[PATCH v2 0/3] Relocate execve() sanity checks

[PATCH v2 0/3] Relocate execve() sanity checks

[Kees Cook]

Hi,

While looking at the code paths for the proposed O_MAYEXEC flag, I saw
some things that looked like they should be fixed up.

  exec: Change uselib(2) IS_SREG() failure to EACCES
	This just regularizes the return code on uselib(2).

  exec: Move S_ISREG() check earlier
	This moves the S_ISREG() check even earlier than it was already.

  exec: Move path_noexec() check earlier
	This adds the path_noexec() check to the same place as the
	S_ISREG() check.

v2:
- move checks into may_open() using acc_mode instead of f_mode to correctly
  compose with other inode file type tests[1].
- drop the FMODE_EXEC f_flags -> f_mode change for now since it remains
  unclear if it's useful (and is not needed any more for this series).
v1: https://lore.kernel.org/linux-api/20200518055457.12302-1-keescook@chromium.org/

Thanks!

-Kees

[1] https://lore.kernel.org/lkml/202006041910.9EF0C602@keescook/

Kees Cook (3):
  exec: Change uselib(2) IS_SREG() failure to EACCES
  exec: Move S_ISREG() check earlier
  exec: Move path_noexec() check earlier

 fs/exec.c  | 23 ++++++++++++++---------
 fs/namei.c | 10 ++++++++--
 fs/open.c  |  6 ------
 3 files changed, 22 insertions(+), 17 deletions(-)

-- 
2.25.1

[PATCH v2 1/3] exec: Change uselib(2) IS_SREG() failure to EACCES

[Kees Cook]

Change uselib(2)' S_ISREG() error return to EACCES instead of EINVAL so
the behavior matches execve(2), and the seemingly documented value.
The "not a regular file" failure mode of execve(2) is explicitly
documented[1], but it is not mentioned in uselib(2)[2] which does,
however, say that open(2) and mmap(2) errors may apply. The documentation
for open(2) does not include a "not a regular file" error[3], but mmap(2)
does[4], and it is EACCES.

[1] http://man7.org/linux/man-pages/man2/execve.2.html#ERRORS
[2] http://man7.org/linux/man-pages/man2/uselib.2.html#ERRORS
[3] http://man7.org/linux/man-pages/man2/open.2.html#ERRORS
[4] http://man7.org/linux/man-pages/man2/mmap.2.html#ERRORS

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
---
 fs/exec.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index 06b4c550af5d..30735ce1dc0e 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -139,11 +139,10 @@ SYSCALL_DEFINE1(uselib, const char __user *, library)
 	if (IS_ERR(file))
 		goto out;
 
-	error = -EINVAL;
+	error = -EACCES;
 	if (!S_ISREG(file_inode(file)->i_mode))
 		goto exit;
 
-	error = -EACCES;
 	if (path_noexec(&file->f_path))
 		goto exit;
 
-- 
2.25.1

[PATCH v2 2/3] exec: Move S_ISREG() check earlier

[Kees Cook]

The execve(2)/uselib(2) syscalls have always rejected non-regular
files. Recently, it was noticed that a deadlock was introduced when trying
to execute pipes, as the S_ISREG() test was happening too late. This was
fixed in commit 73601ea5b7b1 ("fs/open.c: allow opening only regular files
during execve()"), but it was added after inode_permission() had already
run, which meant LSMs could see bogus attempts to execute non-regular
files.

Move the test into the other inode type checks (which already look
for other pathological conditions[1]). Since there is no need to use
FMODE_EXEC while we still have access to "acc_mode", also switch the
test to MAY_EXEC.

Also include a comment with the redundant S_ISREG() checks at the end of
execve(2)/uselib(2) to note that they are present to avoid any mistakes.

My notes on the call path, and related arguments, checks, etc:

do_open_execat()
    struct open_flags open_exec_flags = {
        .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
        .acc_mode = MAY_EXEC,
        ...
    do_filp_open(dfd, filename, open_flags)
        path_openat(nameidata, open_flags, flags)
            file = alloc_empty_file(open_flags, current_cred());
            do_open(nameidata, file, open_flags)
                may_open(path, acc_mode, open_flag)
		    /* new location of MAY_EXEC vs S_ISREG() test */
                    inode_permission(inode, MAY_OPEN | acc_mode)
                        security_inode_permission(inode, acc_mode)
                vfs_open(path, file)
                    do_dentry_open(file, path->dentry->d_inode, open)
                        /* old location of FMODE_EXEC vs S_ISREG() test */
                        security_file_open(f)
                        open()

