From patchwork Wed Jan 25 21:06:52 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andy Lutomirski <luto@kernel.org>
X-Patchwork-Id: 9537947
Return-Path: <linux-fsdevel-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	077C96046A for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Wed, 25 Jan 2017 21:07:32 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EC46627FBC
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Wed, 25 Jan 2017 21:07:31 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id E0BFE27FC0; Wed, 25 Jan 2017 21:07:31 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 902B61FF60
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Wed, 25 Jan 2017 21:07:31 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752050AbdAYVHN (ORCPT
	<rfc822;patchwork-linux-fsdevel@patchwork.kernel.org>);
	Wed, 25 Jan 2017 16:07:13 -0500
Received: from mail.kernel.org ([198.145.29.136]:58468 "EHLO mail.kernel.org"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751254AbdAYVHL (ORCPT <rfc822;linux-fsdevel@vger.kernel.org>);
	Wed, 25 Jan 2017 16:07:11 -0500
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 4FB43203F4;
	Wed, 25 Jan 2017 21:07:05 +0000 (UTC)
Received: from localhost (c-71-202-137-17.hsd1.ca.comcast.net
	[71.202.137.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPSA id 44E51203AD;
	Wed, 25 Jan 2017 21:07:04 +0000 (UTC)
From: Andy Lutomirski <luto@kernel.org>
To: security@kernel.org
Cc: Konstantin Khlebnikov <koct9i@gmail.com>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Kees Cook <keescook@chromium.org>, Willy Tarreau <w@1wt.eu>,
	"linux-mm@kvack.org" <linux-mm@kvack.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	yalin wang <yalin.wang2010@gmail.com>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Jan Kara <jack@suse.cz>, Linux FS Devel <linux-fsdevel@vger.kernel.org>,
	Andy Lutomirski <luto@kernel.org>
Subject: [PATCH 2/2] fs: Harden against open(..., O_CREAT,
	02777) in a setgid directory
Date: Wed, 25 Jan 2017 13:06:52 -0800
Message-Id: 
 <826ec4aab64ec304944098d15209f8c1ae65bb29.1485377903.git.luto@kernel.org>
X-Mailer: git-send-email 2.9.3
In-Reply-To: <cover.1485377903.git.luto@kernel.org>
References: <cover.1485377903.git.luto@kernel.org>
In-Reply-To: <cover.1485377903.git.luto@kernel.org>
References: <cover.1485377903.git.luto@kernel.org>
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: linux-fsdevel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-fsdevel.vger.kernel.org>
X-Mailing-List: linux-fsdevel@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Currently, if you open("foo", O_WRONLY | O_CREAT | ..., 02777) in a
directory that is setgid and owned by a different gid than current's
fsgid, you end up with an SGID executable that is owned by the
directory's GID.  This is a Bad Thing (tm).  Exploiting this is
nontrivial because most ways of creating a new file create an empty
file and empty executables aren't particularly interesting, but this
is nevertheless quite dangerous.

Harden against this type of attack by detecting this particular
corner case (unprivileged program creates SGID executable inode in
SGID directory owned by a different GID) and clearing the new
inode's SGID bit.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
---
 fs/inode.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/fs/inode.c b/fs/inode.c
index f7029c40cfbd..d7e4b80470dd 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -2007,11 +2007,28 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
 {
 	inode->i_uid = current_fsuid();
 	if (dir && dir->i_mode & S_ISGID) {
+		bool changing_gid = !gid_eq(inode->i_gid, dir->i_gid);
+
 		inode->i_gid = dir->i_gid;
-		if (S_ISDIR(mode))
+		if (S_ISDIR(mode)) {
 			mode |= S_ISGID;
-	} else
+		} else if (((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
+			   && S_ISREG(mode) && changing_gid
+			   && !capable(CAP_FSETID)) {
+			/*
+			 * Whoa there!  An unprivileged program just
+			 * tried to create a new executable with SGID
+			 * set in a directory with SGID set that belongs
+			 * to a different group.  Don't let this program
+			 * create a SGID executable that ends up owned
+			 * by the wrong group.
+			 */
+			mode &= ~S_ISGID;
+		}
+
+	} else {
 		inode->i_gid = current_fsgid();
+	}
 	inode->i_mode = mode;
 }
 EXPORT_SYMBOL(inode_init_owner);