Bugtraq]     [FIO]     [Linux Perf Users]     [Linux Serial]     [Linux PPP]     [Linux ISDN]     [Linux Next]     [Kernel Stable Commits]     [Linux Tip Commits]     [Kernel MM Commits]     [Linux Security Module]     [AutoFS]     [Filesystem Development]     [Ext3 Filesystem]     [Linux bcache]     [Ext4 Filesystem]     [Linux BTRFS]     [Linux CEPH Filesystem]     [Linux XFS]     [XFS]     [Linux NFS]     [Linux CIFS]     [Ecryptfs]     [Linux NILFS]     [Linux Cachefs]     [Reiser FS]     [Initramfs]     [Linux FB Devel]     [Linux OpenGL]     [DRI Devel]     [Fastboot]     [Linux RT Users]     [Linux RT Stable]     [eCos]     [Corosync]     [Linux Clusters]     [LVS Devel]     [Hot Plug]     [Linux Virtualization]     [KVM]     [KVM PPC]     [KVM ia64]     [Linux Containers]     [Linux Hexagon]     [Linux Cgroups]     [Util Linux]     [Wireless]     [Linux Bluetooth]     [Bluez Devel]     [Ethernet Bridging]     [Embedded Linux]     [Barebox]     [Linux MMC]     [Linux IIO]     [Sparse]     [Smatch]     [Linux Arch]     [x86 Platform Driver]     [Linux ACPI]     [Linux IBM ACPI]     [LM Sensors]     [CPU Freq]     [Linux Power Management]     [Linmodems]     [Linux DCCP]     [Linux SCTP]     [ALSA Devel]     [Linux USB]     [Linux PA RISC]     [Linux Samsung SOC]     [MIPS Linux]     [IBM S/390 Linux]     [ARM Linux]     [ARM Kernel]     [ARM MSM]     [Tegra Devel]     [Sparc Linux]     [Linux Security]     [Linux Sound]     [Linux Media]     [Video 4 Linux]     [Linux IRDA Users]     [Linux for the blind]     [Linux RAID]     [Linux ATA RAID]     [Device Mapper]     [Linux SCSI]     [SCSI Target Devel]     [Linux SCSI Target Infrastructure]     [Linux IDE]     [Linux SMP]     [Linux AXP]     [Linux Alpha]     [Linux M68K]     [Linux ia64]     [Linux 8086]     [Linux x86_64]     [Linux Config]     [Linux Apps]     [Linux MSDOS]     [Linux X.25]     [Linux Crypto]     [DM Crypt]     [Linux Trace Users]     [Linux Btrace]     [Linux Watchdog]     [Utrace Devel]     [Linux C Programming]     [Linux Assembly]     [Dash]     [DWARVES]     [Hail Devel]     [Linux Kernel Debugger]     [Linux gcc]     [Gcc Help]     [X.Org]     [Wine]

Add to Google Powered by Linux

[Older Kernel Discussion]     [Yosemite National Park Forum]     [Large Format Photos]     [Gimp]     [Yosemite Photos]     [Stuff]