linux-kernel.vger.kernel.org archive mirror
* [PATCH] fs/binfmt: Changed order of elf and misc to prevent privilege escalation
@ 2019-06-17 18:58 Carmeli Tamir
From: Carmeli Tamir @ 2019-06-17 18:58 UTC (permalink / raw)
  To: viro, carmeli.tamir, linux-fsdevel, linux-kernel

The misc format handler is configured to work in many boards
and distributions, exposing a vulnerability that enables an
attacker with temporary root access to configure the system
to gain hidden persistent root access. This can be easily
demonstrated using https://github.com/toffan/binfmt_misc .

According to binfmt_misc documentation 
(https://lwn.net/Articles/679310/), the handler is used
to execute more binary formats, e.g. execs compiled
for different architectures. After this patch, every 
mentioned example in the documentation shall work.

I tested this patch using a "positive example" - running
an ARM executable on an x86 machine using a qemu-arm misc
handler, and a "negative example" of running the demonstration
by toffan I mention above. Before the patch both examples
work, and after the patch only the positive example works
where the vulnerability is prevented.

Signed-off-by: Carmeli Tamir <carmeli.tamir@gmail.com>
---
 fs/binfmt_elf.c  | 2 +-
 fs/binfmt_misc.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index d4e11b2e04f6..3a2afe84943c 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -2411,7 +2411,7 @@ static int elf_core_dump(struct coredump_params *cprm)
 
 static int __init init_elf_binfmt(void)
 {
-	register_binfmt(&elf_format);
+	insert_binfmt(&elf_format);
 	return 0;
 }
 
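Review bot: in init_elf_binfmt(), the new insert_binfmt(&elf_format) call has no comment explaining that ELF is deliberately placed at the head of the format list so that binfmt_misc rules cannot shadow native binaries; without one, a later cleanup can restore register_binfmt() and silently undo the fix. Please add a short comment above the call, and say in the changelog whether the ordering still holds if some other handler calls insert_binfmt() after this one has run.
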
diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
index b8e145552ec7..f4a9e1154cae 100644
--- a/fs/binfmt_misc.c
+++ b/fs/binfmt_misc.c
@@ -859,7 +859,7 @@ static int __init init_misc_binfmt(void)
 {
 	int err = register_filesystem(&bm_fs_type);
 	if (!err)
-		insert_binfmt(&misc_format);
+		register_binfmt(&misc_format);
 	return err;
 }
 
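Review bot: in init_misc_binfmt(), register_binfmt(&misc_format) appends misc to the tail of the list, so it now sits behind every handler registered before it, not only ELF, and its position relative to the others depends on init order. The changelog covers a single ELF-based rule (qemu-arm); please state whether misc rules that overlap with formats claimed by the other built-in handlers are expected to stop matching, and update the binfmt_misc documentation to describe the new precedence, since this is a user-visible change.
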
-- 
2.21.0



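The ordering argument of the patch above, as an added example that is not part of the original message or of the kernel source: a simplified userspace C model of first-match handler dispatch. `load_elf`, `load_misc`, `who_runs` and the single misc rule are hypothetical stand-ins; `add_tail` and `add_head` model `register_binfmt()` and `insert_binfmt()`.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model, not kernel code. A handler returns its name when it
 * claims the file, or NULL to decline (the kernel's -ENOEXEC). */
enum { EM_ARM = 40, EM_X86_64 = 62 };          /* e_machine values */
struct hdr { unsigned char magic[4]; int machine; };
typedef const char *(*load_fn)(const struct hdr *);

static int is_elf(const struct hdr *h) { return !memcmp(h->magic, "\177ELF", 4); }

/* Native ELF loader: declines ELF files built for another architecture. */
static const char *load_elf(const struct hdr *h)
{
    return is_elf(h) && h->machine == EM_X86_64 ? "elf" : NULL;
}

/* binfmt_misc holding one constructed rule that matches the ELF magic only,
 * so it overlaps with files the native loader would also accept. */
static const char *load_misc(const struct hdr *h) { return is_elf(h) ? "misc" : NULL; }

struct fmts { load_fn fn[4]; int n; };
static void add_tail(struct fmts *l, load_fn f) { l->fn[l->n++] = f; }  /* register_binfmt() */
static void add_head(struct fmts *l, load_fn f)                         /* insert_binfmt() */
{
    memmove(&l->fn[1], &l->fn[0], l->n * sizeof l->fn[0]);
    l->fn[0] = f;
    l->n++;
}

/* Which handler ends up running a file: the first one that does not decline. */
const char *who_runs(int patched, int machine)
{
    struct fmts l = { .n = 0 };
    struct hdr h = { { 0x7f, 'E', 'L', 'F' }, machine };

    if (patched) { add_head(&l, load_elf); add_tail(&l, load_misc); }
    else         { add_tail(&l, load_elf); add_head(&l, load_misc); }
    for (int i = 0; i < l.n; i++) {
        const char *who = l.fn[i](&h);
        if (who)
            return who;
    }
    return "ENOEXEC";
}

int main(void)
{
    printf("before: native=%s arm=%s\n", who_runs(0, EM_X86_64), who_runs(0, EM_ARM));
    printf("after:  native=%s arm=%s\n", who_runs(1, EM_X86_64), who_runs(1, EM_ARM));
    return 0;
}
```

In the model the ARM file reaches the misc handler in both orders, while the native file is claimed by misc only in the pre-patch order.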
* Re: [PATCH] fs/binfmt: Changed order of elf and misc to prevent privilege escalation
  2019-06-17 18:58 [PATCH] fs/binfmt: Changed order of elf and misc to prevent privilege escalation Carmeli Tamir
@ 2019-06-24 16:01 ` Tamir Carmeli
From: Tamir Carmeli @ 2019-06-24 16:01 UTC (permalink / raw)
  To: viro, Tamir Carmeli, linux-fsdevel, linux-kernel

Hi,
I'd appreciate feedback on the patch. Seems like we can solve a stupid
"hiding" technique, more "advanced" than just marking an executable
with suid, that leads to privilege escalation. Please tell me if I
miss something.


On Mon, Jun 17, 2019 at 9:58 PM Carmeli Tamir <carmeli.tamir@gmail.com> wrote:
>
> The misc format handler is configured to work in many boards
> and distributions, exposing a vulnerability that enables an
> attacker with temporary root access to configure the system
> to gain hidden persistent root access. This can be easily
> demonstrated using https://github.com/toffan/binfmt_misc .
>
> According to binfmt_misc documentation
> (https://lwn.net/Articles/679310/), the handler is used
> to execute more binary formats, e.g. execs compiled
> for different architectures. After this patch, every
> mentioned example in the documentation shall work.
>
> I tested this patch using a "positive example" - running
> an ARM executable on an x86 machine using a qemu-arm misc
> handler, and a "negative example" of running the demonstration
> by toffan I mention above. Before the patch both examples
> work, and after the patch only the positive example works
> where the vulnerability is prevented.
>
> Signed-off-by: Carmeli Tamir <carmeli.tamir@gmail.com>
> ---
>  fs/binfmt_elf.c  | 2 +-
>  fs/binfmt_misc.c | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> index d4e11b2e04f6..3a2afe84943c 100644
> --- a/fs/binfmt_elf.c
> +++ b/fs/binfmt_elf.c
> @@ -2411,7 +2411,7 @@ static int elf_core_dump(struct coredump_params *cprm)
>
>  static int __init init_elf_binfmt(void)
>  {
> -       register_binfmt(&elf_format);
> +       insert_binfmt(&elf_format);
>         return 0;
>  }
>
> diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
> index b8e145552ec7..f4a9e1154cae 100644
> --- a/fs/binfmt_misc.c
> +++ b/fs/binfmt_misc.c
> @@ -859,7 +859,7 @@ static int __init init_misc_binfmt(void)
>  {
>         int err = register_filesystem(&bm_fs_type);
>         if (!err)
> -               insert_binfmt(&misc_format);
> +               register_binfmt(&misc_format);
>         return err;
>  }
>
> --
> 2.21.0
>
