From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAD_ENC_HEADER,BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A4462C433DF for ; Tue, 11 Aug 2020 19:31:56 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id CEFC6206B2 for ; Tue, 11 Aug 2020 19:31:55 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org CEFC6206B2 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=xmission.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kernel-hardening-return-19601-kernel-hardening=archiver.kernel.org@lists.openwall.com Received: (qmail 7495 invoked by uid 550); 11 Aug 2020 19:31:49 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Received: (qmail 7475 invoked from network); 11 Aug 2020 19:31:48 -0000 From: ebiederm@xmission.com (Eric W. Biederman) To: =?utf-8?Q?Micka=C3=ABl_Sala=C3=BCn?= Cc: linux-kernel@vger.kernel.org, Aleksa Sarai , Alexei Starovoitov , Al Viro , Andrew Morton , Andy Lutomirski , Christian Brauner , Christian Heimes , Daniel Borkmann , Deven Bowers , Dmitry Vyukov , Eric Biggers , Eric Chiang , Florian Weimer , James Morris , Jan Kara , Jann Horn , Jonathan Corbet , Kees Cook , Lakshmi Ramasubramanian , Matthew Garrett , Matthew Wilcox , Michael Kerrisk , Mimi Zohar , Philippe =?utf-8?Q?Tr=C3=A9buchet?= , Scott Shell , Sean Christopherson , Shuah Khan , Steve Dower , Steve Grubb , Tetsuo Handa , Thibaut Sautereau , Vincent Strubel , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org References: <20200723171227.446711-1-mic@digikod.net> <20200723171227.446711-3-mic@digikod.net> Date: Tue, 11 Aug 2020 14:27:54 -0500 In-Reply-To: <20200723171227.446711-3-mic@digikod.net> (=?utf-8?Q?=22Micka?= =?utf-8?Q?=C3=ABl_Sala=C3=BCn=22's?= message of "Thu, 23 Jul 2020 19:12:22 +0200") Message-ID: <87o8nhm18l.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-XM-SPF: eid=1k5ZzU-00036t-PY;;;mid=<87o8nhm18l.fsf@x220.int.ebiederm.org>;;;hst=in01.mta.xmission.com;;;ip=68.227.160.95;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX19o313fM1rdJpFj27lRA/GiywQHoqdRBk0= X-SA-Exim-Connect-IP: 68.227.160.95 X-SA-Exim-Mail-From: ebiederm@xmission.com Subject: Re: [PATCH v7 2/7] exec: Move S_ISREG() check earlier X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Micka=C3=ABl Sala=C3=BCn writes: > From: Kees Cook > > The execve(2)/uselib(2) syscalls have always rejected non-regular > files. Recently, it was noticed that a deadlock was introduced when trying > to execute pipes, as the S_ISREG() test was happening too late. This was > fixed in commit 73601ea5b7b1 ("fs/open.c: allow opening only regular files > during execve()"), but it was added after inode_permission() had already > run, which meant LSMs could see bogus attempts to execute non-regular > files. > > Move the test into the other inode type checks (which already look > for other pathological conditions[1]). Since there is no need to use > FMODE_EXEC while we still have access to "acc_mode", also switch the > test to MAY_EXEC. > > Also include a comment with the redundant S_ISREG() checks at the end of > execve(2)/uselib(2) to note that they are present to avoid any mistakes. The comment is: > + /* > + * may_open() has already checked for this, so it should be > + * impossible to trip now. But we need to be extra cautious > + * and check again at the very end too. > + */ Those comments scare me. Why do you need to be extra cautious? How can the file type possibly change between may_open and anywhere? The type of a file is immutable after it's creation. If the comment said check just in case something went wrong with