From patchwork Sat May 26 14:50:46 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Salvatore Mesoraca X-Patchwork-Id: 10428991 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 8789F60249 for ; Sat, 26 May 2018 14:51:09 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 75A9228C2C for ; Sat, 26 May 2018 14:51:09 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 66C17292A2; Sat, 26 May 2018 14:51:09 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CE66128C2C for ; Sat, 26 May 2018 14:51:08 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id A423C6B0007; Sat, 26 May 2018 10:51:07 -0400 (EDT) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id 9F1726B0008; Sat, 26 May 2018 10:51:07 -0400 (EDT) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 8E3036B000A; Sat, 26 May 2018 10:51:07 -0400 (EDT) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from mail-wr0-f198.google.com (mail-wr0-f198.google.com [209.85.128.198]) by kanga.kvack.org (Postfix) with ESMTP id 33B2C6B0007 for ; Sat, 26 May 2018 10:51:07 -0400 (EDT) Received: by mail-wr0-f198.google.com with SMTP id 44-v6so6555185wrt.9 for ; Sat, 26 May 2018 07:51:07 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:dkim-signature:from:to:cc:subject:date :message-id; bh=UfBvKy81DvCZhT/xWeES1XaP2f+fCegu7KUe9s6RsyE=; b=IIto9ubHds6Fez94FN8YryYXCQr6rp1GyLA0PkkgGUQ1H/ZzJyUJxz4TtA0w2eRb43 gNO9lCE3SyB6eYPEnyr3c1XfwD+z6H0ynfF5Gv8M2Ce5LPZ9k2A1EjJkx4/bZnL6bZ8S VCSxnfi1vgcHS2j9yoUVHpf5YZXJCPNVvVVL18d7tSzr3c3r2RCq5psUatRHTzV9Fktv 772kXUGW5opjkOpdIcTvdWODRrmcZzFlIPAFwszaDRE9AYmxvQ7/WfyEURDt9hXD/Fcb lBx+2OC2leSBBFzgAvijhGJzwB8fcsbesmagSq8Ig6CA4RDQab7cEq/ovNor6294lGd9 kLCw== X-Gm-Message-State: ALKqPweBpKryWVzI8PvLlLiV/18U8HJbcVlx+fDDXTQvwZ8F0UjnbRAM FnoG/RNwF27cImYW6O1Uk5jgga5v9Rtg2YZbyBO9TOPv9TwKYIA9BMuYJFDt8Ytw5RUAWCVksVL JLH7VwVmN6zbanwpHmNRy25d0LAYoekTbsL/mw/yNJhQQkzYZ2G2AfwxjrFrN57DmXy73sKlwcH 58qGShA05NtSGjE4DArfrFEYHzjB5nSyubKlkmD7NSGDaQYqQLYz7G6fsrXpphjpcEaFSgzoEBK N/vt+sybOxWVFhFwykNAehHIXVIIragcGFdvD71tPgZ4h3D0CAN2VrOFuXUZTDEuv1iB0nOyjf2 FNV/1dLzOnznJJMph00GtbHtkhQKWsaO+k/8XyvezJo9xlgLqy3iov9T3SE9GjHlSJDPsYUOUZk R X-Received: by 2002:a50:ab82:: with SMTP id u2-v6mr7298065edc.163.1527346266697; Sat, 26 May 2018 07:51:06 -0700 (PDT) X-Received: by 2002:a50:ab82:: with SMTP id u2-v6mr7298030edc.163.1527346265805; Sat, 26 May 2018 07:51:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527346265; cv=none; d=google.com; s=arc-20160816; b=CZ9CJHseO8pQzsejy0BqrHF+9BOhPKTXQlC2Mk6r+OrR84RqfB5LW4ljVDLv6GHLGU MlmTjLTDfue58TA6l458RTPeXMOD2OBHzcZd+shJAY3RRespFTtR3tCVj8g8BQykAUFz Hj51fjIgmMcb4iI86l+/KNTUYlv5VqTL3fhOWvbGE3Wy+sjSGCDdEIFGKMkrmABTxyvv JIbYZifHZDSjExvU3sHy4l/9oeUfewu7vR/ghIE+bTFlYcFBSUjPtZaytuujyTLnVlNA zI7lmHsWrtscpU645rtMCwJNd9GMizMlVEwa5Hd8Zrh+PVqO+55xnrpeiZbqpQFGlJ/6 eLEA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=message-id:date:subject:cc:to:from:dkim-signature :arc-authentication-results; bh=UfBvKy81DvCZhT/xWeES1XaP2f+fCegu7KUe9s6RsyE=; b=zqEB0WUlVBddwS0D/oeQeRetdrCIXHfRIFzNSXuDcJTeN2am0DkXkYlOJUnybSFagB