fs: Allow opening only regular files during execve().

Message ID	d1e2488f-a969-30d4-5023-6fa85a4e3833@I-love.SAKURA.ne.jp (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-fsdevel-owner@kernel.org> Subject: [PATCH] fs: Allow opening only regular files during execve(). To: Eric Biggers <ebiggers3@gmail.com>, Al Viro <viro@zeniv.linux.org.uk> Cc: Dmitry Vyukov <dvyukov@google.com>, Kees Cook <keescook@chromium.org>, syzbot <bot+e93a80c1bb7c5c56e522461c149f8bf55eab1b2b@syzkaller.appspotmail.com>, "linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>, LKML <linux-kernel@vger.kernel.org>, syzkaller-bugs <syzkaller-bugs@googlegroups.com> References: <001a113f711ae2110c055f45acb8@google.com> <20171212220647.GJ185376@gmail.com> <CAGXu5jLcuE-h9V04fTtoSfz9mZdVeH1zfJOpRncK2NZkv2gsnQ@mail.gmail.com> <CACT4Y+aeSz05wDyStT75OFFi_aTyxbfzz7Z6jJ6FJsLNN3Pdtg@mail.gmail.com> From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Message-ID: <d1e2488f-a969-30d4-5023-6fa85a4e3833@I-love.SAKURA.ne.jp> Date: Mon, 21 Jan 2019 19:14:39 +0900 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0 MIME-Version: 1.0 In-Reply-To: <CACT4Y+aeSz05wDyStT75OFFi_aTyxbfzz7Z6jJ6FJsLNN3Pdtg@mail.gmail.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk
Series	fs: Allow opening only regular files during execve(). \| expand fs: Allow opening only regular files during execve().

Message ID

d1e2488f-a969-30d4-5023-6fa85a4e3833@I-love.SAKURA.ne.jp (mailing list archive)

State

New, archived

Headers

Subject: [PATCH] fs: Allow opening only regular files during execve().
To: Eric Biggers <ebiggers3@gmail.com>,
        Al Viro <viro@zeniv.linux.org.uk>
Cc: Dmitry Vyukov <dvyukov@google.com>,
        Kees Cook <keescook@chromium.org>,
        syzbot
        <bot+e93a80c1bb7c5c56e522461c149f8bf55eab1b2b@syzkaller.appspotmail.com>,
        "linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        syzkaller-bugs <syzkaller-bugs@googlegroups.com>
References: <001a113f711ae2110c055f45acb8@google.com>
 <20171212220647.GJ185376@gmail.com>
 <CAGXu5jLcuE-h9V04fTtoSfz9mZdVeH1zfJOpRncK2NZkv2gsnQ@mail.gmail.com>
 <CACT4Y+aeSz05wDyStT75OFFi_aTyxbfzz7Z6jJ6FJsLNN3Pdtg@mail.gmail.com>
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Message-ID: <d1e2488f-a969-30d4-5023-6fa85a4e3833@I-love.SAKURA.ne.jp>
Date: Mon, 21 Jan 2019 19:14:39 +0900
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:60.0) Gecko/20100101
 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: 
 <CACT4Y+aeSz05wDyStT75OFFi_aTyxbfzz7Z6jJ6FJsLNN3Pdtg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-fsdevel-owner@vger.kernel.org
Precedence: bulk

Series

fs: Allow opening only regular files during execve(). | expand

Commit Message

Tetsuo Handa Jan. 21, 2019, 10:14 a.m. UTC

On Tue, Dec 12, 2017 at 2:06 PM, Eric Biggers <ebiggers3@gmail.com> wrote:
> I'm not sure what the fix will be.  Maybe the proc handlers should take a
> different lock instead of cred_guard_mutex.  Or perhaps execve should check that
> the file is a regular file before it attempts to open it.

We can easily distinguish open() from execve() and open() from others. ;-)

From a8c559566f743eeec31c3cf5bab7a90b1ff7f78b Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Mon, 21 Jan 2019 13:55:11 +0900
Subject: [PATCH] fs: Allow opening only regular files during execve().

syzbot is hitting lockdep warning [1] due to trying to open a fifo during
an execve() operation. But we don't need to open non regular files during
an execve() operation, for all files which we will need are the executable
file itself, the interpreter program, and libraries like ld-linux.so.2
required by the executable file or the interpreter program.

Since the manpage for execve(2) says that execve() returns EACCES when
the file or a script interpreter is not a regular file, and we set
current->in_execve flag during an execve() operation, let's bail out
when current thread tried to open a non regular file during an execve()
operation.

[1] https://syzkaller.appspot.com/bug?id=b5095bfec44ec84213bac54742a82483aad578ce

Reported-by: syzbot <syzbot+e93a80c1bb7c5c56e522461c149f8bf55eab1b2b@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 fs/open.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Kees Cook Jan. 21, 2019, 8:24 p.m. UTC | #1

On Mon, Jan 21, 2019 at 11:15 PM Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
>
> On Tue, Dec 12, 2017 at 2:06 PM, Eric Biggers <ebiggers3@gmail.com> wrote:
> > I'm not sure what the fix will be.  Maybe the proc handlers should take a
> > different lock instead of cred_guard_mutex.  Or perhaps execve should check that
> > the file is a regular file before it attempts to open it.
>
> We can easily distinguish open() from execve() and open() from others. ;-)
>
> From a8c559566f743eeec31c3cf5bab7a90b1ff7f78b Mon Sep 17 00:00:00 2001
> From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Date: Mon, 21 Jan 2019 13:55:11 +0900
> Subject: [PATCH] fs: Allow opening only regular files during execve().
>
> syzbot is hitting lockdep warning [1] due to trying to open a fifo during
> an execve() operation. But we don't need to open non regular files during
> an execve() operation, for all files which we will need are the executable
> file itself, the interpreter program, and libraries like ld-linux.so.2
> required by the executable file or the interpreter program.
>
> Since the manpage for execve(2) says that execve() returns EACCES when
> the file or a script interpreter is not a regular file, and we set
> current->in_execve flag during an execve() operation, let's bail out
> when current thread tried to open a non regular file during an execve()
> operation.
>
> [1] https://syzkaller.appspot.com/bug?id=b5095bfec44ec84213bac54742a82483aad578ce
>
> Reported-by: syzbot <syzbot+e93a80c1bb7c5c56e522461c149f8bf55eab1b2b@syzkaller.appspotmail.com>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

I like it!

Acked-by: Kees Cook <keescook@chromium.org>

-Kees

> ---
>  fs/open.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/fs/open.c b/fs/open.c
> index 0285ce7dbd51..b2e7b04ade46 100644
> --- a/fs/open.c
> +++ b/fs/open.c
> @@ -733,6 +733,12 @@ static int do_dentry_open(struct file *f,
>                 return 0;
>         }
>
> +       /* The file or a script interpreter has to be a regular file. */
> +       if (unlikely(current->in_execve && !S_ISREG(inode->i_mode))) {
> +               error = -EACCES;
> +               goto cleanup_file;
> +       }
> +
>         if (f->f_mode & FMODE_WRITE && !special_file(inode->i_mode)) {
>                 error = get_write_access(inode);
>                 if (unlikely(error))
> --
> 2.17.1

Al Viro Jan. 21, 2019, 9:18 p.m. UTC | #2

On Mon, Jan 21, 2019 at 07:14:39PM +0900, Tetsuo Handa wrote:
> On Tue, Dec 12, 2017 at 2:06 PM, Eric Biggers <ebiggers3@gmail.com> wrote:
> > I'm not sure what the fix will be.  Maybe the proc handlers should take a
> > different lock instead of cred_guard_mutex.  Or perhaps execve should check that
> > the file is a regular file before it attempts to open it.
> 
> We can easily distinguish open() from execve() and open() from others. ;-)

> +	/* The file or a script interpreter has to be a regular file. */
> +	if (unlikely(current->in_execve && !S_ISREG(inode->i_mode))) {
> +		error = -EACCES;
> +		goto cleanup_file;
> +	}

We are *NOT* going to use current->in_execve to propagate that information.
Come up with a cleaner solution, if you care, but this one is a non-starter.
Too ugly to live.  Sorry.

Kees Cook Jan. 22, 2019, 12:51 a.m. UTC | #3

On Tue, Jan 22, 2019 at 10:18 AM Al Viro <viro@zeniv.linux.org.uk> wrote:
>
> On Mon, Jan 21, 2019 at 07:14:39PM +0900, Tetsuo Handa wrote:
> > On Tue, Dec 12, 2017 at 2:06 PM, Eric Biggers <ebiggers3@gmail.com> wrote:
> > > I'm not sure what the fix will be.  Maybe the proc handlers should take a
> > > different lock instead of cred_guard_mutex.  Or perhaps execve should check that
> > > the file is a regular file before it attempts to open it.
> >
> > We can easily distinguish open() from execve() and open() from others. ;-)
>
> > +     /* The file or a script interpreter has to be a regular file. */
> > +     if (unlikely(current->in_execve && !S_ISREG(inode->i_mode))) {
> > +             error = -EACCES;
> > +             goto cleanup_file;
> > +     }
>
> We are *NOT* going to use current->in_execve to propagate that information.
> Come up with a cleaner solution, if you care, but this one is a non-starter.
> Too ugly to live.  Sorry.

What would you suggest for a cleaner indication of being in an execve?

diff --git a/fs/open.c b/fs/open.c
index 0285ce7dbd51..b2e7b04ade46 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -733,6 +733,12 @@  static int do_dentry_open(struct file *f,
 		return 0;
 	}
 
+	/* The file or a script interpreter has to be a regular file. */
+	if (unlikely(current->in_execve && !S_ISREG(inode->i_mode))) {
+		error = -EACCES;
+		goto cleanup_file;
+	}
+
 	if (f->f_mode & FMODE_WRITE && !special_file(inode->i_mode)) {
 		error = get_write_access(inode);
 		if (unlikely(error))

fs: Allow opening only regular files during execve().

Commit Message

Comments

Patch