| Message ID | 20230713121907.9693-1-cyphar@cyphar.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | procfs: block chmod on /proc/thread-self/comm | expand |
+Cc Thomas Weißschuh <thomas@t-8ch.de> as this seems quite related to his finding about /proc/self/net: https://lore.kernel.org/lkml/20230624-proc-net-setattr-v1-0-73176812adee@weissschuh.net/#b On Thu, Jul 13, 2023 at 10:19:04PM +1000, Aleksa Sarai wrote: > Due to an oversight in commit 1b3044e39a89 ("procfs: fix pthread > cross-thread naming if !PR_DUMPABLE") in switching from REG to NOD, > chmod operations on /proc/thread-self/comm were no longer blocked as > they are on almost all other procfs files. > > A very similar situation with /proc/self/environ was used to as a root > exploit a long time ago, but procfs has SB_I_NOEXEC so this is simply a > correctness issue. > > Ref: https://lwn.net/Articles/191954/ > Ref: 6d76fa58b050 ("Don't allow chmod() on the /proc/<pid>/ files") > Fixes: 1b3044e39a89 ("procfs: fix pthread cross-thread naming if !PR_DUMPABLE") > Cc: stable@vger.kernel.org # v4.7+ > Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> > --- > fs/proc/base.c | 3 ++- > tools/testing/selftests/nolibc/nolibc-test.c | 4 ++++ > 2 files changed, 6 insertions(+), 1 deletion(-) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index 05452c3b9872..7394229816f3 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -3583,7 +3583,8 @@ static int proc_tid_comm_permission(struct mnt_idmap *idmap, > } > > static const struct inode_operations proc_tid_comm_inode_operations = { > - .permission = proc_tid_comm_permission, > + .setattr = proc_setattr, > + .permission = proc_tid_comm_permission, > }; > > /* > diff --git a/tools/testing/selftests/nolibc/nolibc-test.c b/tools/testing/selftests/nolibc/nolibc-test.c > index 486334981e60..08f0969208eb 100644 > --- a/tools/testing/selftests/nolibc/nolibc-test.c > +++ b/tools/testing/selftests/nolibc/nolibc-test.c > @@ -580,6 +580,10 @@ int run_syscall(int min, int max) > CASE_TEST(chmod_net); EXPECT_SYSZR(proc, chmod("/proc/self/net", 0555)); break; > CASE_TEST(chmod_self); EXPECT_SYSER(proc, chmod("/proc/self", 0555), -1, EPERM); break; > CASE_TEST(chown_self); EXPECT_SYSER(proc, chown("/proc/self", 0, 0), -1, EPERM); break; > + CASE_TEST(chmod_self_comm); EXPECT_SYSER(proc, chmod("/proc/self/comm", 0777), -1, EPERM); break; > + CASE_TEST(chmod_tid_comm); EXPECT_SYSER(proc, chmod("/proc/thread-self/comm", 0777), -1, EPERM); break; > + CASE_TEST(chmod_self_environ);EXPECT_SYSER(proc, chmod("/proc/self/environ", 0777), -1, EPERM); break; > + CASE_TEST(chmod_tid_environ); EXPECT_SYSER(proc, chmod("/proc/thread-self/environ", 0777), -1, EPERM); break; > CASE_TEST(chroot_root); EXPECT_SYSZR(euid0, chroot("/")); break; > CASE_TEST(chroot_blah); EXPECT_SYSER(1, chroot("/proc/self/blah"), -1, ENOENT); break; > CASE_TEST(chroot_exe); EXPECT_SYSER(proc, chroot("/proc/self/exe"), -1, ENOTDIR); break; > -- > 2.41.0
On 2023-07-13 22:19:04+1000, Aleksa Sarai wrote: > Due to an oversight in commit 1b3044e39a89 ("procfs: fix pthread > cross-thread naming if !PR_DUMPABLE") in switching from REG to NOD, > chmod operations on /proc/thread-self/comm were no longer blocked as > they are on almost all other procfs files. > > A very similar situation with /proc/self/environ was used to as a root > exploit a long time ago, but procfs has SB_I_NOEXEC so this is simply a > correctness issue. > > Ref: https://lwn.net/Articles/191954/ > Ref: 6d76fa58b050 ("Don't allow chmod() on the /proc/<pid>/ files") > Fixes: 1b3044e39a89 ("procfs: fix pthread cross-thread naming if !PR_DUMPABLE") > Cc: stable@vger.kernel.org # v4.7+ > Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> > --- > fs/proc/base.c | 3 ++- > tools/testing/selftests/nolibc/nolibc-test.c | 4 ++++ > 2 files changed, 6 insertions(+), 1 deletion(-) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index 05452c3b9872..7394229816f3 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -3583,7 +3583,8 @@ static int proc_tid_comm_permission(struct mnt_idmap *idmap, > } > > static const struct inode_operations proc_tid_comm_inode_operations = { > - .permission = proc_tid_comm_permission, > + .setattr = proc_setattr, > + .permission = proc_tid_comm_permission, > }; Given that this seems to be a recurring theme a more systematic aproach would help. Something like the following (untested) patch: diff --git a/fs/proc/base.c b/fs/proc/base.c index 05452c3b9872..b90f2e9cda66 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2649,6 +2649,7 @@ static struct dentry *proc_pident_instantiate(struct dentry *dentry, set_nlink(inode, 2); /* Use getattr to fix if necessary */ if (p->iop) inode->i_op = p->iop; + WARN_ON(!inode->i_op->setattr); if (p->fop) inode->i_fop = p->fop; ei->op = p->op; > /* > diff --git a/tools/testing/selftests/nolibc/nolibc-test.c b/tools/testing/selftests/nolibc/nolibc-test.c > index 486334981e60..08f0969208eb 100644 > --- a/tools/testing/selftests/nolibc/nolibc-test.c > +++ b/tools/testing/selftests/nolibc/nolibc-test.c > @@ -580,6 +580,10 @@ int run_syscall(int min, int max) > CASE_TEST(chmod_net); EXPECT_SYSZR(proc, chmod("/proc/self/net", 0555)); break; > CASE_TEST(chmod_self); EXPECT_SYSER(proc, chmod("/proc/self", 0555), -1, EPERM); break; > CASE_TEST(chown_self); EXPECT_SYSER(proc, chown("/proc/self", 0, 0), -1, EPERM); break; > + CASE_TEST(chmod_self_comm); EXPECT_SYSER(proc, chmod("/proc/self/comm", 0777), -1, EPERM); break; > + CASE_TEST(chmod_tid_comm); EXPECT_SYSER(proc, chmod("/proc/thread-self/comm", 0777), -1, EPERM); break; > + CASE_TEST(chmod_self_environ);EXPECT_SYSER(proc, chmod("/proc/self/environ", 0777), -1, EPERM); break; > + CASE_TEST(chmod_tid_environ); EXPECT_SYSER(proc, chmod("/proc/thread-self/environ", 0777), -1, EPERM); break; I'm not a big fan of this, it abuses the nolibc testsuite to test core kernel functionality. If this needs to be tested explicitly there is hopefully a better place. Those existing tests focus on testing functionality provided by nolibc. The test chmod_net just got removed because it suffered from the same bug as /proc/thread-self/comm. > CASE_TEST(chroot_root); EXPECT_SYSZR(euid0, chroot("/")); break; > CASE_TEST(chroot_blah); EXPECT_SYSER(1, chroot("/proc/self/blah"), -1, ENOENT); break; > CASE_TEST(chroot_exe); EXPECT_SYSER(proc, chroot("/proc/self/exe"), -1, ENOTDIR); break; > -- > 2.41.0 >
On Thu, Jul 13, 2023 at 03:01:24PM +0200, Thomas Weißschuh wrote: > On 2023-07-13 22:19:04+1000, Aleksa Sarai wrote: > > Due to an oversight in commit 1b3044e39a89 ("procfs: fix pthread > > cross-thread naming if !PR_DUMPABLE") in switching from REG to NOD, > > chmod operations on /proc/thread-self/comm were no longer blocked as > > they are on almost all other procfs files. > > > > A very similar situation with /proc/self/environ was used to as a root > > exploit a long time ago, but procfs has SB_I_NOEXEC so this is simply a > > correctness issue. > > > > Ref: https://lwn.net/Articles/191954/ > > Ref: 6d76fa58b050 ("Don't allow chmod() on the /proc/<pid>/ files") > > Fixes: 1b3044e39a89 ("procfs: fix pthread cross-thread naming if !PR_DUMPABLE") > > Cc: stable@vger.kernel.org # v4.7+ > > Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> > > --- > > fs/proc/base.c | 3 ++- > > tools/testing/selftests/nolibc/nolibc-test.c | 4 ++++ > > 2 files changed, 6 insertions(+), 1 deletion(-) > > > > diff --git a/fs/proc/base.c b/fs/proc/base.c > > index 05452c3b9872..7394229816f3 100644 > > --- a/fs/proc/base.c > > +++ b/fs/proc/base.c > > @@ -3583,7 +3583,8 @@ static int proc_tid_comm_permission(struct mnt_idmap *idmap, > > } > > > > static const struct inode_operations proc_tid_comm_inode_operations = { > > - .permission = proc_tid_comm_permission, > > + .setattr = proc_setattr, > > + .permission = proc_tid_comm_permission, > > }; > > Given that this seems to be a recurring theme a more systematic > aproach would help. > > Something like the following (untested) patch: > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index 05452c3b9872..b90f2e9cda66 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -2649,6 +2649,7 @@ static struct dentry *proc_pident_instantiate(struct dentry *dentry, > set_nlink(inode, 2); /* Use getattr to fix if necessary */ > if (p->iop) > inode->i_op = p->iop; > + WARN_ON(!inode->i_op->setattr); Hm, no. This is hacky. To fix this properly we will need to wean off notify_change() from falling back to simple_setattr() when no i_op->setattr() method is defined. To do that we will have to go through every filesystem and port all that rely on this fallback to set simple_setattr() explicitly as their i_op->setattr() method. Christoph and I just discussed this in relation to another patch. This is a bugfix so it should be as minimal as possible for easy backport.
On 2023-07-13, Willy Tarreau <w@1wt.eu> wrote: > +Cc Thomas Weißschuh <thomas@t-8ch.de> as this seems quite related to > his finding about /proc/self/net: > > https://lore.kernel.org/lkml/20230624-proc-net-setattr-v1-0-73176812adee@weissschuh.net/#b Yeah I saw this patch and (along with an earlier discussion with Christian on the topic of chmod on symlinks -- see [1]) lead us to find that there were three other cases where this happens unintentionally: * /proc/self (on the symlink itself) * /proc/thread-self (on the symlink itself) * /proc/thread-self/comm The first two will be fixed by [1] so fixing them isn't necessary. [1]: https://lore.kernel.org/linux-fsdevel/20230712-vfs-chmod-symlinks-v2-1-08cfb92b61dd@kernel.org/
diff --git a/fs/proc/base.c b/fs/proc/base.c index 05452c3b9872..7394229816f3 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -3583,7 +3583,8 @@ static int proc_tid_comm_permission(struct mnt_idmap *idmap, } static const struct inode_operations proc_tid_comm_inode_operations = { - .permission = proc_tid_comm_permission, + .setattr = proc_setattr, + .permission = proc_tid_comm_permission, }; /* diff --git a/tools/testing/selftests/nolibc/nolibc-test.c b/tools/testing/selftests/nolibc/nolibc-test.c index 486334981e60..08f0969208eb 100644 --- a/tools/testing/selftests/nolibc/nolibc-test.c +++ b/tools/testing/selftests/nolibc/nolibc-test.c @@ -580,6 +580,10 @@ int run_syscall(int min, int max) CASE_TEST(chmod_net); EXPECT_SYSZR(proc, chmod("/proc/self/net", 0555)); break; CASE_TEST(chmod_self); EXPECT_SYSER(proc, chmod("/proc/self", 0555), -1, EPERM); break; CASE_TEST(chown_self); EXPECT_SYSER(proc, chown("/proc/self", 0, 0), -1, EPERM); break; + CASE_TEST(chmod_self_comm); EXPECT_SYSER(proc, chmod("/proc/self/comm", 0777), -1, EPERM); break; + CASE_TEST(chmod_tid_comm); EXPECT_SYSER(proc, chmod("/proc/thread-self/comm", 0777), -1, EPERM); break; + CASE_TEST(chmod_self_environ);EXPECT_SYSER(proc, chmod("/proc/self/environ", 0777), -1, EPERM); break; + CASE_TEST(chmod_tid_environ); EXPECT_SYSER(proc, chmod("/proc/thread-self/environ", 0777), -1, EPERM); break; CASE_TEST(chroot_root); EXPECT_SYSZR(euid0, chroot("/")); break; CASE_TEST(chroot_blah); EXPECT_SYSER(1, chroot("/proc/self/blah"), -1, ENOENT); break; CASE_TEST(chroot_exe); EXPECT_SYSER(proc, chroot("/proc/self/exe"), -1, ENOTDIR); break;
Due to an oversight in commit 1b3044e39a89 ("procfs: fix pthread cross-thread naming if !PR_DUMPABLE") in switching from REG to NOD, chmod operations on /proc/thread-self/comm were no longer blocked as they are on almost all other procfs files. A very similar situation with /proc/self/environ was used to as a root exploit a long time ago, but procfs has SB_I_NOEXEC so this is simply a correctness issue. Ref: https://lwn.net/Articles/191954/ Ref: 6d76fa58b050 ("Don't allow chmod() on the /proc/<pid>/ files") Fixes: 1b3044e39a89 ("procfs: fix pthread cross-thread naming if !PR_DUMPABLE") Cc: stable@vger.kernel.org # v4.7+ Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> --- fs/proc/base.c | 3 ++- tools/testing/selftests/nolibc/nolibc-test.c | 4 ++++ 2 files changed, 6 insertions(+), 1 deletion(-)