From: Christian Brauner <christian@brauner.io>
To: Aleksa Sarai <cyphar@cyphar.com>
Cc: Jann Horn <jannh@google.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
jlayton@kernel.org, Bruce Fields <bfields@fieldses.org>,
Al Viro <viro@zeniv.linux.org.uk>, Arnd Bergmann <arnd@arndb.de>,
shuah@kernel.org, David Howells <dhowells@redhat.com>,
Andy Lutomirski <luto@kernel.org>,
Tycho Andersen <tycho@tycho.ws>,
kernel list <linux-kernel@vger.kernel.org>,
linux-fsdevel@vger.kernel.org,
linux-arch <linux-arch@vger.kernel.org>,
linux-kselftest@vger.kernel.org, dev@opencontainers.org,
containers@lists.linux-foundation.org,
Linux API <linux-api@vger.kernel.org>
Subject: Re: [PATCH 2/3] namei: implement AT_THIS_ROOT chroot-like path resolution
Date: Thu, 4 Oct 2018 19:31:22 +0200 [thread overview]
Message-ID: <20181004173121.e6tfwd6nc2geuv5c@brauner.io> (raw)
In-Reply-To: <20181004162611.vdlujbdguvagalpt@ryuk>
On Fri, Oct 05, 2018 at 02:26:11AM +1000, Aleksa Sarai wrote:
> On 2018-09-29, Jann Horn <jannh@google.com> wrote:
> > You attempt to open "C/../../etc/passwd" under the root "/A/B".
> > Something else concurrently moves /A/B/C to /A/C. This can result in
> > the following:
> >
> > 1. You start the path walk and reach /A/B/C.
> > 2. The other process moves /A/B/C to /A/C. Your path walk is now at /A/C.
> > 3. Your path walk follows the first ".." up into /A. This is outside
> > the process root, but you never actually encountered the process root,
> > so you don't notice.
> > 4. Your path walk follows the second ".." up to /. Again, this is
> > outside the process root, but you don't notice.
> > 5. Your path walk walks down to /etc/passwd, and the open completes
> > successfully. You now have an fd pointing outside your chroot.
>
> I've been playing with this and I have the following patch, which
> according to my testing protects against attacks where ".." skips over
> nd->root. It abuses __d_path to figure out if nd->path can be resolved
> from nd->root (obviously a proper version of this patch would refactor
> __d_path so it could be used like this -- and would not return
> -EMULTIHOP).
>
> I've also attached my reproducer. With it, I was seeing fairly constant
> breakouts before this patch and after it I didn't see a single breakout
> after running it overnight. Obviously this is not conclusive, but I'm
> hoping that it can show what my idea for protecting against ".." was.
>
> Does this patch make sense? Or is there something wrong with it that I'm
> not seeing?
Interesting.
Apart from the abuse of __d_path() :) the question I'd have is whether
this just minimizes the race window or if you can provide a sound
argument that this actually can't happen anymore with this patch.
>
> --8<-------------------------------------------------------------------
>
> There is a fairly easy-to-exploit race condition with chroot(2) (and
> thus by extension AT_THIS_ROOT and AT_BENEATH) where a rename(2) of a
> path can be used to "skip over" nd->root and thus escape to the
> filesystem above nd->root.
>
> thread1 [attacker]:
> for (;;)
> renameat2(AT_FDCWD, "/a/b/c", AT_FDCWD, "/a/d", RENAME_EXCHANGE);
> thread2 [victim]:
> for (;;)
> openat(dirb, "b/c/../../etc/shadow", O_THISROOT);
>
> With fairly significant regularity, thread2 will resolve to
> "/etc/shadow" rather than "/a/b/etc/shadow". With this patch, such cases
> will be detected during ".." resolution (which is the weak point of
> chroot(2) -- since walking *into* a subdirectory tautologically cannot
> result in you walking *outside* nd->root).
>
> The use of __d_path here might seem suspect, however we don't mind if a
> path is moved from within the chroot to outside the chroot and we
> incorrectly decide it is safe (because at that point we are still within
> the set of files which were accessible at the beginning of resolution).
> However, we can fail resolution on the next path component if it remains
> outside of the root. A path which has always been outside nd->root
> during resolution will never be resolveable from nd->root and thus will
> always be blocked.
>
> DO NOT MERGE: Currently this code returns -EMULTIHOP in this case,
> purely as a debugging measure (so that you can see that
> the protection actually does something). Obviously in the
> proper patch this will return -EXDEV.
>
> Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
> ---
> fs/namei.c | 32 ++++++++++++++++++++++++++++++--
> 1 file changed, 30 insertions(+), 2 deletions(-)
>
> diff --git a/fs/namei.c b/fs/namei.c
> index 6f995e6de6b1..c8349693d47b 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -53,8 +53,8 @@
> * The new code replaces the old recursive symlink resolution with
> * an iterative one (in case of non-nested symlink chains). It does
> * this with calls to <fs>_follow_link().
> - * As a side effect, dir_namei(), _namei() and follow_link() are now
> - * replaced with a single function lookup_dentry() that can handle all
> + * As a side effect, dir_namei(), _namei() and follow_link() are now
> + * replaced with a single function lookup_dentry() that can handle all
> * the special cases of the former code.