[1] https://lore.kernel.org/lkml/202006041910.9EF0C602@keescook/

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 fs/exec.c  | 14 ++++++++++++--
 fs/namei.c |  6 ++++--
 fs/open.c  |  6 ------
 3 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index 30735ce1dc0e..2b708629dcd6 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -139,8 +139,13 @@ SYSCALL_DEFINE1(uselib, const char __user *, library)
 	if (IS_ERR(file))
 		goto out;
 
+	/*
+	 * may_open() has already checked for this, so it should be
+	 * impossible to trip now. But we need to be extra cautious
+	 * and check again at the very end too.
+	 */
 	error = -EACCES;
-	if (!S_ISREG(file_inode(file)->i_mode))
+	if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)))
 		goto exit;
 
 	if (path_noexec(&file->f_path))
@@ -860,8 +865,13 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags)
 	if (IS_ERR(file))
 		goto out;
 
+	/*
+	 * may_open() has already checked for this, so it should be
+	 * impossible to trip now. But we need to be extra cautious
+	 * and check again at the very end too.
+	 */
 	err = -EACCES;
-	if (!S_ISREG(file_inode(file)->i_mode))
+	if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)))
 		goto exit;
 
 	if (path_noexec(&file->f_path))
diff --git a/fs/namei.c b/fs/namei.c
index a320371899cf..0a759b68d66e 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2835,16 +2835,18 @@ static int may_open(const struct path *path, int acc_mode, int flag)
 	case S_IFLNK:
 		return -ELOOP;
 	case S_IFDIR:
-		if (acc_mode & MAY_WRITE)
+		if (acc_mode & (MAY_WRITE | MAY_EXEC))
 			return -EISDIR;
 		break;
 	case S_IFBLK:
 	case S_IFCHR:
 		if (!may_open_dev(path))
 			return -EACCES;
-		/*FALLTHRU*/
+		fallthrough;
 	case S_IFIFO:
 	case S_IFSOCK:
+		if (acc_mode & MAY_EXEC)
+			return -EACCES;
 		flag &= ~O_TRUNC;
 		break;
 	}
diff --git a/fs/open.c b/fs/open.c
index 719b320ede52..bb16e4e3cd57 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -753,12 +753,6 @@ static int do_dentry_open(struct file *f,
 		return 0;
 	}
 
-	/* Any file opened for execve()/uselib() has to be a regular file. */
-	if (unlikely(f->f_flags & FMODE_EXEC && !S_ISREG(inode->i_mode))) {
-		error = -EACCES;
-		goto cleanup_file;
-	}
-
 	if (f->f_mode & FMODE_WRITE && !special_file(inode->i_mode)) {
 		error = get_write_access(inode);
 		if (unlikely(error))
-- 
2.25.1

[PATCH v2 3/3] exec: Move path_noexec() check earlier

[Kees Cook]

The path_noexec() check, like the regular file check, was happening too
late, letting LSMs see impossible execve()s. Check it earlier as well
in may_open() and collect the redundant fs/exec.c path_noexec() test
under the same robustness comment as the S_ISREG() check.

My notes on the call path, and related arguments, checks, etc:

do_open_execat()
    struct open_flags open_exec_flags = {
        .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
        .acc_mode = MAY_EXEC,
        ...
    do_filp_open(dfd, filename, open_flags)
        path_openat(nameidata, open_flags, flags)
            file = alloc_empty_file(open_flags, current_cred());
            do_open(nameidata, file, open_flags)
                may_open(path, acc_mode, open_flag)
                    /* new location of MAY_EXEC vs path_noexec() test */
                    inode_permission(inode, MAY_OPEN | acc_mode)
                        security_inode_permission(inode, acc_mode)
                vfs_open(path, file)
                    do_dentry_open(file, path->dentry->d_inode, open)
                        security_file_open(f)
                        open()
    /* old location of path_noexec() test */

