From patchwork Thu Sep 19 08:09:06 2024
From: Paul Moore
To: linux-security-module@vger.kernel.org, linux-mm@kvack.org, selinux@vger.kernel.org
Cc: ebpqwerty472123@gmail.com
Subject: [PATCH] mm: call the security_mmap_file() LSM hook in remap_file_pages()
Date: Thu, 19 Sep 2024 04:09:06 -0400
Message-ID: <20240919080905.4506-2-paul@paul-moore.com>
X-Mailer: git-send-email 2.46.1
MIME-Version: 1.0
From: Shu Han

The remap_file_pages syscall handler calls do_mmap() directly, which
doesn't contain the LSM security check. And if the process has called
personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called
for RW pages, this will actually result in remapping the pages to RWX,
bypassing a W^X policy enforced by SELinux.

So we should check prot by the security_mmap_file LSM hook in the
remap_file_pages syscall handler before do_mmap() is called. Otherwise,
it potentially permits an attacker to bypass a W^X policy enforced by
SELinux.

The bypass is similar to CVE-2016-10044, which bypasses the same thing
via AIO and can be found in [1].

The PoC:

$ cat > test.c
#define _GNU_SOURCE
/* headers added so the PoC builds with the "gcc test.c -o test" shown below */
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/personality.h>
#include <sys/syscall.h>
#include <unistd.h>

int main(void)
{
	size_t pagesz = sysconf(_SC_PAGE_SIZE);
	int mfd = syscall(SYS_memfd_create, "test", 0);
	const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE,
			       MAP_SHARED, mfd, 0);
	unsigned int old = syscall(SYS_personality, 0xffffffff);

	syscall(SYS_personality, READ_IMPLIES_EXEC | old);
	syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0);
	syscall(SYS_personality, old);

	// show the RWX page exists even if W^X policy is enforced
	int fd = open("/proc/self/maps", O_RDONLY);
	unsigned char buf2[1024];
	while (1) {
		int ret = read(fd, buf2, 1024);
		if (ret <= 0)
			break;
		write(1, buf2, ret);
	}
	close(fd);
}
$ gcc test.c -o test
$ ./test | grep rwx
7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted)

Link: https://project-zero.issues.chromium.org/issues/42452389 [1]
Cc: stable@vger.kernel.org
Signed-off-by: Shu Han
Acked-by: Stephen Smalley
[PM: subject line tweaks]
Signed-off-by: Paul Moore
---
 mm/mmap.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/mm/mmap.c b/mm/mmap.c
index 6ddb278a5ee8..0df568afe99d 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -3198,8 +3198,12 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, flags |= MAP_LOCKED; file = get_file(vma->vm_file); + ret = security_mmap_file(vma->vm_file, prot, flags); + if (ret) + goto out_fput; ret = do_mmap(vma->vm_file, start, size, prot, flags, 0, pgoff, &populate, NULL); +out_fput: fput(file); out: mmap_write_unlock(mm);
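Review bot: the hook is placed after `file = get_file(vma->vm_file)`, so a denial has to drop that reference, and the new `out_fput` label does exactly that before falling through to `out:` and `mmap_write_unlock(mm)`, which keeps the error path balanced. Two small points: the call passes `vma->vm_file` while the reference just taken is held in `file` (passing `file` would make the hook argument and the later `fput(file)` visibly refer to the same object), and a one-line comment at the call site saying that do_mmap() performs no LSM check of its own, which is the whole reason for the hook here, would stop a future reader from removing it as redundant with the mmap() path.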
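As an added example (not part of this patch or of the kernel tree), the following userspace C program parses the /proc/&lt;pid&gt;/maps format that the PoC dumps and reports every mapping that is writable and executable at once. It is the check a defender runs to confirm a W^X policy actually holds: on an unpatched kernel it flags the "rwxs" memfd mapping shown in the commit message, and on a patched kernel with SELinux denying the mapping it reports nothing. The function names, the struct layout and the sample listing (constructed; only the rwxs line is taken from the PoC output above) are this example's own assumptions.

```c
/*
 * Added example, not part of the patch: a userspace W^X audit that parses
 * /proc/<pid>/maps and reports mappings that are writable and executable
 * at once, such as the "rwxs" memfd mapping the PoC above shows on an
 * unpatched kernel. Names and the sample listing are this example's own.
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct map_entry {
	unsigned long start, end, offset, inode;
	char perms[5];     /* e.g. "rwxs", "r-xp" */
	char path[256];    /* empty for anonymous mappings */
};

/* Parse one maps line: "start-end perms offset dev inode [path]".
 * Returns 1 on success, 0 if the line is malformed. */
int parse_maps_line(const char *line, struct map_entry *e)
{
	char buf[512], *field[5], *save = NULL, *rest;
	int i;

	memset(e, 0, sizeof(*e));
	if (strlen(line) >= sizeof(buf))
		return 0;
	strcpy(buf, line);
	buf[strcspn(buf, "\n")] = '\0';
	for (i = 0; i < 5; i++) {
		field[i] = strtok_r(i ? NULL : buf, " \t", &save);
		if (!field[i])
			return 0;
	}
	if (sscanf(field[0], "%lx-%lx", &e->start, &e->end) != 2 ||
	    strlen(field[1]) != 4)
		return 0;
	memcpy(e->perms, field[1], 5);
	e->offset = strtoul(field[2], NULL, 16);
	e->inode = strtoul(field[4], NULL, 10);
	/* Whatever follows the inode column, minus padding, is the path. */
	rest = save + strspn(save, " \t");
	snprintf(e->path, sizeof(e->path), "%s", rest);
	return 1;
}

/* A mapping violates W^X when it is writable and executable at once. */
int is_wx(const struct map_entry *e)
{
	return e->perms[1] == 'w' && e->perms[2] == 'x';
}

/* Scan a maps listing from any stream (a live /proc file or an in-memory
 * sample via fmemopen). Copies up to max offending entries into out and
 * returns the total number of W+X mappings found. */
int find_wx_mappings(FILE *f, struct map_entry *out, int max)
{
	char *line = NULL;
	size_t cap = 0;
	struct map_entry e;
	int found = 0;

	while (getline(&line, &cap, f) != -1) {
		if (parse_maps_line(line, &e) && is_wx(&e)) {
			if (found < max)
				out[found] = e;
			found++;
		}
	}
	free(line);
	return found;
}

/* Constructed sample listing; the rwxs line is the one the PoC printed. */
const char sample_maps[] =
	"55d0c2a00000-55d0c2a01000 r--p 00000000 08:01 1311 /tmp/test\n"
	"55d0c2a01000-55d0c2a02000 r-xp 00001000 08:01 1311 /tmp/test\n"
	"7f1836c32000-7f1836c34000 rw-s 00000000 00:01 2050 /memfd:test (deleted)\n"
	"7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted)\n"
	"7ffd1c3e0000-7ffd1c401000 rw-p 00000000 00:00 0          [stack]\n";

int main(void)
{
	struct map_entry hits[16];
	FILE *f = fmemopen((void *)sample_maps, sizeof(sample_maps) - 1, "r");
	int n = f ? find_wx_mappings(f, hits, 16) : -1, i;

	if (f)
		fclose(f);
	for (i = 0; i < n && i < 16; i++)
		printf("sample: W^X violation %lx-%lx %s %s\n",
		       hits[i].start, hits[i].end, hits[i].perms, hits[i].path);

	/* Same check against the running process itself. */
	f = fopen("/proc/self/maps", "r");
	if (f) {
		printf("live: %d W^X mapping(s) in this process\n",
		       find_wx_mappings(f, hits, 16));
		fclose(f);
	}
	return 0;
}
```

Pointing `find_wx_mappings()` at /proc/&lt;pid&gt;/maps of the PoC process (it must still be running, since the mapping vanishes with it) gives the same verdict as `grep rwx` but with the fields parsed, so the inode and path can be matched against the memfd and the offset against the remapped page. The padding /proc inserts between the inode and the path column is skipped by the parser, and lines without a path parse to an empty string rather than failing.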