From: "David Hildenbrand (Arm)" <david@kernel.org>
To: Qi Tang <tpluszz77@gmail.com>, Andrew Morton <akpm@linux-foundation.org>
Cc: Cyrill Gorcunov <gorcunov@openvz.org>,
Lorenzo Stoakes <ljs@kernel.org>, Oleg Nesterov <oleg@redhat.com>,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] prctl: require checkpoint_restore_ns_capable for PR_SET_MM_MAP
Date: Thu, 2 Apr 2026 15:30:07 +0200 [thread overview]
Message-ID: <6444fb38-cc33-4402-9fed-11e9938d131f@kernel.org> (raw)
In-Reply-To: <20260402111332.55957-1-tpluszz77@gmail.com>
On 4/2/26 13:13, Qi Tang wrote:
> prctl_set_mm_map() allows modifying all mm_struct boundaries and
> the saved auxv vector. The individual field path (PR_SET_MM_START_CODE
> etc.) correctly requires CAP_SYS_RESOURCE, but the PR_SET_MM_MAP path
> dispatches before this check and has no capability requirement of its
> own when exe_fd is -1.
>
> This means any unprivileged user on a CONFIG_CHECKPOINT_RESTORE kernel
> (nearly all distros) can rewrite mm boundaries including start_brk, brk,
> arg_start/end, env_start/end and saved_auxv. Consequences include:
>
> - SELinux PROCESS__EXECHEAP bypass via start_brk manipulation
> - procfs info disclosure by pointing arg/env ranges at other memory
> - auxv poisoning (AT_SYSINFO_EHDR, AT_BASE, AT_ENTRY)
>
> The original commit f606b77f1a9e ("prctl: PR_SET_MM -- introduce
> PR_SET_MM_MAP operation") states "we require the caller to be at least
> user-namespace root user", but this was never enforced in the code.
That is taken out of contex, no?
"Still note that updating exe-file link now doesn't require sys-resource
capability anymore, ... Still we require the caller to be at least
user-namespace root user."
That check was added in prctl_set_mm_map()->validate_prctl_map() in the
original patch:
+ /*
+ * Finally, make sure the caller has the rights to
+ * change /proc/pid/exe link: only local root should
+ * be allowed to.
+ */
+ if (prctl_map->exe_fd != (u32)-1) {
+ struct user_namespace *ns = current_user_ns();
+ const struct cred *cred = current_cred();
+
+ if (!uid_eq(cred->uid, make_kuid(ns, 0)) ||
+ !gid_eq(cred->gid, make_kgid(ns, 0)))
+ goto out;
+ }
--
Cheers,
David
next prev parent reply other threads:[~2026-04-02 13:30 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-02 11:13 [PATCH] prctl: require checkpoint_restore_ns_capable for PR_SET_MM_MAP Qi Tang
2026-04-02 12:57 ` Oleg Nesterov
2026-04-02 13:07 ` Lorenzo Stoakes (Oracle)
2026-04-02 13:13 ` Oleg Nesterov
2026-04-02 13:41 ` David Hildenbrand (Arm)
2026-04-02 13:06 ` Lorenzo Stoakes (Oracle)
2026-04-02 13:55 ` David Hildenbrand (Arm)
2026-04-02 14:05 ` David Hildenbrand (Arm)
2026-04-02 14:21 ` Lorenzo Stoakes (Oracle)
2026-04-02 14:27 ` David Hildenbrand (Arm)
2026-04-02 17:46 ` Andrei Vagin
2026-04-02 13:30 ` David Hildenbrand (Arm) [this message]
2026-04-02 17:47 ` Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6444fb38-cc33-4402-9fed-11e9938d131f@kernel.org \
--to=david@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=gorcunov@openvz.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ljs@kernel.org \
--cc=oleg@redhat.com \
--cc=stable@vger.kernel.org \
--cc=tpluszz77@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox