Linux-mm Archive on lore.kernel.org
 help / color / Atom feed
From: Otto Ebeling <otto.ebeling@iki.fi>
To: linux-mm@kvack.org
Cc: Christoph Lameter <clameter@sgi.com>
Subject: [PATCH] Unify migrate_pages and move_pages access checks
Date: Sun, 1 Oct 2017 18:33:39 +0300 (EEST)
Message-ID: <alpine.DEB.2.11.1710011830320.6333@lakka.kapsi.fi> (raw)

Commit 197e7e521384a23b9e585178f3f11c9fa08274b9 ("Sanitize 'move_pages()'
permission checks") fixed a security issue I reported in the move_pages
syscall, and made it so that you can't act on set-uid processes unless
you have the CAP_SYS_PTRACE capability.

Unify the access check logic of migrate_pages to match the new
behavior of move_pages. We discussed this a bit in the security@ list
and thought it'd be good for consistency even though there's no evident
security impact. The NUMA node access checks are left intact and require
CAP_SYS_NICE as before.

Signed-off-by: Otto Ebeling <otto.ebeling@iki.fi>

---
  mm/mempolicy.c | 11 +++--------
  1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 006ba62..abfe469 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -98,6 +98,7 @@
  #include <linux/mmu_notifier.h>
  #include <linux/printk.h>
  #include <linux/swapops.h>
+#include <linux/ptrace.h>

  #include <asm/tlbflush.h>
  #include <linux/uaccess.h>
@@ -1365,7 +1366,6 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned 
long, maxnode,
  		const unsigned long __user *, old_nodes,
  		const unsigned long __user *, new_nodes)
  {
-	const struct cred *cred = current_cred(), *tcred;
  	struct mm_struct *mm = NULL;
  	struct task_struct *task;
  	nodemask_t task_nodes;
@@ -1402,14 +1402,9 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned 
long, maxnode,

  	/*
  	 * Check if this process has the right to modify the specified
-	 * process. The right exists if the process has administrative
-	 * capabilities, superuser privileges or the same
-	 * userid as the target process.
+	 * process. Use the regular "ptrace_may_access()" checks.
  	 */
-	tcred = __task_cred(task);
-	if (!uid_eq(cred->euid, tcred->suid) && !uid_eq(cred->euid, 
tcred->uid) &&
-	    !uid_eq(cred->uid,  tcred->suid) && !uid_eq(cred->uid, 
tcred->uid) &&
-	    !capable(CAP_SYS_NICE)) {
+	if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) {
  		rcu_read_unlock();
  		err = -EPERM;
  		goto out_put;
-- 
2.1.4

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

             reply index

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-10-01 15:33 Otto Ebeling [this message]
2017-10-04 14:00 ` Michal Hocko

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alpine.DEB.2.11.1710011830320.6333@lakka.kapsi.fi \
    --to=otto.ebeling@iki.fi \
    --cc=clameter@sgi.com \
    --cc=linux-mm@kvack.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-mm Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-mm/0 linux-mm/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-mm linux-mm/ https://lore.kernel.org/linux-mm \
		linux-mm@kvack.org
	public-inbox-index linux-mm

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kvack.linux-mm


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git