From patchwork Mon Nov 20 22:58:30 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 10067437 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 359B160375 for ; Mon, 20 Nov 2017 22:58:50 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 256E621E5A for ; Mon, 20 Nov 2017 22:58:50 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 18A17286CC; Mon, 20 Nov 2017 22:58:50 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED,FREEMAIL_FROM,RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8649921E5A for ; Mon, 20 Nov 2017 22:58:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751466AbdKTW6i (ORCPT ); Mon, 20 Nov 2017 17:58:38 -0500 Received: from mail-io0-f193.google.com ([209.85.223.193]:33653 "EHLO mail-io0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751158AbdKTW6f (ORCPT ); Mon, 20 Nov 2017 17:58:35 -0500 Received: by mail-io0-f193.google.com with SMTP id i184so10037742ioa.0; Mon, 20 Nov 2017 14:58:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=ShBSPhGbxCiTxYcopktfArrA9C7AeXOm1e272PXnSAE=; b=avKTk3eLV12chAldQYNziTNqvam+wocSFbJl+zYC1ytUeYuRGPe9E4ET1kv8L1Ze9Q OC+hRZwjjxsbLma+EQDx71bBAQWMVdFMxYkB6vwOJmq56SCicXF/1TRGoyvR0KImkvSW qmBheeOGr5Vbav9NKX3KrD8EDbVH9ynwx5roJ6Y444fWII0y/bmdjx87dej+KDVYMaM9 E4hS8MLMnkARTt3a7WOPQE46kONXNK7Jin8EuolEDam6L2Sclwxt/CwUvBsxKCfOjm0q 4dfFE3bqoxLz/7Ls0iAOkwSnEowt404A1wrFNyPeudOMPZtE6XRWXGfBqaDtBaHQWrfH eFyA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=ShBSPhGbxCiTxYcopktfArrA9C7AeXOm1e272PXnSAE=; b=mE6A4w42Q8h3rcgu3RV3gZScPd3klUzgmRensxTihfGrsK4DsVeLB5WvE4gSJSaxF9 2Unm2tLknxKbrVbjqplyV/AhKZyPMVxyES1+mX6Y83RwdMSwSvMRkEMxvqNCPQ7t0rgr 8sUGDzj3oZtd3qax+tQMbDx5GKAxOOtVA/YTAAm4Tcl7RALx70gBznN/ObweabJCTQnD 19ZqoKkYJ6xbz2aa0vnmMOKOyQmmYx9c/amwPXe5sldtDZsEBgj6p2zWdN4Npt8izmoG ytoRmeZYAvRYlY1kE7ureMG/NVRX/ofBDqV8nfEF4wRUivZkPohN/MQANTumEn0JepuY toJw== X-Gm-Message-State: AJaThX7ZM3OAo3Z0PCAA3jWx1i2suuuSauDNYBZZONdPJzgeecTNFTWT Z+XM2mDkTBo6MUZzAU2GmIZ4cKQq X-Google-Smtp-Source: AGs4zMbmVYHsUqIXWEIA3JIr2uNdn6xkgJXPwpaELfTqQiERLAGyqxd1LvMzM5uxO7CG3yzcBQJnVg== X-Received: by 10.107.27.6 with SMTP id b6mr14682220iob.277.1511218714258; Mon, 20 Nov 2017 14:58:34 -0800 (PST) Received: from ebiggers-linuxstation.kir.corp.google.com ([100.66.175.88]) by smtp.gmail.com with ESMTPSA id e12sm4953746iod.4.2017.11.20.14.58.33 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 20 Nov 2017 14:58:33 -0800 (PST) From: Eric Biggers To: keyrings@vger.kernel.org, David Howells Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Eric Biggers , stable@vger.kernel.org Subject: [PATCH] KEYS: add missing permission check for request_key() destination Date: Mon, 20 Nov 2017 14:58:30 -0800 Message-Id: <20171120225830.96642-1-ebiggers3@gmail.com> X-Mailer: git-send-email 2.15.0.448.gf294e3d99a-goog Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers When the request_key() syscall is not passed a destination keyring, it links the requested key (if constructed) into the "default" request-key keyring. This should require Write permission to the keyring. However, there is actually no permission check. This can be abused to add keys to any keyring to which only Search permission is granted. This is because Search permission allows joining the keyring. keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_SESSION_KEYRING) then will set the default request-key keyring to the session keyring. Then, request_key() can be used to add keys to the keyring. Both negatively and positively instantiated keys can be added using this method. Adding negative keys is trivial. Adding a positive key is a bit trickier. It requires that either /sbin/request-key positively instantiates the key, or that another thread adds the key to the process keyring at just the right time, such that request_key() misses it initially but then finds it in construct_alloc_key(). Fix this bug by checking for Write permission to the keyring in construct_get_dest_keyring() when the default