From: Kees Cook <keescook@chromium.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
Dave Chinner <david@fromorbit.com>,
Andy Lutomirski <luto@amacapital.net>, Jan Kara <jack@suse.cz>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Mel Gorman <mgorman@suse.de>,
Johannes Weiner <hannes@cmpxchg.org>,
Rik van Riel <riel@redhat.com>,
Matthew Wilcox <willy@linux.intel.com>,
Shachar Raindel <raindel@mellanox.com>,
Boaz Harrosh <boaz@plexistor.com>, Michal Hocko <mhocko@suse.cz>,
Haggai Eran <haggaie@mellanox.com>,
Theodore Tso <tytso@google.com>, Willy Tarreau <w@1wt.eu>,
Dirk Steinmetz <public@rsjtdrjgfuzkfg.com>,
Michael Kerrisk-manpages <mtk.manpages@gmail.com>,
Serge Hallyn <serge.hallyn@ubuntu.com>,
Seth Forshee <seth.forshee@canonical.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>,
"Eric W . Biederman" <ebiederm@xmission.com>,
Serge Hallyn <serge.hallyn@canonical.com>,
Linux-MM <linux-mm@kvack.org>
Subject: Re: [PATCH] fs: clear file set[ug]id when writing via mmap
Date: Thu, 19 Nov 2015 16:52:02 -0800 [thread overview]
Message-ID: <CAGXu5j++UT=qG_hc0yC4H0VSMAnq74hrKaBDdoUL=V7HQUAX=A@mail.gmail.com> (raw)
In-Reply-To: <20151119164114.6b55662050922bfa45de3a94@linux-foundation.org>
On Thu, Nov 19, 2015 at 4:41 PM, Andrew Morton
<akpm@linux-foundation.org> wrote:
> On Thu, 19 Nov 2015 16:10:43 -0800 Kees Cook <keescook@chromium.org> wrote:
>
>> Normally, when a user can modify a file that has setuid or setgid bits,
>> those bits are cleared when they are not the file owner or a member of the
>> group. This is enforced when using write() directly but not when writing
>> to a shared mmap on the file. This could allow the file writer to gain
>> privileges by changing the binary without losing the setuid/setgid bits.
>>
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>> Cc: stable@vger.kernel.org
>> ---
>> mm/memory.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/mm/memory.c b/mm/memory.c
>> index deb679c31f2a..4c970a4e0057 100644
>> --- a/mm/memory.c
>> +++ b/mm/memory.c
>> @@ -2036,6 +2036,7 @@ static inline int wp_page_reuse(struct mm_struct *mm,
>>
>> if (!page_mkwrite)
>> file_update_time(vma->vm_file);
>> + file_remove_privs(vma->vm_file);
>> }
>>
>> return VM_FAULT_WRITE;
>
> file_remove_privs() is depressingly heavyweight. You'd think there was
> some more lightweight way of caching the fact that we've already done
> this.
In theory, the IS_NOSEC(inode) should be fast. Perhaps track it in the
vma or file struct?
> Dumb question: can we run file_remove_privs() once, when the file is
> opened writably, rather than for each and every write into each page?
This got discussed briefly, but I can't remember why it got shot down.
> Also, the proposed patch drops the file_remove_privs() return value on
> the floor and we just go ahead with the modification. How come?
Oh, excellent catch. If it can't drop it, it shouldn't be writable.
I'm not sure what the right abort scenario is in wp_page_reuse. Maybe
move this to start of wp_page_shared instead?
-Kees
--
Kees Cook
Chrome OS Security
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2015-11-20 0:52 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-20 0:10 Kees Cook
2015-11-20 0:41 ` Andrew Morton
2015-11-20 0:52 ` Kees Cook [this message]
2015-11-20 1:00 ` Willy Tarreau
2015-11-20 1:03 ` Willy Tarreau
2015-11-20 1:03 ` Kees Cook
2015-11-20 1:06 ` Willy Tarreau
2015-11-23 12:26 ` Jan Kara
2015-11-23 12:34 ` Eric W. Biederman
2015-12-02 23:55 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGXu5j++UT=qG_hc0yC4H0VSMAnq74hrKaBDdoUL=V7HQUAX=A@mail.gmail.com' \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=boaz@plexistor.com \
--cc=david@fromorbit.com \
--cc=ebiederm@xmission.com \
--cc=haggaie@mellanox.com \
--cc=hannes@cmpxchg.org \
--cc=jack@suse.cz \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@amacapital.net \
--cc=mgorman@suse.de \
--cc=mhocko@suse.cz \
--cc=mtk.manpages@gmail.com \
--cc=public@rsjtdrjgfuzkfg.com \
--cc=raindel@mellanox.com \
--cc=riel@redhat.com \
--cc=serge.hallyn@canonical.com \
--cc=serge.hallyn@ubuntu.com \
--cc=seth.forshee@canonical.com \
--cc=tytso@google.com \
--cc=viro@zeniv.linux.org.uk \
--cc=w@1wt.eu \
--cc=willy@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox