From: Sergey Senozhatsky <senozhatsky@chromium.org>
To: Kees Cook <keescook@chromium.org>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
"David Howells" <dhowells@redhat.com>,
"Luis Chamberlain" <mcgrof@kernel.org>,
"Russ Weight" <russell.h.weight@intel.com>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Rafael J. Wysocki" <rafael@kernel.org>,
"Steve French" <sfrench@samba.org>, "Paulo Alcantara" <pc@cjr.nz>,
"Ronnie Sahlberg" <lsahlber@redhat.com>,
"Shyam Prasad N" <sprasad@microsoft.com>,
"Tom Talpey" <tom@talpey.com>,
"Namjae Jeon" <linkinjeon@kernel.org>,
"Sergey Senozhatsky" <senozhatsky@chromium.org>,
"Trond Myklebust" <trond.myklebust@hammerspace.com>,
"Anna Schumaker" <anna@kernel.org>,
"Chuck Lever" <chuck.lever@oracle.com>,
"Jeff Layton" <jlayton@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
"Eric Dumazet" <edumazet@google.com>,
"Jakub Kicinski" <kuba@kernel.org>,
"Paolo Abeni" <pabeni@redhat.com>,
"Michal Koutný" <mkoutny@suse.com>,
"Peter Zijlstra" <peterz@infradead.org>,
linux-cifs@vger.kernel.org, samba-technical@lists.samba.org,
linux-nfs@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] cred: Do not default to init_cred in prepare_kernel_cred()
Date: Thu, 27 Oct 2022 22:07:15 +0900 [thread overview]
Message-ID: <Y1qCg+g9je72TneY@google.com> (raw)
In-Reply-To: <20221026232943.never.775-kees@kernel.org>
On (22/10/26 16:31), Kees Cook wrote:
> A common exploit pattern for ROP attacks is to abuse prepare_kernel_cred()
> in order to construct escalated privileges[1]. Instead of providing a
> short-hand argument (NULL) to the "daemon" argument to indicate using
> init_cred as the base cred, require that "daemon" is always set to
> an actual task. Replace all existing callers that were passing NULL
> with &init_task.
>
> Future attacks will need to have sufficiently powerful read/write
> primitives to have found an appropriately privileged task and written it
> to the ROP stack as an argument to succeed, which is similarly difficult
> to the prior effort needed to escalate privileges before struct cred
> existed: locate the current cred and overwrite the uid member.
>
> This has the added benefit of meaning that prepare_kernel_cred() can no
> longer exceed the privileges of the init task, which may have changed from
> the original init_cred (e.g. dropping capabilities from the bounding set).
Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
next prev parent reply other threads:[~2022-10-27 13:07 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-26 23:31 [PATCH] cred: Do not default to init_cred in prepare_kernel_cred() Kees Cook
2022-10-27 6:49 ` Greg Kroah-Hartman
2022-10-27 12:03 ` Paulo Alcantara
2022-10-27 13:07 ` Sergey Senozhatsky [this message]
2022-10-27 17:03 ` Luis Chamberlain
2022-10-27 17:16 ` Russ Weight
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y1qCg+g9je72TneY@google.com \
--to=senozhatsky@chromium.org \
--cc=anna@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=edumazet@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=jlayton@kernel.org \
--cc=keescook@chromium.org \
--cc=kuba@kernel.org \
--cc=linkinjeon@kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=lsahlber@redhat.com \
--cc=mcgrof@kernel.org \
--cc=mkoutny@suse.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pc@cjr.nz \
--cc=peterz@infradead.org \
--cc=rafael@kernel.org \
--cc=russell.h.weight@intel.com \
--cc=samba-technical@lists.samba.org \
--cc=sfrench@samba.org \
--cc=sprasad@microsoft.com \
--cc=tom@talpey.com \
--cc=trond.myklebust@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).