From: Kees Cook <keescook@chromium.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Dominik Czarnota <dominik.czarnota@trailofbits.com>,
stable <stable@vger.kernel.org>, Jessica Yu <jeyu@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
Yonghong Song <yhs@fb.com>, Andrii Nakryiko <andriin@fb.com>,
KP Singh <kpsingh@chromium.org>,
"Naveen N. Rao" <naveen.n.rao@linux.ibm.com>,
Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>,
"David S. Miller" <davem@davemloft.net>,
Masami Hiramatsu <mhiramat@kernel.org>,
Jakub Kicinski <kuba@kernel.org>,
"Steven Rostedt (VMware)" <rostedt@goodmis.org>,
Dmitry Safonov <0x7f454c46@gmail.com>,
Will Deacon <will@kernel.org>,
Alexey Dobriyan <adobriyan@gmail.com>,
Marc Zyngier <maz@kernel.org>,
Masahiro Yamada <masahiroy@kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Matteo Croce <mcroce@redhat.com>,
Edward Cree <ecree@solarflare.com>,
Nicolas Dichtel <nicolas.dichtel@6wind.com>,
Alexander Lobakin <alobakin@dlink.ru>,
Thomas Richter <tmricht@linux.ibm.com>,
Ingo Molnar <mingo@kernel.org>, Netdev <netdev@vger.kernel.org>,
bpf <bpf@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 4/5] kprobes: Do not expose probe addresses to non-CAP_SYSLOG
Date: Fri, 3 Jul 2020 08:13:24 -0700 [thread overview]
Message-ID: <202007021815.97C76C192@keescook> (raw)
In-Reply-To: <CAHk-=wiZi-v8Xgu_B3wV0B4RQYngKyPeONdiXNgrHJFU5jbe1w@mail.gmail.com>
On Thu, Jul 02, 2020 at 06:00:17PM -0700, Linus Torvalds wrote:
> On Thu, Jul 2, 2020 at 4:26 PM Kees Cook <keescook@chromium.org> wrote:
> >
> > The kprobe show() functions were using "current"'s creds instead
> > of the file opener's creds for kallsyms visibility. Fix to use
> > seq_file->file->f_cred.
>
> Side note: I have a distinct - but despite that possibly quite
> incorrect - memory that I've discussed with somebody several years ago
> about making "current_cred()" simply warn in any IO context.
>
> IOW, we could have read and write just increment/decrement a
> per-thread counter, and have current_cred() do a WARN_ON_ONCE() if
> it's called with that counter incremented.
That does sound familiar. I can't find a thread on it, but my search
abilities are poor. :) So an increment/decrement in all the IO-related
syscalls, or were you thinking of some other location?
> The issue of ioctl's is a bit less obvious - there are reasons to
> argue those should also use open-time credentials, but on the other
> hand I think it's reasonable to pass a file descriptor to a suid app
> in order for that app to do things that the normal user cannot.
>
> But read/write are dangerous because of the "it's so easy to fool suid
> apps to read/write stdin/stdout".
>
> So pread/pwrite/ioctl/splice etc are things that suid applications
> very much do on purpose to affect a file descriptor. But plain
> read/write are things that might be accidental and used by attack
> vectors.
So probably just start with read/write and tighten it over time, if we
find other clear places, leaving ioctl/pread/pwrite/splice alone.
> If somebody is interested in looking into things like that, it might
> be a good idea to have kernel threads with that counter incremented by
>
> Just throwing this idea out in case somebody wants to try it. It's not
> just "current_cred", of course. It's all the current_cred_xxx() users
> too. But it may be that there are a ton of false positives because
> maybe some code on purpose ends up doing things like just *comparing*
> current_cred with file->f_cred and then that would warn too.
Yeah ... and I think the kthread test should answer that question.
--
Kees Cook
next prev parent reply other threads:[~2020-07-03 15:13 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-02 23:26 [PATCH 0/5] Refactor kallsyms_show_value() users for correct cred Kees Cook
2020-07-02 23:26 ` [PATCH 1/5] kallsyms: Refactor kallsyms_show_value() to take cred Kees Cook
2020-07-10 14:03 ` Sasha Levin
2020-07-10 15:57 ` Kees Cook
2020-07-11 16:07 ` Sasha Levin
2020-07-02 23:26 ` [PATCH 2/5] module: Refactor section attr into bin attribute Kees Cook
2020-07-03 6:02 ` Greg Kroah-Hartman
2020-07-03 15:29 ` Kees Cook
2020-07-08 16:10 ` Jessica Yu
2020-07-02 23:26 ` [PATCH 3/5] module: Do not expose section addresses to non-CAP_SYSLOG Kees Cook
2020-07-08 16:12 ` Jessica Yu
2020-07-02 23:26 ` [PATCH 4/5] kprobes: Do not expose probe " Kees Cook
2020-07-03 1:00 ` Linus Torvalds
2020-07-03 15:13 ` Kees Cook [this message]
2020-07-03 15:50 ` Kees Cook
2020-07-05 20:10 ` Linus Torvalds
2020-07-05 20:19 ` Kees Cook
2020-07-10 14:09 ` Masami Hiramatsu
2020-07-02 23:26 ` [PATCH 5/5] bpf: Check correct cred for CAP_SYSLOG in bpf_dump_raw_ok() Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202007021815.97C76C192@keescook \
--to=keescook@chromium.org \
--cc=0x7f454c46@gmail.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=alobakin@dlink.ru \
--cc=andriin@fb.com \
--cc=anil.s.keshavamurthy@intel.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=dominik.czarnota@trailofbits.com \
--cc=ecree@solarflare.com \
--cc=gregkh@linuxfoundation.org \
--cc=jeyu@kernel.org \
--cc=kafai@fb.com \
--cc=kpsingh@chromium.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=masahiroy@kernel.org \
--cc=maz@kernel.org \
--cc=mcroce@redhat.com \
--cc=mhiramat@kernel.org \
--cc=mingo@kernel.org \
--cc=naveen.n.rao@linux.ibm.com \
--cc=netdev@vger.kernel.org \
--cc=nicolas.dichtel@6wind.com \
--cc=rostedt@goodmis.org \
--cc=songliubraving@fb.com \
--cc=stable@vger.kernel.org \
--cc=tmricht@linux.ibm.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=will@kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.