From f70102cb369cde6ab7551ca58152d00fd3478fec Mon Sep 17 00:00:00 2001 From: Kees Cook keescook@chromium.org Date: Tue, 8 Jun 2021 10:12:21 -0700 Subject: [PATCH] proc: Track /proc/$pid/attr/ opener mm_struct
stable inclusion from stable-v5.10.44 commit f70102cb369cde6ab7551ca58152d00fd3478fec bugzilla: CVE: NA
--------------------------------
commit 591a22c14d3f45cc38bd1931c593c221df2f1881 upstream.
Commit bfb819ea20ce ("proc: Check /proc/$pid/attr/ writes against file opener") tried to make sure that there could not be a confusion between the opener of a /proc/$pid/attr/ file and the writer. It used struct cred to make sure the privileges didn't change. However, there were existing cases where a more privileged thread was passing the opened fd to a differently privileged thread (during container setup). Instead, use mm_struct to track whether the opener and writer are still the same process. (This is what several other proc files already do, though for different reasons.)
Reported-by: Christian Brauner christian.brauner@ubuntu.com Reported-by: Andrea Righi andrea.righi@canonical.com Tested-by: Andrea Righi andrea.righi@canonical.com Fixes: bfb819ea20ce ("proc: Check /proc/$pid/attr/ writes against file opener") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook keescook@chromium.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- fs/proc/base.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c index 297ea12b3cfd..511d98d09754 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2675,6 +2675,11 @@ static int proc_pident_readdir(struct file *file, struct dir_context *ctx, }
#ifdef CONFIG_SECURITY +static int proc_pid_attr_open(struct inode *inode, struct file *file) +{ + return __mem_open(inode, file, PTRACE_MODE_READ_FSCREDS); +} + static ssize_t proc_pid_attr_read(struct file * file, char __user * buf, size_t count, loff_t *ppos) { @@ -2705,7 +2710,7 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, int rv;
/* A task may only write when it was the opener. */ - if (file->f_cred != current_real_cred()) + if (file->private_data != current->mm) return -EPERM;
rcu_read_lock(); @@ -2755,9 +2760,11 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, }
static const struct file_operations proc_pid_attr_operations = { + .open = proc_pid_attr_open, .read = proc_pid_attr_read, .write = proc_pid_attr_write, .llseek = generic_file_llseek, + .release = mem_release, };
#define LSM_DIR_OPS(LSM) \ -- 2.25.1