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 fs/exec.c  | 12 ++++--------
 fs/namei.c |  4 ++++
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index 2b708629dcd6..7ac50a260df3 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -145,10 +145,8 @@ SYSCALL_DEFINE1(uselib, const char __user *, library)
 	 * and check again at the very end too.
 	 */
 	error = -EACCES;
-	if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)))
-		goto exit;
-
-	if (path_noexec(&file->f_path))
+	if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) ||
+			 path_noexec(&file->f_path)))
 		goto exit;
 
 	fsnotify_open(file);
@@ -871,10 +869,8 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags)
 	 * and check again at the very end too.
 	 */
 	err = -EACCES;
-	if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)))
-		goto exit;
-
-	if (path_noexec(&file->f_path))
+	if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) ||
+			 path_noexec(&file->f_path)))
 		goto exit;
 
 	err = deny_write_access(file);
diff --git a/fs/namei.c b/fs/namei.c
index 0a759b68d66e..41e6fed8ce69 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2849,6 +2849,10 @@ static int may_open(const struct path *path, int acc_mode, int flag)
 			return -EACCES;
 		flag &= ~O_TRUNC;
 		break;
+	case S_IFREG:
+		if ((acc_mode & MAY_EXEC) && path_noexec(path))
+			return -EACCES;
+		break;
 	}
 
 	error = inode_permission(inode, MAY_OPEN | acc_mode);
-- 
2.25.1

Re: [PATCH v2 0/3] Relocate execve() sanity checks

[Andrew Morton]

On Fri,  5 Jun 2020 09:00:10 -0700 Kees Cook <keescook@chromium.org> wrote:

> While looking at the code paths for the proposed O_MAYEXEC flag, I saw
> some things that looked like they should be fixed up.
> 
>   exec: Change uselib(2) IS_SREG() failure to EACCES
> 	This just regularizes the return code on uselib(2).
> 
>   exec: Move S_ISREG() check earlier
> 	This moves the S_ISREG() check even earlier than it was already.
> 
>   exec: Move path_noexec() check earlier
> 	This adds the path_noexec() check to the same place as the
> 	S_ISREG() check.

Thanks.

These don't seem super-urgent and they aren't super-reviewed, so I
suggest we hold them off until the next cycle?

Re: [PATCH v2 0/3] Relocate execve() sanity checks

[Kees Cook]

On Fri, Jun 05, 2020 at 05:40:53PM -0700, Andrew Morton wrote:
> On Fri,  5 Jun 2020 09:00:10 -0700 Kees Cook <keescook@chromium.org> wrote:
> 
> > While looking at the code paths for the proposed O_MAYEXEC flag, I saw
> > some things that looked like they should be fixed up.
> > 
> >   exec: Change uselib(2) IS_SREG() failure to EACCES
> > 	This just regularizes the return code on uselib(2).
> > 
> >   exec: Move S_ISREG() check earlier
> > 	This moves the S_ISREG() check even earlier than it was already.
> > 
> >   exec: Move path_noexec() check earlier
> > 	This adds the path_noexec() check to the same place as the
> > 	S_ISREG() check.
> 
> Thanks.
> 
> These don't seem super-urgent and they aren't super-reviewed, so I
> suggest we hold them off until the next cycle?

Agreed; that's fine by me. It's mostly clean up and preparation for
performing future checking through the MAY_EXEC path.

And I'd love to get an Ack from Al or Aleksa, nudge nudge. :)

-- 
Kees Cook

Re: [PATCH v2 2/3] exec: Move S_ISREG() check earlier

[Marc Zyngier]

On Fri,  5 Jun 2020 09:00:12 -0700
Kees Cook <keescook@chromium.org> wrote:

