[PATCH] proc: Check /proc/$pid/attr/ writes against file opener

From: Kees Cook
Date: Tue May 25 2021 - 15:37:44 EST

Next message: Alexander Sverdlin: "Re: [PATCH 1/1] ep93xx: clock: convert in-place to COMMON_CLK"
Previous message: Pratyush Yadav: "Re: [PATCH v4 4/4] mtd: spi-nor: otp: implement erase for Winbond and similar flashes"
Next in thread: Jann Horn: "Re: [PATCH] proc: Check /proc/$pid/attr/ writes against file opener"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Fix another "confused deputy" weakness[1]. Writes to /proc/$pid/attr/
files need to check the opener credentials, since these fds do not
transition state across execve(). Without this, it is possible to
trick another process (which may have different credentials) to write
to its own /proc/$pid/attr/ files, leading to unexpected and possibly
exploitable behaviors.

[1] https://www.kernel.org/doc/html/latest/security/credentials.html?highlight=confused#open-file-credentials

Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
---
fs/proc/base.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 3851bfcdba56..58bbf334265b 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2703,6 +2703,10 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
void *page;
int rv;

+ /* A task may only write when it was the opener. */
+ if (file->f_cred != current_real_cred())
+ return -EPERM;
+
rcu_read_lock();
task = pid_task(proc_pid(inode), PIDTYPE_PID);
if (!task) {
--
2.25.1

Next message: Alexander Sverdlin: "Re: [PATCH 1/1] ep93xx: clock: convert in-place to COMMON_CLK"
Previous message: Pratyush Yadav: "Re: [PATCH v4 4/4] mtd: spi-nor: otp: implement erase for Winbond and similar flashes"
Next in thread: Jann Horn: "Re: [PATCH] proc: Check /proc/$pid/attr/ writes against file opener"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]