From: Paul Moore <paul@paul-moore.com>
To: Kees Cook <keescook@chromium.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
"Yan, Zheng" <zyan@redhat.com>, Sage Weil <sage@redhat.com>,
Ilya Dryomov <idryomov@gmail.com>,
Steve French <sfrench@samba.org>, Jan Kara <jack@suse.com>,
Andreas Dilger <adilger.kernel@dilger.ca>,
"Theodore Ts'o" <tytso@mit.edu>,
Steven Whitehouse <swhiteho@redhat.com>,
Bob Peterson <rpeterso@redhat.com>, Jeff Dike <jdike@addtoit.com>,
Richard Weinberger <richard@nod.at>,
Mark Fasheh <mfasheh@suse.com>, Joel Becker <jlbec@evilplan.org>,
Miklos Szeredi <miklos@szeredi.hu>,
Dave Chinner <david@fromorbit.com>,
xfs@oss.sgi.com, Tejun Heo <tj@kernel.org>,
Li Zefan <lizefan@huawei.com>,
Johannes Weiner <hannes@cmpxchg.org>,
"David S. Miller" <davem@davemloft.net>,
Stephen Smalley <sds@tycho.nsa.gov>,
Eric Paris <eparis@parisplace.org>,
James Morris <james.l.morris@oracle.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Jens Axboe
Subject: Re: [PATCH] fs: create and use seq_show_option for escaping
Date: Mon, 10 Aug 2015 17:12:18 -0400 [thread overview]
Message-ID: <1643551.Z65F38WpRq@sifl> (raw)
In-Reply-To: <20150807234150.GA11735@www.outflux.net>
On Friday, August 07, 2015 04:41:50 PM Kees Cook wrote:
> Many file systems that implement the show_options hook fail to correctly
> escape their output which could lead to unescaped characters (e.g. new
> lines) leaking into /proc/mounts and /proc/[pid]/mountinfo files. This
> could lead to confusion, spoofed entries (resulting in things like
> systemd issuing false d-bus "mount" notifications), and who knows
> what else. This looks like it would only be the root user stepping on
> themselves, but it's possible weird things could happen in containers
> or in other situations with delegated mount privileges.
>
> Here's an example using overlay with setuid fusermount trusting the
> contents of /proc/mounts (via the /etc/mtab symlink). Imagine the use of
> "sudo" is something more sneaky:
>
> $ BASE="ovl"
> $ MNT="$BASE/mnt"
> $ LOW="$BASE/lower"
> $ UP="$BASE/upper"
> $ WORK="$BASE/work/ 0 0
> none /proc fuse.pwn user_id=1000"
> $ mkdir -p "$LOW" "$UP" "$WORK"
> $ sudo mount -t overlay -o "lowerdir=$LOW,upperdir=$UP,workdir=$WORK" none
> /mnt $ cat /proc/mounts
> none /root/ovl/mnt overlay
> rw,relatime,lowerdir=ovl/lower,upperdir=ovl/upper,workdir=ovl/work/ 0 0
> none /proc fuse.pwn user_id=1000 0 0
> $ fusermount -u /proc
> $ cat /proc/mounts
> cat: /proc/mounts: No such file or directory
>
> This fixes the problem by adding new seq_show_option and seq_show_option_n
> helpers, and updating the vulnerable show_option handlers to use them as
> needed. Some, like SELinux, need to be open coded due to unusual existing
> escape mechanisms.
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Cc: stable@vger.kernel.org
> ---
> fs/ceph/super.c | 2 +-
> fs/cifs/cifsfs.c | 6 +++---
> fs/ext3/super.c | 4 ++--
> fs/ext4/super.c | 4 ++--
> fs/gfs2/super.c | 6 +++---
> fs/hfs/super.c | 4 ++--
> fs/hfsplus/options.c | 4 ++--
> fs/hostfs/hostfs_kern.c | 2 +-
> fs/ocfs2/super.c | 4 ++--
> fs/overlayfs/super.c | 6 +++---
> fs/reiserfs/super.c | 8 +++++---
> fs/xfs/xfs_super.c | 4 ++--
> include/linux/seq_file.h | 34 ++++++++++++++++++++++++++++++++++
> kernel/cgroup.c | 7 ++++---
> net/ceph/ceph_common.c | 7 +++++--
> security/selinux/hooks.c | 2 +-
> 16 files changed, 72 insertions(+), 32 deletions(-)
The SELinux changes look fine to me.
Acked-by: Paul Moore <paul@paul-moore.com>
--
paul moore
www.paul-moore.com
prev parent reply other threads:[~2015-08-10 21:12 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-07 23:41 [PATCH] fs: create and use seq_show_option for escaping Kees Cook
2015-08-07 23:56 ` Kees Cook
2015-08-08 1:33 ` Serge E. Hallyn
2015-08-08 16:41 ` J. R. Okajima
2015-08-08 19:31 ` Kees Cook
2015-08-10 13:44 ` Jan Kara
2015-08-10 21:12 ` Paul Moore [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1643551.Z65F38WpRq@sifl \
--to=paul@paul-moore.com \
--cc=adilger.kernel@dilger.ca \
--cc=akpm@linux-foundation.org \
--cc=davem@davemloft.net \
--cc=david@fromorbit.com \
--cc=eparis@parisplace.org \
--cc=hannes@cmpxchg.org \
--cc=idryomov@gmail.com \
--cc=jack@suse.com \
--cc=james.l.morris@oracle.com \
--cc=jdike@addtoit.com \
--cc=jlbec@evilplan.org \
--cc=keescook@chromium.org \
--cc=lizefan@huawei.com \
--cc=mfasheh@suse.com \
--cc=miklos@szeredi.hu \
--cc=richard@nod.at \
--cc=rpeterso@redhat.com \
--cc=sage@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=serge@hallyn.com \
--cc=sfrench@samba.org \
--cc=swhiteho@redhat.com \
--cc=tj@kernel.org \
--cc=tytso@mit.edu \
--cc=xfs@oss.sgi.com \
--cc=zyan@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).