From patchwork Sun Dec 1 01:58:01 2019
X-Patchwork-Submitter: Andrew Morton
X-Patchwork-Id: 11268475
Date: Sat, 30 Nov 2019 17:58:01 -0800
From: akpm@linux-foundation.org
To: aarcange@redhat.com, akpm@linux-foundation.org, cyphar@cyphar.com, dancol@google.com, jannh@google.com, linux-mm@kvack.org, lokeshgidra@google.com, mm-commits@vger.kernel.org, nnk@google.com, nosh@google.com, ovzxemul@gmail.com, rppt@linux.ibm.com, timmurray@google.com, torvalds@linux-foundation.org
Subject: [patch 149/158] userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK
Message-ID: <20191201015801.SW5FAPUDb%akpm@linux-foundation.org>

From: Mike Rapoport
Subject: userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK

A while ago Andy noticed (http://lkml.kernel.org/r/CALCETrWY+5ynDct7eU_nDUqx=okQvjm=Y5wJvA4ahBja=CQXGw@mail.gmail.com) that UFFD_FEATURE_EVENT_FORK used by an unprivileged user may have security implications.

As the first step of the solution the following patch limits the availability of UFFD_FEATURE_EVENT_FORK only for those having CAP_SYS_PTRACE.

The usage of CAP_SYS_PTRACE ensures compatibility with CRIU. Yet, if there are other users of non-cooperative userfaultfd that run without CAP_SYS_PTRACE, they would be broken :(

Current implementation of UFFD_FEATURE_EVENT_FORK modifies the file descriptor table from the read() implementation of uffd, which may have security implications for unprivileged use of the userfaultfd.

Limit availability of UFFD_FEATURE_EVENT_FORK only for callers that have CAP_SYS_PTRACE.

Link: http://lkml.kernel.org/r/1572967777-8812-2-git-send-email-rppt@linux.ibm.com
Signed-off-by: Mike Rapoport
Reviewed-by: Andrea Arcangeli
Cc: Daniel Colascione
Cc: Jann Horn
Cc: Lokesh Gidra
Cc: Nick Kralevich
Cc: Nosh Minwalla
Cc: Pavel Emelyanov
Cc: Tim Murray
Cc: Aleksa Sarai
Signed-off-by: Andrew Morton --- fs/userfaultfd.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) --- a/fs/userfaultfd.c~userfaultfd-require-cap_sys_ptrace-for-uffd_feature_event_fork +++ a/fs/userfaultfd.c @@ -1835,13 +1835,12 @@ static int userfaultfd_api(struct userfa if (copy_from_user(&uffdio_api, buf, sizeof(uffdio_api))) goto out; features = uffdio_api.features; - if (uffdio_api.api != UFFD_API || (features & ~UFFD_API_FEATURES)) { - memset(&uffdio_api, 0, sizeof(uffdio_api)); - if (copy_to_user(buf, &uffdio_api, sizeof(uffdio_api))) - goto out; - ret = -EINVAL; - goto out; - } + ret = -EINVAL; + if (uffdio_api.api != UFFD_API || (features & ~UFFD_API_FEATURES)) + goto err_out; + ret = -EPERM; + if ((features & UFFD_FEATURE_EVENT_FORK) && !capable(CAP_SYS_PTRACE)) + goto err_out; /* report all available features and ioctls to userland */ uffdio_api.features = UFFD_API_FEATURES; uffdio_api.ioctls = UFFD_API_IOCTLS; @@ -1854,6 +1853,11 @@ static int userfaultfd_api(struct userfa ret = 0; out: return ret; +err_out: + memset(&uffdio_api, 0, sizeof(uffdio_api)); + if (copy_to_user(buf, &uffdio_api, sizeof(uffdio_api))) + ret = -EFAULT; + goto out; } static long userfaultfd_ioctl(struct file *file, unsigned cmd,
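Review bot: in the first hunk the new `ret = -EPERM;` check on UFFD_FEATURE_EVENT_FORK runs before the unchanged line `uffdio_api.features = UFFD_API_FEATURES;`, so an unprivileged caller that requests no features is still told the kernel offers EVENT_FORK and only learns otherwise when a later UFFDIO_API fails with EPERM. Consider masking UFFD_FEATURE_EVENT_FORK out of the reported features when `!capable(CAP_SYS_PTRACE)`, or at least documenting in the changelog and the userfaultfd documentation that UFFDIO_API can now fail with EPERM, since userspace written against the old code expects only EINVAL from this ioctl. Also worth stating in the changelog: `capable()` tests the capability against the initial user namespace, so a process that holds CAP_SYS_PTRACE only inside a container's own user namespace is refused too, which fits the CRIU use case but will surprise other non-cooperative users.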
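Review bot: the `err_out:` block in the second hunk is placed after `out: return ret;` and ends with `goto out`, whose only effect is to execute that return; a direct `return ret;` at the end of err_out, or ordering err_out before out, would let the error path read top to bottom. The block also deserves a behaviour note in the changelog: on the new EPERM path the caller receives the same zeroed uffdio_api as on EINVAL, so userspace can distinguish the two only by errno, and a copy_to_user failure now explicitly yields -EFAULT instead of relying on whatever value ret happened to hold, which is the clearer choice.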
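As an added example, not part of the patch or of the kernel tree, here is a userspace probe for the gate this patch introduces. It opens a userfaultfd, performs the UFFDIO_API handshake with UFFD_FEATURE_EVENT_FORK requested and classifies the result, so a practitioner can tell a kernel that enforces the CAP_SYS_PTRACE requirement (EPERM) from one that does not (success) or that predates the feature (EINVAL). It also checks the control case the hunk's err_out path covers: a feature bit no kernel defines is refused with EINVAL and the struct comes back zeroed. The enum names, the helper names and the retry with UFFD_USER_MODE_ONLY (a uapi flag newer than this patch, defined locally only so the code compiles against older headers) are this example's own assumptions; Linux only.

```c
/*
 * Added example: probe whether UFFD_FEATURE_EVENT_FORK is gated on
 * CAP_SYS_PTRACE.  Not part of the patch; helper names are ours.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/userfaultfd.h>

#ifndef UFFD_USER_MODE_ONLY
#define UFFD_USER_MODE_ONLY 1 /* newer uapi flag; defined here only so the retry below compiles with old headers */
#endif

enum uffd_probe {
    UFFD_PROBE_UNAVAILABLE = 0, /* userfaultfd() failed: old kernel, seccomp, or vm.unprivileged_userfaultfd=0 */
    UFFD_PROBE_GRANTED,         /* feature accepted: caller has CAP_SYS_PTRACE or the kernel predates the check */
    UFFD_PROBE_EPERM,           /* refused with EPERM: the check this patch adds, caller lacks CAP_SYS_PTRACE */
    UFFD_PROBE_EINVAL,          /* refused with EINVAL: unknown feature bit or bad api value */
    UFFD_PROBE_OTHER,
};

/* Create a uffd; retry with UFFD_USER_MODE_ONLY for kernels that refuse plain unprivileged creation. */
static int open_uffd(void)
{
    int fd = (int)syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
    if (fd < 0 && errno == EPERM)
        fd = (int)syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK | UFFD_USER_MODE_ONLY);
    return fd;
}

/*
 * One UFFDIO_API handshake requesting `features` on a fresh uffd.  The struct
 * the kernel copies back lands in *reply; on the EINVAL path (and, with this
 * patch, the EPERM path) the kernel zeroes it before copying it out.
 */
enum uffd_probe request_features(__u64 features, struct uffdio_api *reply)
{
    struct uffdio_api api = { .api = UFFD_API, .features = features };
    int fd = open_uffd();
    if (fd < 0)
        return UFFD_PROBE_UNAVAILABLE;
    int rc = ioctl(fd, UFFDIO_API, &api);
    int err = errno;
    close(fd);
    if (reply)
        *reply = api;
    if (rc == 0)
        return UFFD_PROBE_GRANTED;
    if (err == EPERM)
        return UFFD_PROBE_EPERM;
    if (err == EINVAL)
        return UFFD_PROBE_EINVAL;
    return UFFD_PROBE_OTHER;
}

enum uffd_probe probe_event_fork(struct uffdio_api *reply)
{
    return request_features(UFFD_FEATURE_EVENT_FORK, reply);
}

/* Control case: a feature bit no kernel defines must be refused with EINVAL and the reply zeroed. */
int undefined_feature_is_rejected(void)
{
    struct uffdio_api reply;
    enum uffd_probe r = request_features(1ULL << 63, &reply);
    if (r == UFFD_PROBE_UNAVAILABLE)
        return 1; /* cannot exercise the ioctl here; nothing contradicted */
    return r == UFFD_PROBE_EINVAL && reply.api == 0 && reply.features == 0;
}

int main(void)
{
    struct uffdio_api reply;
    switch (probe_event_fork(&reply)) {
    case UFFD_PROBE_UNAVAILABLE:
        puts("userfaultfd() failed; cannot probe (seccomp, sysctl or old kernel)");
        break;
    case UFFD_PROBE_GRANTED:
        printf("EVENT_FORK granted (advertised features 0x%llx): CAP_SYS_PTRACE held or check absent\n",
               (unsigned long long)reply.features);
        break;
    case UFFD_PROBE_EPERM:
        puts("EVENT_FORK refused with EPERM: CAP_SYS_PTRACE requirement is enforced");
        break;
    case UFFD_PROBE_EINVAL:
        puts("EVENT_FORK refused with EINVAL: kernel does not know the feature bit");
        break;
    default:
        perror("UFFDIO_API");
    }
    printf("undefined feature bit rejected and zeroed: %s\n",
           undefined_feature_is_rejected() ? "yes" : "NO");
    return 0;
}
```

Run it twice, once as an ordinary user and once with `CAP_SYS_PTRACE` (for example via `sudo`), on a kernel with this patch: the first run reports EPERM, the second reports the feature as granted. Because the advertised feature mask in a successful reply is not filtered by privilege, a program should treat EPERM from UFFDIO_API as a possible outcome rather than assuming EINVAL is the only error.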