keyring is being used. We don't do the permission check for non-default keyrings because that was already done by the earlier call to lookup_user_key(). Also, request_key_and_link() is currently passed a 'struct key *' rather than a key_ref_t, so the "possessed" bit is unavailable. We also don't do the permission check for the "requestor keyring", to continue to support the use case described by commit 8bbf4976b59f ("KEYS: Alter use of key instantiation link-to-keyring argument") where /sbin/request-key recursively calls request_key() to add keys to the original requestor's destination keyring. (I don't know of any users who actually do that, though...) Fixes: 3e30148c3d52 ("[PATCH] Keys: Make request-key create an authorisation key") Cc: # v2.6.13+ Signed-off-by: Eric Biggers --- security/keys/request_key.c | 46 ++++++++++++++++++++++++++++++++++++--------- 1 file changed, 37 insertions(+), 9 deletions(-) diff --git a/security/keys/request_key.c b/security/keys/request_key.c index c6880af8b411..4557c1c368aa 100644 --- a/security/keys/request_key.c +++ b/security/keys/request_key.c @@ -251,11 +251,12 @@ static int construct_key(struct key *key, const void *callout_info, * The keyring selected is returned with an extra reference upon it which the * caller must release. */ -static void construct_get_dest_keyring(struct key **_dest_keyring) +static int construct_get_dest_keyring(struct key **_dest_keyring) { struct request_key_auth *rka; const struct cred *cred = current_cred(); struct key *dest_keyring = *_dest_keyring, *authkey; + int ret; kenter("%p", dest_keyring); @@ -264,6 +265,8 @@ static void construct_get_dest_keyring(struct key **_dest_keyring) /* the caller supplied one */ key_get(dest_keyring); } else { + bool do_perm_check = true; + /* use a default keyring; falling through the cases until we * find one that we actually have */ switch (cred->jit_keyring) { @@ -278,8 +281,10 @@ static void construct_get_dest_keyring(struct key **_dest_keyring) dest_keyring = key_get(rka->dest_keyring); up_read(&authkey->sem); - if (dest_keyring) + if (dest_keyring) { + do_perm_check = false; break; + } } case KEY_REQKEY_DEFL_THREAD_KEYRING: @@ -314,11 +319,29 @@ static void construct_get_dest_keyring(struct key **_dest_keyring) default: BUG(); } + + /* + * Require Write permission on the keyring. This is essential + * because the default keyring may be the session keyring, and + * joining a keyring only requires Search permission. + * + * However, this check is skipped for the "requestor keyring" so + * that /sbin/request-key can itself use request_key() to add + * keys to the original requestor's destination keyring. + */ + if (do_perm_check) { + ret = key_permission(make_key_ref(dest_keyring, 1), + KEY_NEED_WRITE); + if (ret) { + key_put(dest_keyring); + return ret; + } + } } *_dest_keyring = dest_keyring; kleave(" [dk %d]", key_serial(dest_keyring)); - return; + return 0; } /* @@ -444,11 +467,15 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx, if (ctx->index_key.type == &key_type_keyring) return ERR_PTR(-EPERM); - user = key_user_lookup(current_fsuid()); - if (!user) - return ERR_PTR(-ENOMEM); + ret = construct_get_dest_keyring(&dest_keyring); + if (ret) + goto error; - construct_get_dest_keyring(&dest_keyring); + user = key_user_lookup(current_fsuid()); + if (!user) { + ret = -ENOMEM; + goto error_put_dest_keyring; + } ret = construct_alloc_key(ctx, dest_keyring, flags, user, &key); key_user_put(user); @@ -463,7 +490,7 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx, } else if (ret == -EINPROGRESS) { ret = 0; } else { - goto couldnt_alloc_key; + goto error_put_dest_keyring; } key_put(dest_keyring); @@ -473,8 +500,9 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx, construction_failed: key_negate_and_link(key, key_negative_timeout, NULL, NULL); key_put(key); -couldnt_alloc_key: +error_put_dest_keyring: key_put(dest_keyring); +error: kleave(" = %d", ret); return ERR_PTR(ret); }