From patchwork Fri Jul 7 19:57:00 2017
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 9831093
From: Kees Cook
To: Linus Torvalds
Cc: Kees Cook, Andy Lutomirski, David Howells, Serge Hallyn, John Johansen, Casey Schaufler, "Eric W. Biederman", Michal Hocko, Ben Hutchings, Hugh Dickins, Oleg Nesterov, "Jason A. Donenfeld", Rik van Riel, Alexander Viro, James Morris, Greg Ungerer, Ingo Molnar, Nicolas Pitre, Stephen Smalley, Paul Moore, Vivek Goyal, Mickaël Salaün, Tetsuo Handa, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH 2/2] exec: Use sane stack rlimit for setuid exec
Date: Fri, 7 Jul 2017 12:57:00 -0700
Message-Id: <1499457420-83038-3-git-send-email-keescook@chromium.org>
In-Reply-To: <1499457420-83038-1-git-send-email-keescook@chromium.org>
References: <1499457420-83038-1-git-send-email-keescook@chromium.org>

Before the memory layout has been selected and credentials have been updated, reset the stack rlimit to something sane for setuid execs, to avoid the caller having control over memory layouts.

$ ulimit -s
8192
$ ulimit -s unlimited
$ /bin/sh -c 'ulimit -s'
unlimited
$ sudo /bin/sh -c 'ulimit -s'
8192

Signed-off-by: Kees Cook
---
 fs/exec.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/fs/exec.c b/fs/exec.c
index 1e8d647d8e7c..2b072cf79f6d 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1335,6 +1335,16 @@ void setup_new_exec(struct linux_binprm * bprm) if (security_bprm_secureexec(bprm)) { /* Record for AT_SECURE. */ bprm->secureexec = 1; + + /* + * If this is a setuid execution, reset the stack limit to + * sane default to avoid bad behavior from the prior rlimits. + * This has to happen before arch_pick_mmap_layout(), which + * examines RLIMIT_STACK, but after the point of not return + * to avoid cleaning up the change on failure. + */ + if (current->signal->rlim[RLIMIT_STACK].rlim_cur > _STK_LIM) + current->signal->rlim[RLIMIT_STACK].rlim_cur = _STK_LIM; } arch_pick_mmap_layout(current->mm);
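Review bot: the new comment says "If this is a setuid execution", but the clamp sits inside `if (security_bprm_secureexec(bprm))`, so it fires for every secureexec case (setgid, file capabilities, LSM domain transitions), not just setuid; reword the comment (and ideally the Subject) to say "secureexec" so the scope is not under-described, and fix the typo "point of not return" to "point of no return". Two things also deserve a sentence, in the comment or the commit message: `current->signal->rlim[RLIMIT_STACK].rlim_cur` is written directly, without the task_lock() that do_prlimit() takes when it modifies the same array, so say why no locking is needed at this point of exec; and only rlim_cur is lowered while rlim_max is untouched, so the new image can raise its soft limit back up to the inherited hard limit, which is presumably intended but should be stated.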
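As an added illustration of what the commit message means by the caller "having control over memory layouts" (example code written for this page, not part of the patch or of fs/exec.c): the soft RLIMIT_STACK in force at exec time is read by arch_pick_mmap_layout(), and on x86-64 an unlimited soft stack limit selects the legacy bottom-up mmap layout while any finite limit selects the top-down layout below the stack. The program below reads the limit it inherited, detects which layout it was given by comparing two consecutive anonymous mappings, and mirrors the clamp the hunk applies (the kernel's _STK_LIM is 8 MiB). The helper names and the 8 MiB define are this example's own.

```c
/*
 * Added example for this page, not part of the patch: observe what the
 * RLIMIT_STACK soft limit inherited across exec did to this process's
 * mmap layout, and show the clamp the patch applies on secureexec.
 *
 * Kernel fact relied on: on x86-64, arch_pick_mmap_layout() chooses the
 * legacy bottom-up layout when the soft RLIMIT_STACK is RLIM_INFINITY at
 * exec time, otherwise the top-down layout just below the stack. The
 * helper names are this example's own.
 */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Same value as the kernel's _STK_LIM: 8 MiB (example's own define). */
#define STK_LIM_BYTES (8UL * 1024 * 1024)

/*
 * The clamp the hunk performs on rlim[RLIMIT_STACK].rlim_cur: a soft limit
 * above 8 MiB (RLIM_INFINITY included) becomes 8 MiB, anything else is
 * kept. The hard limit is not touched, so the new image may raise it again.
 */
rlim_t sane_stack_soft_limit(rlim_t cur)
{
    return cur > STK_LIM_BYTES ? STK_LIM_BYTES : cur;
}

/* 1 if the inherited soft RLIMIT_STACK is unlimited, 0 if not, -1 on error. */
int stack_limit_is_unlimited(void)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_STACK, &rl) != 0)
        return -1;
    return rl.rlim_cur == RLIM_INFINITY;
}

/*
 * Map two fresh anonymous pages and return the direction the kernel handed
 * them out: +1 ascending (legacy layout), -1 descending (top-down layout),
 * 0 if mmap failed. One consecutive pair is enough because both allocators
 * are monotonic: legacy takes the lowest free gap above TASK_UNMAPPED_BASE,
 * top-down takes the highest free gap below mmap_base.
 */
int mmap_direction(void)
{
    long page = sysconf(_SC_PAGESIZE);
    void *a = mmap(NULL, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    void *b = mmap(NULL, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int dir = 0;

    if (a != MAP_FAILED && b != MAP_FAILED)
        dir = (uintptr_t)b > (uintptr_t)a ? 1 : -1;
    if (a != MAP_FAILED)
        munmap(a, page);
    if (b != MAP_FAILED)
        munmap(b, page);
    return dir;
}

int main(void)
{
    struct rlimit rl;
    int dir = mmap_direction();

    if (getrlimit(RLIMIT_STACK, &rl) != 0) {
        perror("getrlimit");
        return 1;
    }
    if (rl.rlim_cur == RLIM_INFINITY)
        printf("RLIMIT_STACK soft: unlimited\n");
    else
        printf("RLIMIT_STACK soft: %llu bytes\n",
               (unsigned long long)rl.rlim_cur);
    printf("mmap layout: %s\n",
           dir > 0 ? "legacy (ascending)" :
           dir < 0 ? "top-down (descending)" : "unknown");
    printf("soft limit a secureexec child would get after the clamp: %llu bytes\n",
           (unsigned long long)sane_stack_soft_limit(rl.rlim_cur));
    return 0;
}
```

Run it twice on x86-64: with the default `ulimit -s` of 8192 it reports a descending (top-down) layout; after `ulimit -s unlimited` in the same shell it reports ascending (legacy). Before this patch a setuid target inherited that choice from the unprivileged caller; with the hunk, the soft limit is put back to _STK_LIM before arch_pick_mmap_layout() runs, so the privileged image lands in the top-down layout whatever the caller set.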