[PATCH 3.12 035/235] fs: exec: apply CLOEXEC before changing dumpable task flags

From: Jiri Slaby
Date: Fri Jan 27 2017 - 05:59:23 EST

Next message: Jiri Slaby: "[PATCH 3.12 037/235] dm space map metadata: fix 'struct sm_metadata' leak on failed create"
Previous message: Jiri Slaby: "[PATCH 3.12 036/235] dm crypt: mark key as invalid until properly loaded"
In reply to: Jiri Slaby: "[PATCH 3.12 036/235] dm crypt: mark key as invalid until properly loaded"
Next in thread: Jiri Slaby: "[PATCH 3.12 037/235] dm space map metadata: fix 'struct sm_metadata' leak on failed create"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Aleksa Sarai <asarai@xxxxxxx>

3.12-stable review patch. If anyone has any objections, please let me know.

===============

commit 613cc2b6f272c1a8ad33aefa21cad77af23139f7 upstream.

If you have a process that has set itself to be non-dumpable, and it
then undergoes exec(2), any CLOEXEC file descriptors it has open are
"exposed" during a race window between the dumpable flags of the process
being reset for exec(2) and CLOEXEC being applied to the file
descriptors. This can be exploited by a process by attempting to access
/proc/<pid>/fd/... during this window, without requiring CAP_SYS_PTRACE.

The race in question is after set_dumpable has been (for get_link,
though the trace is basically the same for readlink):

[vfs]
-> proc_pid_link_inode_operations.get_link
-> proc_pid_get_link
-> proc_fd_access_allowed
-> ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);

Which will return 0, during the race window and CLOEXEC file descriptors
will still be open during this window because do_close_on_exec has not
been called yet. As a result, the ordering of these calls should be
reversed to avoid this race window.

This is of particular concern to container runtimes, where joining a
PID namespace with file descriptors referring to the host filesystem
can result in security issues (since PRCTL_SET_DUMPABLE doesn't protect
against access of CLOEXEC file descriptors -- file descriptors which may
reference filesystem objects the container shouldn't have access to).

Cc: dev@xxxxxxxxxxxxxxxxxx
Reported-by: Michael Crosby <crosbymichael@xxxxxxxxx>
Signed-off-by: Aleksa Sarai <asarai@xxxxxxx>
Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Signed-off-by: Jiri Slaby <jslaby@xxxxxxx>
---
fs/exec.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index d8b46a197172..f33c0fff702c 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -19,7 +19,7 @@
* current->executable is only used by the procfs. This allows a dispatch
* table to check for several different types of binary formats. We keep
* trying until we recognize the file or we run out of supported binary
- * formats.
+ * formats.
*/

#include <linux/slab.h>
@@ -1098,6 +1098,13 @@ int flush_old_exec(struct linux_binprm * bprm)
flush_thread();
current->personality &= ~bprm->per_clear;

+ /*
+ * We have to apply CLOEXEC before we change whether the process is
+ * dumpable (in setup_new_exec) to avoid a race with a process in userspace
+ * trying to access the should-be-closed file descriptors of a process
+ * undergoing exec(2).
+ */
+ do_close_on_exec(current->files);
return 0;

out:
@@ -1148,7 +1155,6 @@ void setup_new_exec(struct linux_binprm * bprm)
current->self_exec_id++;

flush_signal_handlers(current, 0);
- do_close_on_exec(current->files);
}
EXPORT_SYMBOL(setup_new_exec);

--
2.11.0

Next message: Jiri Slaby: "[PATCH 3.12 037/235] dm space map metadata: fix 'struct sm_metadata' leak on failed create"
Previous message: Jiri Slaby: "[PATCH 3.12 036/235] dm crypt: mark key as invalid until properly loaded"
In reply to: Jiri Slaby: "[PATCH 3.12 036/235] dm crypt: mark key as invalid until properly loaded"
Next in thread: Jiri Slaby: "[PATCH 3.12 037/235] dm space map metadata: fix 'struct sm_metadata' leak on failed create"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]