From: Qi Tang
To: Andrew Morton
Cc: Cyrill Gorcunov, David Hildenbrand, Lorenzo Stoakes, Oleg Nesterov, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Qi Tang
Subject: [PATCH] prctl: require checkpoint_restore_ns_capable for PR_SET_MM_MAP
Date: Thu, 2 Apr 2026 19:13:32 +0800
Message-ID: <20260402111332.55957-1-tpluszz77@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

prctl_set_mm_map() allows modifying all mm_struct boundaries and the saved
auxv vector. The individual field path (PR_SET_MM_START_CODE etc.) correctly
requires CAP_SYS_RESOURCE, but the PR_SET_MM_MAP path dispatches before this
check and has no capability requirement of its own when exe_fd is -1.

This means any unprivileged user on a CONFIG_CHECKPOINT_RESTORE kernel
(nearly all distros) can rewrite mm boundaries including start_brk, brk,
arg_start/end, env_start/end and saved_auxv. Consequences include:

- SELinux PROCESS__EXECHEAP bypass via start_brk manipulation
- procfs info disclosure by pointing arg/env ranges at other memory
- auxv poisoning (AT_SYSINFO_EHDR, AT_BASE, AT_ENTRY)

The original commit f606b77f1a9e ("prctl: PR_SET_MM -- introduce
PR_SET_MM_MAP operation") states "we require the caller to be at least
user-namespace root user", but this was never enforced in the code.

Add a checkpoint_restore_ns_capable() check at the top of
prctl_set_mm_map(), after the PR_SET_MM_MAP_SIZE early return. This
requires CAP_CHECKPOINT_RESTORE or CAP_SYS_ADMIN in the caller's user
namespace, matching the stated design intent and the existing check for
exe_fd changes.

Fixes: f606b77f1a9e ("prctl: PR_SET_MM -- introduce PR_SET_MM_MAP operation")
Cc: stable@vger.kernel.org
Cc: Cyrill Gorcunov
Signed-off-by: Qi Tang
---
 kernel/sys.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/sys.c b/kernel/sys.c
index c86eba9aa7e9..2b8c57f23a35 100644
--- a/kernel/sys.c +++ b/kernel/sys.c @@ -2071,6 +2071,9 @@ static int prctl_set_mm_map(int opt, const void __user *addr, unsigned long data return put_user((unsigned int)sizeof(prctl_map), (unsigned int __user *)addr); + if (!checkpoint_restore_ns_capable(current_user_ns())) + return -EPERM; + if (data_size != sizeof(prctl_map)) return -EINVAL; -- 2.43.0
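Review bot: the new check at the top of prctl_set_mm_map() is stricter than the per-field path the changelog describes, which requires CAP_SYS_RESOURCE: a caller holding CAP_SYS_RESOURCE but neither CAP_CHECKPOINT_RESTORE nor CAP_SYS_ADMIN can still rewrite every boundary one field at a time through PR_SET_MM_START_CODE and friends, yet is now refused the atomic PR_SET_MM_MAP. Either accept both, for example `if (!capable(CAP_SYS_RESOURCE) && !checkpoint_restore_ns_capable(current_user_ns()))`, or say in the changelog why the map path is deliberately the stricter one. Two smaller points on the same hunk: with this check gating the whole function, the existing exe_fd-specific checkpoint_restore_ns_capable() check that the changelog refers to can no longer be reached by an uncapable caller, so it should be removed in this patch or the changelog should state that it is kept on purpose; and because the check now sits before `if (data_size != sizeof(prctl_map))`, an unprivileged caller passing a wrong data_size gets -EPERM where it used to get -EINVAL, which is acceptable but deserves a sentence in the changelog and ideally a kselftest pinning the new order.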
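As an added verification check (not part of the patch and not Qi Tang's code), here is a non-destructive C probe that a kselftest or a distribution QA job could use to confirm the new check is present on a running kernel. It relies only on what the hunk shows: PR_SET_MM_MAP_SIZE is still answered before the capability check, and the capability check now precedes the data_size validation, so an unprivileged caller that passes a deliberately wrong data_size gets EPERM on a patched kernel and EINVAL on an unpatched one, with nothing copied from user space and nothing in the mm modified either way. The enum, the function names and the 512-byte scratch buffer are this example's own; the PR_* fallback values are the uapi constants from linux/prctl.h; it assumes a Linux host and has to be run without CAP_CHECKPOINT_RESTORE or CAP_SYS_ADMIN, since a privileged caller passes the check and reaches the EINVAL path on both kernels.

```c
/* Added example: regression probe for the PR_SET_MM_MAP capability check.
 * Not part of the kernel patch; names and buffer size are this probe's own. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Fallbacks for the uapi constants (values as in include/uapi/linux/prctl.h). */
#ifndef PR_SET_MM
#define PR_SET_MM 35
#endif
#ifndef PR_SET_MM_MAP
#define PR_SET_MM_MAP 14
#endif
#ifndef PR_SET_MM_MAP_SIZE
#define PR_SET_MM_MAP_SIZE 15
#endif

enum probe_result {
    PROBE_UNAVAILABLE,  /* PR_SET_MM_MAP not usable here (not Linux, no CONFIG_CHECKPOINT_RESTORE, ...) */
    PROBE_ENFORCED,     /* EPERM arrived before size validation: the patched order */
    PROBE_NOT_ENFORCED, /* size validation was reached: unpatched, or the caller holds the capability */
    PROBE_UNEXPECTED    /* anything else, including the bad size being accepted */
};

/* Pure classification of the PR_SET_MM_MAP call's outcome, kept separate so it
 * can be unit-tested without touching the kernel. With the patch, an
 * unprivileged caller is refused (EPERM) before data_size is checked; without
 * it, the deliberately wrong size is reported first (EINVAL). */
enum probe_result classify_map_call(int rc, int err)
{
    if (rc == 0)
        return PROBE_UNEXPECTED; /* an oversized data_size must never succeed */
    if (err == EPERM)
        return PROBE_ENFORCED;
    if (err == EINVAL)
        return PROBE_NOT_ENFORCED;
    return PROBE_UNEXPECTED;
}

enum probe_result probe_pr_set_mm_map(void)
{
#ifdef __linux__
    unsigned int map_size = 0;
    unsigned char buf[512]; /* never read by the kernel: the call fails before copy_from_user() */

    /* Step 1: the unprivileged size query that the patch leaves before the check.
     * Failure here means PR_SET_MM_MAP is not available at all on this kernel. */
    if (prctl(PR_SET_MM, PR_SET_MM_MAP_SIZE, (unsigned long)&map_size, 0, 0) != 0)
        return PROBE_UNAVAILABLE;
    if (map_size == 0 || map_size + 1 > sizeof(buf))
        return PROBE_UNEXPECTED;

    /* Step 2: PR_SET_MM_MAP with data_size off by one. Only the ordering of the
     * capability check and the size check is observed; no mm field is changed. */
    memset(buf, 0, sizeof(buf));
    errno = 0;
    int rc = prctl(PR_SET_MM, PR_SET_MM_MAP, (unsigned long)buf,
                   (unsigned long)map_size + 1, 0);
    return classify_map_call(rc, errno);
#else
    return PROBE_UNAVAILABLE;
#endif
}

int main(void)
{
    static const char *const names[] = {
        "unavailable (PR_SET_MM_MAP not usable on this kernel)",
        "enforced (EPERM before size check: capability check present)",
        "not enforced (EINVAL reached: unpatched kernel, or caller is privileged)",
        "unexpected result"
    };
    enum probe_result r = probe_pr_set_mm_map();

    printf("PR_SET_MM_MAP probe: %s\n", names[r]);
    if (r == PROBE_NOT_ENFORCED && geteuid() == 0)
        printf("note: running as root, which passes the check; re-run as an unprivileged user\n");
    return 0;
}
```

Build with `gcc -Wall -o mm_map_probe mm_map_probe.c` and run it as an ordinary user; "enforced" means the kernel refuses the map before looking at its size, which is exactly the order the hunk introduces, while "not enforced" from a root shell or a process with CAP_CHECKPOINT_RESTORE is not a finding.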