> *
> * With the new dcache, the pathname is stored at each inode, at least as
> @@ -1375,6 +1375,20 @@ static int follow_dotdot_rcu(struct nameidata *nd)
> return -EXDEV;
> break;
> }
> + if (unlikely(nd->flags & (LOOKUP_BENEATH | LOOKUP_CHROOT))) {
> + char *pathbuf, *pathptr;
> +
> + pathbuf = kmalloc(PATH_MAX, GFP_ATOMIC);
> + if (!pathbuf)
> + return -ECHILD;
> + pathptr = __d_path(&nd->path, &nd->root, pathbuf, PATH_MAX);
> + kfree(pathbuf);
> + if (IS_ERR_OR_NULL(pathptr)) {
> + if (!pathptr)
> + pathptr = ERR_PTR(-EMULTIHOP);
> + return PTR_ERR(pathptr);
> + }
> + }
> if (nd->path.dentry != nd->path.mnt->mnt_root) {
> struct dentry *old = nd->path.dentry;
> struct dentry *parent = old->d_parent;
> @@ -1510,6 +1524,20 @@ static int follow_dotdot(struct nameidata *nd)
> return -EXDEV;
> break;
> }
> + if (unlikely(nd->flags & (LOOKUP_BENEATH | LOOKUP_CHROOT))) {
> + char *pathbuf, *pathptr;
> +
> + pathbuf = kmalloc(PATH_MAX, GFP_KERNEL);
> + if (!pathbuf)
> + return -ENOMEM;
> + pathptr = __d_path(&nd->path, &nd->root, pathbuf, PATH_MAX);
> + kfree(pathbuf);
> + if (IS_ERR_OR_NULL(pathptr)) {
> + if (!pathptr)
> + pathptr = ERR_PTR(-EMULTIHOP);
> + return PTR_ERR(pathptr);
> + }
> + }
> if (nd->path.dentry != nd->path.mnt->mnt_root) {
> int ret = path_parent_directory(&nd->path);
> if (ret)
> --
> 2.19.0
>
> --
> Aleksa Sarai
> Senior Software Engineer (Containers)
> SUSE Linux GmbH
> <https://www.cyphar.com/>
next prev parent reply other threads:[~2018-10-05 0:25 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-29 10:34 [PATCH 0/3] namei: implement various scoping AT_* flags Aleksa Sarai
2018-09-29 10:34 ` [PATCH 1/3] namei: implement O_BENEATH-style " Aleksa Sarai
2018-09-29 14:48 ` Christian Brauner
2018-09-29 15:34 ` Aleksa Sarai
2018-09-30 4:38 ` Aleksa Sarai
2018-10-01 12:28 ` Jann Horn
2018-10-01 13:00 ` Christian Brauner
2018-10-01 16:04 ` Aleksa Sarai
2018-10-04 17:20 ` Christian Brauner
2018-09-29 13:15 ` [PATCH 2/3] namei: implement AT_THIS_ROOT chroot-like path resolution Aleksa Sarai
2018-09-29 13:15 ` [PATCH 3/3] selftests: vfs: add AT_* path resolution tests Aleksa Sarai
2018-09-29 16:35 ` [PATCH 2/3] namei: implement AT_THIS_ROOT chroot-like path resolution Jann Horn
2018-09-29 17:25 ` Andy Lutomirski
2018-10-01 9:46 ` Aleksa Sarai
2018-10-01 5:44 ` Aleksa Sarai
2018-10-01 10:13 ` Jann Horn
2018-10-01 16:18 ` Aleksa Sarai
2018-10-04 17:27 ` Christian Brauner
2018-10-01 10:42 ` Christian Brauner
2018-10-01 11:29 ` Jann Horn
2018-10-01 12:35 ` Christian Brauner
2018-10-01 13:55 ` Bruce Fields
2018-10-01 14:28 ` Andy Lutomirski
2018-10-02 7:32 ` Aleksa Sarai
2018-10-03 22:09 ` Andy Lutomirski
2018-10-06 20:56 ` Florian Weimer
2018-10-06 21:49 ` Christian Brauner
2018-10-01 14:00 ` Christian Brauner
2018-10-04 16:26 ` Aleksa Sarai
2018-10-04 17:31 ` Christian Brauner [this message]
2018-10-04 18:26 ` Jann Horn
2018-10-05 15:07 ` Aleksa Sarai
2018-10-05 15:55 ` Jann Horn
2018-10-06 2:10 ` Aleksa Sarai
2018-10-08 10:50 ` Jann Horn
2018-09-29 14:25 ` [PATCH 0/3] namei: implement various scoping AT_* flags Andy Lutomirski
2018-09-29 15:45 ` Aleksa Sarai
2018-09-29 16:34 ` Andy Lutomirski
2018-09-29 19:44 ` Matthew Wilcox
2018-09-29 14:38 ` Christian Brauner
2018-09-30 4:44 ` Aleksa Sarai
2018-09-30 13:54 ` Alban Crequy
2018-09-30 14:02 ` Christian Brauner
2018-09-30 19:45 ` Mickaël Salaün
2018-09-30 21:46 ` Jann Horn
2018-09-30 22:37 ` Mickaël Salaün
2018-10-01 20:14 ` James Morris
2018-10-01 4:08 ` Dave Chinner
2018-10-01 5:47 ` Aleksa Sarai
2018-10-01 6:14 ` Dave Chinner
2018-10-01 13:28 ` David Laight
2018-10-01 16:15 ` Aleksa Sarai
2018-10-03 13:21 ` David Laight
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181004173121.e6tfwd6nc2geuv5c@brauner.io \
--to=christian@brauner.io \
--cc=arnd@arndb.de \
--cc=bfields@fieldses.org \
--cc=containers@lists.linux-foundation.org \
--cc=cyphar@cyphar.com \
--cc=dev@opencontainers.org \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=jannh@google.com \
--cc=jlayton@kernel.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=luto@kernel.org \
--cc=shuah@kernel.org \
--cc=tycho@tycho.ws \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).