Hi Kees,

> The execve(2)/uselib(2) syscalls have always rejected non-regular
> files. Recently, it was noticed that a deadlock was introduced when trying
> to execute pipes, as the S_ISREG() test was happening too late. This was
> fixed in commit 73601ea5b7b1 ("fs/open.c: allow opening only regular files
> during execve()"), but it was added after inode_permission() had already
> run, which meant LSMs could see bogus attempts to execute non-regular
> files.
> 
> Move the test into the other inode type checks (which already look
> for other pathological conditions[1]). Since there is no need to use
> FMODE_EXEC while we still have access to "acc_mode", also switch the
> test to MAY_EXEC.
> 
> Also include a comment with the redundant S_ISREG() checks at the end of
> execve(2)/uselib(2) to note that they are present to avoid any mistakes.
> 
> My notes on the call path, and related arguments, checks, etc:
> 
> do_open_execat()
>     struct open_flags open_exec_flags = {
>         .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
>         .acc_mode = MAY_EXEC,
>         ...
>     do_filp_open(dfd, filename, open_flags)
>         path_openat(nameidata, open_flags, flags)
>             file = alloc_empty_file(open_flags, current_cred());
>             do_open(nameidata, file, open_flags)
>                 may_open(path, acc_mode, open_flag)
> 		    /* new location of MAY_EXEC vs S_ISREG() test */
>                     inode_permission(inode, MAY_OPEN | acc_mode)
>                         security_inode_permission(inode, acc_mode)
>                 vfs_open(path, file)
>                     do_dentry_open(file, path->dentry->d_inode, open)
>                         /* old location of FMODE_EXEC vs S_ISREG() test */
>                         security_file_open(f)
>                         open()
> 
> [1] https://lore.kernel.org/lkml/202006041910.9EF0C602@keescook/
> 
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  fs/exec.c  | 14 ++++++++++++--
>  fs/namei.c |  6 ++++--
>  fs/open.c  |  6 ------
>  3 files changed, 16 insertions(+), 10 deletions(-)
> 
> diff --git a/fs/exec.c b/fs/exec.c
> index 30735ce1dc0e..2b708629dcd6 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -139,8 +139,13 @@ SYSCALL_DEFINE1(uselib, const char __user *, library)
>  	if (IS_ERR(file))
>  		goto out;
>  
> +	/*
> +	 * may_open() has already checked for this, so it should be
> +	 * impossible to trip now. But we need to be extra cautious
> +	 * and check again at the very end too.
> +	 */
>  	error = -EACCES;
> -	if (!S_ISREG(file_inode(file)->i_mode))
> +	if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)))
>  		goto exit;
>  
>  	if (path_noexec(&file->f_path))
> @@ -860,8 +865,13 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags)
>  	if (IS_ERR(file))
>  		goto out;
>  
> +	/*
> +	 * may_open() has already checked for this, so it should be
> +	 * impossible to trip now. But we need to be extra cautious
> +	 * and check again at the very end too.
> +	 */
>  	err = -EACCES;
> -	if (!S_ISREG(file_inode(file)->i_mode))
> +	if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)))
>  		goto exit;
>  
>  	if (path_noexec(&file->f_path))
> diff --git a/fs/namei.c b/fs/namei.c
> index a320371899cf..0a759b68d66e 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -2835,16 +2835,18 @@ static int may_open(const struct path *path, int acc_mode, int flag)
>  	case S_IFLNK:
>  		return -ELOOP;
>  	case S_IFDIR:
> -		if (acc_mode & MAY_WRITE)
> +		if (acc_mode & (MAY_WRITE | MAY_EXEC))
>  			return -EISDIR;

This seems to change (break?) the behaviour of syscalls such as execv,
which can now return -EISDIR, whereas the existing behaviour was to
return -EACCES. The man page never hints at the possibility of -EISDIR
being returned, making it feel like a regression.

POSIX (FWIW) also says:

<quote>
[EACCES]
    The new process image file is not a regular file and the
    implementation does not support execution of files of its type.
</quote>

This has been picked up by the Bionic test suite[1], but can just as
easily be reproduced with the following snippet:

$ cat x.c
#include <unistd.h>
#include <stdio.h>
int main(int argc, char *argv[])
{
	execv("/", NULL);
	perror("execv");
	return 0;
}

Before this patch:
$ ./x
execv: Permission denied

After this patch:
$ ./x
execv: Is a directory


Thanks,

	M.

[1] https://android.googlesource.com/platform/bionic/+/master/tests/unistd_test.cpp#1346
-- 
Jazz is not dead. It just smells funny...

Re: [PATCH v2 2/3] exec: Move S_ISREG() check earlier

[Kees Cook]