code maintenance I could understand but that isn't what the comment says. Also the fallthrough change below really should be broken out into it's own change. > My notes on the call path, and related arguments, checks, etc: > > do_open_execat() > struct open_flags open_exec_flags =3D { > .open_flag =3D O_LARGEFILE | O_RDONLY | __FMODE_EXEC, > .acc_mode =3D MAY_EXEC, > ... > do_filp_open(dfd, filename, open_flags) > path_openat(nameidata, open_flags, flags) > file =3D alloc_empty_file(open_flags, current_cred()); > do_open(nameidata, file, open_flags) > may_open(path, acc_mode, open_flag) > /* new location of MAY_EXEC vs S_ISREG() test */ > inode_permission(inode, MAY_OPEN | acc_mode) > security_inode_permission(inode, acc_mode) > vfs_open(path, file) > do_dentry_open(file, path->dentry->d_inode, open) > /* old location of FMODE_EXEC vs S_ISREG() test */ > security_file_open(f) > open() > > [1] https://lore.kernel.org/lkml/202006041910.9EF0C602@keescook/ > > Signed-off-by: Micka=C3=ABl Sala=C3=BCn > Signed-off-by: Kees Cook > Link: https://lore.kernel.org/r/20200605160013.3954297-3-keescook@chromiu= m.org > --- > fs/exec.c | 14 ++++++++++++-- > fs/namei.c | 6 ++++-- > fs/open.c | 6 ------ > 3 files changed, 16 insertions(+), 10 deletions(-) > > diff --git a/fs/exec.c b/fs/exec.c > index d7c937044d10..bdc6a6eb5dce 100644 > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -141,8 +141,13 @@ SYSCALL_DEFINE1(uselib, const char __user *, library) > if (IS_ERR(file)) > goto out; >=20=20 > + /* > + * may_open() has already checked for this, so it should be > + * impossible to trip now. But we need to be extra cautious > + * and check again at the very end too. > + */ > error =3D -EACCES; > - if (!S_ISREG(file_inode(file)->i_mode)) > + if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode))) > goto exit; >=20=20 > if (path_noexec(&file->f_path)) > @@ -886,8 +891,13 @@ static struct file *do_open_execat(int fd, struct fi= lename *name, int flags) > if (IS_ERR(file)) > goto out; >=20=20 > + /* > + * may_open() has already checked for this, so it should be > + * impossible to trip now. But we need to be extra cautious > + * and check again at the very end too. > + */ > err =3D -EACCES; > - if (!S_ISREG(file_inode(file)->i_mode)) > + if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode))) > goto exit; > > if (path_noexec(&file->f_path)) > diff --git a/fs/namei.c b/fs/namei.c > index 72d4219c93ac..a559ad943970 100644 > --- a/fs/namei.c > +++ b/fs/namei.c > @@ -2849,16 +2849,18 @@ static int may_open(const struct path *path, int = acc_mode, int flag) > case S_IFLNK: > return -ELOOP; > case S_IFDIR: > - if (acc_mode & MAY_WRITE) > + if (acc_mode & (MAY_WRITE | MAY_EXEC)) > return -EISDIR; > break; > case S_IFBLK: > case S_IFCHR: > if (!may_open_dev(path)) > return -EACCES; > - /*FALLTHRU*/ > + fallthrough; ^^^^^^^^^^^ That is an unrelated change and should be sent separately. > case S_IFIFO: > case S_IFSOCK: > + if (acc_mode & MAY_EXEC) > + return -EACCES; > flag &=3D ~O_TRUNC; > break; > } > diff --git a/fs/open.c b/fs/open.c > index 6cd48a61cda3..623b7506a6db 100644 > --- a/fs/open.c > +++ b/fs/open.c > @@ -784,12 +784,6 @@ static int do_dentry_open(struct file *f, > return 0; > } >=20=20 > - /* Any file opened for execve()/uselib() has to be a regular file. */ > - if (unlikely(f->f_flags & FMODE_EXEC && !S_ISREG(inode->i_mode))) { > - error =3D -EACCES; > - goto cleanup_file; > - } > - > if (f->f_mode & FMODE_WRITE && !special_file(inode->i_mode)) { > error =3D get_write_access(inode); > if (unlikely(error))