From: Paulo Alcantara <pc@cjr.nz>
To: Kees Cook <keescook@chromium.org>,
"Eric W. Biederman" <ebiederm@xmission.com>
Cc: "Kees Cook" <keescook@chromium.org>,
"David Howells" <dhowells@redhat.com>,
"Luis Chamberlain" <mcgrof@kernel.org>,
"Russ Weight" <russell.h.weight@intel.com>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Rafael J. Wysocki" <rafael@kernel.org>,
"Steve French" <sfrench@samba.org>,
"Ronnie Sahlberg" <lsahlber@redhat.com>,
"Shyam Prasad N" <sprasad@microsoft.com>,
"Tom Talpey" <tom@talpey.com>,
"Namjae Jeon" <linkinjeon@kernel.org>,
"Sergey Senozhatsky" <senozhatsky@chromium.org>,
"Trond Myklebust" <trond.myklebust@hammerspace.com>,
"Anna Schumaker" <anna@kernel.org>,
"Chuck Lever" <chuck.lever@oracle.com>,
"Jeff Layton" <jlayton@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
"Eric Dumazet" <edumazet@google.com>,
"Jakub Kicinski" <kuba@kernel.org>,
"Paolo Abeni" <pabeni@redhat.com>,
"Michal Koutný" <mkoutny@suse.com>,
"Peter Zijlstra" <peterz@infradead.org>,
linux-cifs@vger.kernel.org, samba-technical@lists.samba.org,
linux-nfs@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] cred: Do not default to init_cred in prepare_kernel_cred()
Date: Thu, 27 Oct 2022 09:03:08 -0300 [thread overview]
Message-ID: <87bkpxh3sz.fsf@cjr.nz> (raw)
In-Reply-To: <20221026232943.never.775-kees@kernel.org>
Kees Cook <keescook@chromium.org> writes:
> A common exploit pattern for ROP attacks is to abuse prepare_kernel_cred()
> in order to construct escalated privileges[1]. Instead of providing a
> short-hand argument (NULL) to the "daemon" argument to indicate using
> init_cred as the base cred, require that "daemon" is always set to
> an actual task. Replace all existing callers that were passing NULL
> with &init_task.
>
> Future attacks will need to have sufficiently powerful read/write
> primitives to have found an appropriately privileged task and written it
> to the ROP stack as an argument to succeed, which is similarly difficult
> to the prior effort needed to escalate privileges before struct cred
> existed: locate the current cred and overwrite the uid member.
>
> This has the added benefit of meaning that prepare_kernel_cred() can no
> longer exceed the privileges of the init task, which may have changed from
> the original init_cred (e.g. dropping capabilities from the bounding set).
>
> [1] https://google.com/search?q=commit_creds(prepare_kernel_cred(0))
>
> Cc: "Eric W. Biederman" <ebiederm@xmission.com>
> Cc: David Howells <dhowells@redhat.com>
> Cc: Luis Chamberlain <mcgrof@kernel.org>
> Cc: Russ Weight <russell.h.weight@intel.com>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: "Rafael J. Wysocki" <rafael@kernel.org>
> Cc: Steve French <sfrench@samba.org>
> Cc: Paulo Alcantara <pc@cjr.nz>
> Cc: Ronnie Sahlberg <lsahlber@redhat.com>
> Cc: Shyam Prasad N <sprasad@microsoft.com>
> Cc: Tom Talpey <tom@talpey.com>
> Cc: Namjae Jeon <linkinjeon@kernel.org>
> Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
> Cc: Trond Myklebust <trond.myklebust@hammerspace.com>
> Cc: Anna Schumaker <anna@kernel.org>
> Cc: Chuck Lever <chuck.lever@oracle.com>
> Cc: Jeff Layton <jlayton@kernel.org>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: "Michal Koutný" <mkoutny@suse.com>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: linux-cifs@vger.kernel.org
> Cc: samba-technical@lists.samba.org
> Cc: linux-nfs@vger.kernel.org
> Cc: netdev@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> drivers/base/firmware_loader/main.c | 2 +-
> fs/cifs/cifs_spnego.c | 2 +-
> fs/cifs/cifsacl.c | 2 +-
> fs/ksmbd/smb_common.c | 2 +-
> fs/nfs/flexfilelayout/flexfilelayout.c | 4 ++--
> fs/nfs/nfs4idmap.c | 2 +-
> fs/nfsd/nfs4callback.c | 2 +-
> kernel/cred.c | 15 +++++++--------
> net/dns_resolver/dns_key.c | 2 +-
> 9 files changed, 16 insertions(+), 17 deletions(-)
Acked-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
next prev parent reply other threads:[~2022-10-27 12:07 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-26 23:31 [PATCH] cred: Do not default to init_cred in prepare_kernel_cred() Kees Cook
2022-10-27 6:49 ` Greg Kroah-Hartman
2022-10-27 12:03 ` Paulo Alcantara [this message]
2022-10-27 13:07 ` Sergey Senozhatsky
2022-10-27 17:03 ` Luis Chamberlain
2022-10-27 17:16 ` Russ Weight
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bkpxh3sz.fsf@cjr.nz \
--to=pc@cjr.nz \
--cc=anna@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=edumazet@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=jlayton@kernel.org \
--cc=keescook@chromium.org \
--cc=kuba@kernel.org \
--cc=linkinjeon@kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=lsahlber@redhat.com \
--cc=mcgrof@kernel.org \
--cc=mkoutny@suse.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=peterz@infradead.org \
--cc=rafael@kernel.org \
--cc=russell.h.weight@intel.com \
--cc=samba-technical@lists.samba.org \
--cc=senozhatsky@chromium.org \
--cc=sfrench@samba.org \
--cc=sprasad@microsoft.com \
--cc=tom@talpey.com \
--cc=trond.myklebust@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).