ZgYI7+wpRbcbT2Ofq3nZhx1G0XgQXWeMjVHlcvYwnhFzIQ4cJbKtzIsdHDPu/hJt3pNF gCciARBKDxbPC4LsjM8xYT9FPnaLOAzJCC+vR/IRgrnTBihHwGkacwvmu0o0gHjnkGS3 4MrLDpUqXiz7QzkthFU7gicsF3fv4d0cN8Wh8u4jK34Uk3fzTOSue7CZfCYKO7MbZS4R vs1ce6phx2BO+OEe6E9sMWmEhs/U3fgT8jDz4TyqVuE4VP5hOgY7mUIo6bq7f/rjFE8J Z7mQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=amhVAVdm; spf=pass (google.com: domain of s.mesoraca16@gmail.com designates 209.85.220.65 as permitted sender) smtp.mailfrom=s.mesoraca16@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65]) by mx.google.com with SMTPS id u1-v6sor13546638edp.37.2018.05.26.07.51.05 for (Google Transport Security); Sat, 26 May 2018 07:51:05 -0700 (PDT) Received-SPF: pass (google.com: domain of s.mesoraca16@gmail.com designates 209.85.220.65 as permitted sender) client-ip=209.85.220.65; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=amhVAVdm; spf=pass (google.com: domain of s.mesoraca16@gmail.com designates 209.85.220.65 as permitted sender) smtp.mailfrom=s.mesoraca16@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=UfBvKy81DvCZhT/xWeES1XaP2f+fCegu7KUe9s6RsyE=; b=amhVAVdmDv3LxUT7pLpOrBy+cK4L9ogBjhqFOf6GRtS3+7oBLFAonN7ZPXy8JdIgEX SepF+8qD2i1TsOwMaSGKJX9VRJ5+j+046BS1qzkOE87856Jk0r1MfC1HOkDZ18DSv1da 3WAebGDCzJSDOaaYVpYsRliHZKiCoNztEZj/8UbdJwj4Fh2h4iJ+S0HG/rrOLJ7fNMp+ VEmEpFzTFr/Xw1VEcb+3B4FpbfBZFdaIMd6FhkR6PtymPSmg0W6UJ2KJeGoGcQJruxq1 saVGszelyA7O846WC7LIPvFRiWDUB/DxeyvcX/ir16dVCbeGW7YItkksWdRYpbDD7B0Q /qnA== X-Google-Smtp-Source: AB8JxZpI70kIaDfx2zeQp74N1Uws4eSWwa1+Z6S2l/N7BhtggKwUrtaUM1ThT4lWvQfNFrmAIcvtdw== X-Received: by 2002:a50:a7c3:: with SMTP id i61-v6mr7441728edc.152.1527346265476; Sat, 26 May 2018 07:51:05 -0700 (PDT) Received: from localhost ([109.112.8.251]) by smtp.gmail.com with ESMTPSA id e56-v6sm2736493edb.31.2018.05.26.07.51.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sat, 26 May 2018 07:51:04 -0700 (PDT) From: Salvatore Mesoraca To: kernel-hardening@lists.openwall.com Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Salvatore Mesoraca , Andrew Morton , Alexey Dobriyan , Akinobu Mita , Dmitry Vyukov , Arnd Bergmann , Davidlohr Bueso , Kees Cook Subject: [PATCH] proc: prevent a task from writing on its own /proc/*/mem Date: Sat, 26 May 2018 16:50:46 +0200 Message-Id: <1527346246-1334-1-git-send-email-s.mesoraca16@gmail.com> X-Mailer: git-send-email 1.9.1 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Prevent a task from opening, in "write" mode, any /proc/*/mem file that operates on the task's mm. /proc/*/mem is mainly a debugging means and, as such, it shouldn't be used by the inspected process itself. Current implementation always allow a task to access its own /proc/*/mem file. A process can use it to overwrite read-only memory, making pointless the use of security_file_mprotect() or other ways to enforce RO memory. Signed-off-by: Salvatore Mesoraca --- fs/proc/base.c | 25 ++++++++++++++++++------- fs/proc/internal.h | 3 ++- fs/proc/task_mmu.c | 4 ++-- fs/proc/task_nommu.c | 2 +- 4 files changed, 23 insertions(+), 11 deletions(-) diff --git a/fs/proc/base.c b/fs/proc/base.c index 1a76d75..01ecfec 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -762,8 +762,9 @@ static int proc_single_open(struct inode *inode, struct file *filp) .release = single_release, }; - -struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode) +struct mm_struct *proc_mem_open(struct inode *inode, + unsigned int mode, + fmode_t f_mode) { struct task_struct *task = get_proc_task(inode); struct mm_struct *mm = ERR_PTR(-ESRCH); @@ -773,10 +774,20 @@ struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode) put_task_struct(task); if (!IS_ERR_OR_NULL(mm)) { - /* ensure this mm_struct can't be freed */ - mmgrab(mm); - /* but do not pin its memory */ - mmput(mm); + /* + * Prevent this interface from being used as a mean + * to bypass memory restrictions, including those + * imposed by LSMs. + */ + if (mm == current->mm && + f_mode & FMODE_WRITE) + mm = ERR_PTR(-EACCES); + else { + /* ensure this mm_struct can't be freed */ + mmgrab(mm); + /* but do not pin its memory */ + mmput(mm); + } } } @@ -785,7 +796,7 @@ struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode) static int __mem_open(struct inode *inode, struct file *file, unsigned int mode) { - struct mm_struct *mm = proc_mem_open(inode, mode); + struct mm_struct *mm = proc_mem_open(inode, mode, file->f_mode); if (IS_ERR(mm)) return PTR_ERR(mm); diff --git a/fs/proc/internal.h b/fs/proc/internal.h index 0f1692e..8d38cc7 100644 --- a/fs/proc/internal.h +++ b/fs/proc/internal.h @@ -275,7 +275,8 @@ struct proc_maps_private { #endif } __randomize_layout; -struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode); +struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode, + fmode_t f_mode); extern const struct file_operations proc_pid_maps_operations; extern const struct file_operations proc_tid_maps_operations; diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index c486ad4..efb6535 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -227,7 +227,7 @@ static int proc_maps_open(struct inode *inode, struct file *file, return -ENOMEM; priv->inode = inode; - priv->mm = proc_mem_open(inode, PTRACE_MODE_READ); + priv->mm = proc_mem_open(inode, PTRACE_MODE_READ, file->f_mode); if (IS_ERR(priv->mm)) { int err = PTR_ERR(priv->mm); @@ -1534,7 +1534,7 @@ static int pagemap_open(struct inode *inode, struct file *file) { struct mm_struct *mm; - mm = proc_mem_open(inode, PTRACE_MODE_READ); + mm = proc_mem_open(inode, PTRACE_MODE_READ, file->f_mode); if (IS_ERR(mm)) return PTR_ERR(mm); file->private_data = mm; diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c index 5b62f57..dc38516 100644 --- a/fs/proc/task_nommu.c +++ b/fs/proc/task_nommu.c @@ -280,7 +280,7 @@ static int maps_open(struct inode *inode, struct file *file, return -ENOMEM; priv->inode = inode; - priv->mm = proc_mem_open(inode, PTRACE_MODE_READ); + priv->mm = proc_mem_open(inode, PTRACE_MODE_READ, file->f_mode); if (IS_ERR(priv->mm)) { int err = PTR_ERR(priv->mm);