| Message ID | 20161221052624.16270-1-asarai@suse.de (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
Aleksa Sarai <asarai@suse.de> writes: > If you have a process that has set itself to be non-dumpable, and it > then undergoes exec(2), any CLOEXEC file descriptors it has open are > "exposed" during a race window between the dumpable flags of the process > being reset for exec(2) and CLOEXEC being applied to the file > descriptors. This can be exploited by a process by attempting to access > /proc/<pid>/fd/... during this window, without requiring CAP_SYS_PTRACE. > > The race in question is after set_dumpable has been (for get_link, > though the trace is basically the same for readlink): > > [vfs] > -> proc_pid_link_inode_operations.get_link > -> proc_pid_get_link > -> proc_fd_access_allowed > -> ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS); > > Which will return 0, during the race window and CLOEXEC file descriptors > will still be open during this window because do_close_on_exec has not > been called yet. As a result, the ordering of these calls should be > reversed to avoid this race window. > > This is of particular concern to container runtimes, where joining a > PID namespace with file descriptors referring to the host filesystem > can result in security issues (since PRCTL_SET_DUMPABLE doesn't protect > against access of CLOEXEC file descriptors -- file descriptors which may > reference filesystem objects the container shouldn't have access to). That seems reasonable. I was thinking cred_guard_mutex should handle this case, but it obviously won't because only ptrace_attach takes that. Sigh with enough cleanups the code might even become comprehensible and correct in there. I have dropped this onto my for-testing branch for now (so I don't forget it) and after the chaos of the merge window ends I will forward this along. Eric > Cc: dev@opencontainers.org > Cc: <stable@vger.kernel.org> # v3.2+ > Reported-by: Michael Crosby <crosbymichael@gmail.com> > Signed-off-by: Aleksa Sarai <asarai@suse.de> > --- > fs/exec.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/fs/exec.c b/fs/exec.c > index 4e497b9ee71e..b0a98ef03253 100644 > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -19,7 +19,7 @@ > * current->executable is only used by the procfs. This allows a dispatch > * table to check for several different types of binary formats. We keep > * trying until we recognize the file or we run out of supported binary > - * formats. > + * formats. > */ > > #include <linux/slab.h> > @@ -1266,6 +1266,13 @@ int flush_old_exec(struct linux_binprm * bprm) > flush_thread(); > current->personality &= ~bprm->per_clear; > > + /* > + * We have to apply CLOEXEC before we change whether the process is > + * dumpable (in setup_new_exec) to avoid a race with a process in userspace > + * trying to access the should-be-closed file descriptors of a process > + * undergoing exec(2). > + */ > + do_close_on_exec(current->files); > return 0; > > out: > @@ -1315,7 +1322,6 @@ void setup_new_exec(struct linux_binprm * bprm) > group */ > current->self_exec_id++; > flush_signal_handlers(current, 0); > - do_close_on_exec(current->files); > } > EXPORT_SYMBOL(setup_new_exec); -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/fs/exec.c b/fs/exec.c index 4e497b9ee71e..b0a98ef03253 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -19,7 +19,7 @@ * current->executable is only used by the procfs. This allows a dispatch * table to check for several different types of binary formats. We keep * trying until we recognize the file or we run out of supported binary - * formats. + * formats. */ #include <linux/slab.h> @@ -1266,6 +1266,13 @@ int flush_old_exec(struct linux_binprm * bprm) flush_thread(); current->personality &= ~bprm->per_clear; + /* + * We have to apply CLOEXEC before we change whether the process is + * dumpable (in setup_new_exec) to avoid a race with a process in userspace + * trying to access the should-be-closed file descriptors of a process + * undergoing exec(2). + */ + do_close_on_exec(current->files); return 0; out: @@ -1315,7 +1322,6 @@ void setup_new_exec(struct linux_binprm * bprm) group */ current->self_exec_id++; flush_signal_handlers(current, 0); - do_close_on_exec(current->files); } EXPORT_SYMBOL(setup_new_exec);
If you have a process that has set itself to be non-dumpable, and it then undergoes exec(2), any CLOEXEC file descriptors it has open are "exposed" during a race window between the dumpable flags of the process being reset for exec(2) and CLOEXEC being applied to the file descriptors. This can be exploited by a process by attempting to access /proc/<pid>/fd/... during this window, without requiring CAP_SYS_PTRACE. The race in question is after set_dumpable has been (for get_link, though the trace is basically the same for readlink): [vfs] -> proc_pid_link_inode_operations.get_link -> proc_pid_get_link -> proc_fd_access_allowed -> ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS); Which will return 0, during the race window and CLOEXEC file descriptors will still be open during this window because do_close_on_exec has not been called yet. As a result, the ordering of these calls should be reversed to avoid this race window. This is of particular concern to container runtimes, where joining a PID namespace with file descriptors referring to the host filesystem can result in security issues (since PRCTL_SET_DUMPABLE doesn't protect against access of CLOEXEC file descriptors -- file descriptors which may reference filesystem objects the container shouldn't have access to). Cc: dev@opencontainers.org Cc: <stable@vger.kernel.org> # v3.2+ Reported-by: Michael Crosby <crosbymichael@gmail.com> Signed-off-by: Aleksa Sarai <asarai@suse.de> --- fs/exec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)