Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

fs: exec: apply CLOEXEC before changing dumpable task flags

If you have a process that has set itself to be non-dumpable, and it
then undergoes exec(2), any CLOEXEC file descriptors it has open are
"exposed" during a race window between the dumpable flags of the process
being reset for exec(2) and CLOEXEC being applied to the file
descriptors. This can be exploited by a process by attempting to access
/proc/<pid>/fd/... during this window, without requiring CAP_SYS_PTRACE.

The race in question is after set_dumpable has been (for get_link,
though the trace is basically the same for readlink):

[vfs]
-> proc_pid_link_inode_operations.get_link
   -> proc_pid_get_link
      -> proc_fd_access_allowed
         -> ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);

Which will return 0, during the race window and CLOEXEC file descriptors
will still be open during this window because do_close_on_exec has not
been called yet. As a result, the ordering of these calls should be
reversed to avoid this race window.

This is of particular concern to container runtimes, where joining a
PID namespace with file descriptors referring to the host filesystem
can result in security issues (since PRCTL_SET_DUMPABLE doesn't protect
against access of CLOEXEC file descriptors -- file descriptors which may
reference filesystem objects the container shouldn't have access to).

Cc: dev@opencontainers.org
Cc: <stable@vger.kernel.org> # v3.2+
Reported-by: Michael Crosby <crosbymichael@gmail.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Aleksa Sarai 8 years ago
parent
e522751d60
commit
613cc2b6f2
1 changed files with 8 additions and 2 deletions
Split View Show Diff Stats
  1. 8 2
      fs/exec.c

+ 8 - 2
fs/exec.c
View File 

@@ -19,7 +19,7 @@
 
  * current->executable is only used by the procfs.  This allows a dispatch
 
  * table to check for several different types  of binary formats.  We keep
 
  * trying until we recognize the file or we run out of supported binary
 
- * formats. 
+ * formats.
 
  */
 
 
 #include <linux/slab.h>
 
@@ -1268,6 +1268,13 @@ int flush_old_exec(struct linux_binprm * bprm)
 
 	flush_thread();
 
 	current->personality &= ~bprm->per_clear;
 
 
+	/*
 
+	 * We have to apply CLOEXEC before we change whether the process is
 
+	 * dumpable (in setup_new_exec) to avoid a race with a process in userspace
 
+	 * trying to access the should-be-closed file descriptors of a process
 
+	 * undergoing exec(2).
 
+	 */
 
+	do_close_on_exec(current->files);
 
 	return 0;
 
 
 out:
 
@@ -1330,7 +1337,6 @@ void setup_new_exec(struct linux_binprm * bprm)
 
 	   group */
 
 	current->self_exec_id++;
 
 	flush_signal_handlers(current, 0);
 
-	do_close_on_exec(current->files);
 
 }
 
 EXPORT_SYMBOL(setup_new_exec);