On Thu, Aug 13, 2020 at 03:13:05PM +0100, Marc Zyngier wrote:
> On Fri,  5 Jun 2020 09:00:12 -0700
> Kees Cook <keescook@chromium.org> wrote:
> 
> Hi Kees,
> 
> > The execve(2)/uselib(2) syscalls have always rejected non-regular
> > files. Recently, it was noticed that a deadlock was introduced when trying
> > to execute pipes, as the S_ISREG() test was happening too late. This was
> > fixed in commit 73601ea5b7b1 ("fs/open.c: allow opening only regular files
> > during execve()"), but it was added after inode_permission() had already
> > run, which meant LSMs could see bogus attempts to execute non-regular
> > files.
> > 
> > Move the test into the other inode type checks (which already look
> > for other pathological conditions[1]). Since there is no need to use
> > FMODE_EXEC while we still have access to "acc_mode", also switch the
> > test to MAY_EXEC.
> > 
> > Also include a comment with the redundant S_ISREG() checks at the end of
> > execve(2)/uselib(2) to note that they are present to avoid any mistakes.
> > 
> > My notes on the call path, and related arguments, checks, etc:
> > 
> > do_open_execat()
> >     struct open_flags open_exec_flags = {
> >         .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
> >         .acc_mode = MAY_EXEC,
> >         ...
> >     do_filp_open(dfd, filename, open_flags)
> >         path_openat(nameidata, open_flags, flags)
> >             file = alloc_empty_file(open_flags, current_cred());
> >             do_open(nameidata, file, open_flags)
> >                 may_open(path, acc_mode, open_flag)
> > 		    /* new location of MAY_EXEC vs S_ISREG() test */
> >                     inode_permission(inode, MAY_OPEN | acc_mode)
> >                         security_inode_permission(inode, acc_mode)
> >                 vfs_open(path, file)
> >                     do_dentry_open(file, path->dentry->d_inode, open)
> >                         /* old location of FMODE_EXEC vs S_ISREG() test */
> >                         security_file_open(f)
> >                         open()
> > 
> > [1] https://lore.kernel.org/lkml/202006041910.9EF0C602@keescook/
> > 
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> >  fs/exec.c  | 14 ++++++++++++--
> >  fs/namei.c |  6 ++++--
> >  fs/open.c  |  6 ------
> >  3 files changed, 16 insertions(+), 10 deletions(-)
> > 
> > diff --git a/fs/exec.c b/fs/exec.c
> > index 30735ce1dc0e..2b708629dcd6 100644
> > --- a/fs/exec.c
> > +++ b/fs/exec.c
> > @@ -139,8 +139,13 @@ SYSCALL_DEFINE1(uselib, const char __user *, library)
> >  	if (IS_ERR(file))
> >  		goto out;
> >  
> > +	/*
> > +	 * may_open() has already checked for this, so it should be
> > +	 * impossible to trip now. But we need to be extra cautious
> > +	 * and check again at the very end too.
> > +	 */
> >  	error = -EACCES;
> > -	if (!S_ISREG(file_inode(file)->i_mode))
> > +	if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)))
> >  		goto exit;
> >  
> >  	if (path_noexec(&file->f_path))
> > @@ -860,8 +865,13 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags)
> >  	if (IS_ERR(file))
> >  		goto out;
> >  
> > +	/*
> > +	 * may_open() has already checked for this, so it should be
> > +	 * impossible to trip now. But we need to be extra cautious
> > +	 * and check again at the very end too.
> > +	 */
> >  	err = -EACCES;
> > -	if (!S_ISREG(file_inode(file)->i_mode))
> > +	if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)))
> >  		goto exit;
> >  
> >  	if (path_noexec(&file->f_path))
> > diff --git a/fs/namei.c b/fs/namei.c
> > index a320371899cf..0a759b68d66e 100644
> > --- a/fs/namei.c
> > +++ b/fs/namei.c
> > @@ -2835,16 +2835,18 @@ static int may_open(const struct path *path, int acc_mode, int flag)
> >  	case S_IFLNK:
> >  		return -ELOOP;
> >  	case S_IFDIR:
> > -		if (acc_mode & MAY_WRITE)
> > +		if (acc_mode & (MAY_WRITE | MAY_EXEC))
> >  			return -EISDIR;
> 
> This seems to change (break?) the behaviour of syscalls such as execv,
> which can now return -EISDIR, whereas the existing behaviour was to
> return -EACCES. The man page never hints at the possibility of -EISDIR
> being returned, making it feel like a regression.
> 
> POSIX (FWIW) also says:
> 
> <quote>
> [EACCES]
>     The new process image file is not a regular file and the
>     implementation does not support execution of files of its type.
> </quote>
> 
> This has been picked up by the Bionic test suite[1], but can just as
> easily be reproduced with the following snippet:
> 
> $ cat x.c
> #include <unistd.h>
> #include <stdio.h>
> int main(int argc, char *argv[])
> {
> 	execv("/", NULL);
> 	perror("execv");
> 	return 0;
> }
> 
> Before this patch:
> $ ./x
> execv: Permission denied
> 
> After this patch:
> $ ./x
> execv: Is a directory

That's a good point, yes. I will submit a fix for this.

-- 
Kees Cook