From patchwork Fri Nov 20 00:10:43 2015
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 7662681
Date: Thu, 19 Nov 2015 16:10:43 -0800
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Andrew Morton, Dave Chinner, Andy Lutomirski, Jan Kara, "Kirill A. Shutemov", Mel Gorman, Johannes Weiner, Rik van Riel, Matthew Wilcox, Shachar Raindel, Boaz Harrosh, Michal Hocko, Haggai Eran, Theodore Tso, Willy Tarreau, Dirk Steinmetz, Michael Kerrisk-manpages, Serge Hallyn, Seth Forshee, Alexander Viro, Linux FS Devel, LKML, "Eric W . Biederman", Serge Hallyn, linux-mm@kvack.org
Subject: [PATCH] fs: clear file set[ug]id when writing via mmap
Message-ID: <20151120001043.GA28204@www.outflux.net>
X-Mailing-List: linux-fsdevel@vger.kernel.org

Normally, when a user can modify a file that has setuid or setgid bits, those bits are cleared when they are not the file owner or a member of the group. This is enforced when using write() directly but not when writing to a shared mmap on the file. This could allow the file writer to gain privileges by changing the binary without losing the setuid/setgid bits.

Signed-off-by: Kees Cook
Cc: stable@vger.kernel.org
---
 mm/memory.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mm/memory.c b/mm/memory.c
index deb679c31f2a..4c970a4e0057 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -2036,6 +2036,7 @@ static inline int wp_page_reuse(struct mm_struct *mm, if (!page_mkwrite) file_update_time(vma->vm_file); + file_remove_privs(vma->vm_file); } return VM_FAULT_WRITE;
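Review bot: the file_remove_privs() call added to wp_page_reuse() runs from the write-fault path, where the caller holds mmap_sem and the page lock but not the inode's i_mutex; when the bits actually need clearing, file_remove_privs() goes through notify_change(), which expects i_mutex to be held (the write(2) side calls it with the mutex taken). Taking i_mutex here is not an option either, because write() already orders i_mutex before the faults it takes while copying from user memory, so the hunk or the commit message should say why the call is safe from fault context, or the clearing should move to a place where the inode is already locked. Two smaller points in the same hunk: the return value is discarded, whereas the write path aborts the write when privilege removal fails; and the new line sits outside the `if (!page_mkwrite)` that guards `file_update_time(vma->vm_file);` just above it, so it runs even when the filesystem's ->page_mkwrite handler has already done the inode bookkeeping, which reads as inconsistent with that line.

The gap the commit message describes between write(2) and a MAP_SHARED mapping can be checked from user space. The probe below is an added example written for this page, not the patch's or the kernel's code. It assumes a writable /tmp for its scratch file, that it is run as an unprivileged user (a writer holding CAP_FSETID keeps the bits by design; the `geteuid() == 0` check is a crude stand-in for that capability), and it carries a model of the clearing rule as this editor understands it: setuid is always dropped, setgid only when the group-execute bit is also set, only regular files are affected. The model goes a little beyond the message's setuid-binary case by also covering setgid without group-exec and non-regular files; compare it with should_remove_suid() in fs/inode.c of the kernel under test.

```c
/*
 * suidprobe.c: added example, not part of the patch or the kernel tree.
 * Checks whether writing a setuid/setgid file through write(2) and through a
 * MAP_SHARED mapping clears the privilege bits, and carries a model of the
 * clearing rule as this editor understands it.  PROBE_PATH and PROBE_LEN are
 * arbitrary choices.
 *
 * Build: cc -Wall -o suidprobe suidprobe.c
 * Run as an unprivileged user: a writer holding CAP_FSETID keeps the bits.
 */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define PROBE_PATH "/tmp/suidprobe.bin"   /* assumed scratch location */
#define PROBE_LEN  4096

/*
 * Model of the rule: setuid is always dropped, setgid only when the group
 * execute bit is also set (setgid without group-exec is the mandatory-locking
 * marker), only regular files are affected, and a writer with CAP_FSETID keeps
 * everything.  Returns the mode the file is expected to have after the write.
 */
mode_t expected_mode_after_write(mode_t mode, int writer_has_cap_fsetid)
{
    mode_t kill = 0;

    if (!S_ISREG(mode) || writer_has_cap_fsetid)
        return mode;
    if (mode & S_ISUID)
        kill |= S_ISUID;
    if ((mode & S_ISGID) && (mode & S_IXGRP))
        kill |= S_ISGID;
    return mode & ~kill;
}

/* Create the probe file with PROBE_LEN bytes and the requested mode.  The
 * size is set before the chmod because truncation itself drops the bits. */
static int create_probe(mode_t mode)
{
    int fd = open(PROBE_PATH, O_RDWR | O_CREAT | O_TRUNC, 0644);

    if (fd < 0)
        return -1;
    if (ftruncate(fd, PROBE_LEN) < 0 || fchmod(fd, mode) < 0) {
        close(fd);
        unlink(PROBE_PATH);
        return -1;
    }
    return fd;
}

/* Permission bits of fd after the write, or (mode_t)-1 on error; cleans up. */
static mode_t finish_probe(int fd)
{
    struct stat st;
    int ok = fstat(fd, &st) == 0;

    close(fd);
    unlink(PROBE_PATH);
    return ok ? (st.st_mode & 07777) : (mode_t)-1;
}

/* Write one byte with write(2); returns the mode bits afterwards. */
mode_t mode_after_write_syscall(mode_t mode)
{
    int fd = create_probe(mode);

    if (fd < 0)
        return (mode_t)-1;
    if (write(fd, "x", 1) != 1) {
        finish_probe(fd);
        return (mode_t)-1;
    }
    return finish_probe(fd);
}

/* Write one byte through a MAP_SHARED mapping; returns the mode bits afterwards. */
mode_t mode_after_mmap_write(mode_t mode)
{
    int fd = create_probe(mode);
    char *p;

    if (fd < 0)
        return (mode_t)-1;
    p = mmap(NULL, PROBE_LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) {
        finish_probe(fd);
        return (mode_t)-1;
    }
    p[0] = 'x';                 /* the write fault is where privs would be dropped */
    msync(p, PROBE_LEN, MS_SYNC);
    munmap(p, PROBE_LEN);
    return finish_probe(fd);
}

int main(void)
{
    mode_t modes[] = { 04755, 02755, 02644 };
    int privileged = geteuid() == 0;   /* crude stand-in for CAP_FSETID */

    if (privileged)
        printf("note: running as root, the bits are expected to survive\n");
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        mode_t want = expected_mode_after_write(S_IFREG | modes[i], privileged) & 07777;
        mode_t w = mode_after_write_syscall(modes[i]);
        mode_t m = mode_after_mmap_write(modes[i]);

        printf("mode %04o: expect %04o, after write() %04o, after mmap write %04o%s\n",
               modes[i], want, w, m,
               (w != want || m != want) ? "  <-- bits kept" : "");
    }
    return 0;
}
```

A kernel with the behaviour the commit message describes shows the bits cleared on the write() line and kept on the mmap line for 04755 and 02755; 02644 is expected to keep its setgid bit on both paths because the group-execute bit is not set.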