[SRU][Trusty][Zesty][PATCH 0/1] Fix for CVE-2017-14140

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

[SRU][Trusty][Zesty][PATCH 0/1] Fix for CVE-2017-14140

Kleber Souza
Only Trusty and Zesty are affected by CVE-2017-14140.

The backport for Zesty was needed to adjust for context. Trusty
doesn't have caaee6234d05a ("ptrace: use fsuid, fsgid, effective creds
for fs access checks") which adds the definition and the checks for
PTRACE_MODE_READ_REALCREDS, whoever checking for PTRACE_MODE_READ should
be enough.

Linus Torvalds (1):
  Sanitize 'move_pages()' permission checks

 mm/migrate.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

--
2.14.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[SRU][Trusty][PATCH 1/1] Sanitize 'move_pages()' permission checks

Kleber Souza
From: Linus Torvalds <[hidden email]>

The 'move_paghes()' system call was introduced long long ago with the
same permission checks as for sending a signal (except using
CAP_SYS_NICE instead of CAP_SYS_KILL for the overriding capability).

That turns out to not be a great choice - while the system call really
only moves physical page allocations around (and you need other
capabilities to do a lot of it), you can check the return value to map
out some the virtual address choices and defeat ASLR of a binary that
still shares your uid.

So change the access checks to the more common 'ptrace_may_access()'
model instead.

This tightens the access checks for the uid, and also effectively
changes the CAP_SYS_NICE check to CAP_SYS_PTRACE, but it's unlikely that
anybody really _uses_ this legacy system call any more (we hav ebetter
NUMA placement models these days), so I expect nobody to notice.

Famous last words.

Reported-by: Otto Ebeling <[hidden email]>
Acked-by: Eric W. Biederman <[hidden email]>
Cc: Willy Tarreau <[hidden email]>
Cc: [hidden email]
Signed-off-by: Linus Torvalds <[hidden email]>

CVE-2017-14140
(backported from commit 197e7e521384a23b9e585178f3f11c9fa08274b9)
[klebers: Trusty kernel doesn't have caaee6234d05a, which introduced
 the check for PTRACE_MODE_READ_REALCREDS. However, checking for
 PTRACE_MODE_READ should be enough, as discussed at
 https://bugzilla.novell.com/show_bug.cgi?id=1057179#c5]
Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
---
 mm/migrate.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/mm/migrate.c b/mm/migrate.c
index 70eb6bb9a8e6..21f477b133c4 100644
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -38,6 +38,7 @@
 #include <linux/gfp.h>
 #include <linux/balloon_compaction.h>
 #include <linux/mmu_notifier.h>
+#include <linux/ptrace.h>
 
 #include <asm/tlbflush.h>
 
@@ -1441,7 +1442,6 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
  const int __user *, nodes,
  int __user *, status, int, flags)
 {
- const struct cred *cred = current_cred(), *tcred;
  struct task_struct *task;
  struct mm_struct *mm;
  int err;
@@ -1465,14 +1465,9 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
 
  /*
  * Check if this process has the right to modify the specified
- * process. The right exists if the process has administrative
- * capabilities, superuser privileges or the same
- * userid as the target process.
+ * process. Use the regular "ptrace_may_access()" checks.
  */
- tcred = __task_cred(task);
- if (!uid_eq(cred->euid, tcred->suid) && !uid_eq(cred->euid, tcred->uid) &&
-    !uid_eq(cred->uid,  tcred->suid) && !uid_eq(cred->uid,  tcred->uid) &&
-    !capable(CAP_SYS_NICE)) {
+ if (!ptrace_may_access(task, PTRACE_MODE_READ)) {
  rcu_read_unlock();
  err = -EPERM;
  goto out;
--
2.14.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[SRU][Zesty][PATCH 1/1] Sanitize 'move_pages()' permission checks

Kleber Souza
In reply to this post by Kleber Souza
From: Linus Torvalds <[hidden email]>

The 'move_paghes()' system call was introduced long long ago with the
same permission checks as for sending a signal (except using
CAP_SYS_NICE instead of CAP_SYS_KILL for the overriding capability).

That turns out to not be a great choice - while the system call really
only moves physical page allocations around (and you need other
capabilities to do a lot of it), you can check the return value to map
out some the virtual address choices and defeat ASLR of a binary that
still shares your uid.

So change the access checks to the more common 'ptrace_may_access()'
model instead.

This tightens the access checks for the uid, and also effectively
changes the CAP_SYS_NICE check to CAP_SYS_PTRACE, but it's unlikely that
anybody really _uses_ this legacy system call any more (we hav ebetter
NUMA placement models these days), so I expect nobody to notice.

Famous last words.

Reported-by: Otto Ebeling <[hidden email]>
Acked-by: Eric W. Biederman <[hidden email]>
Cc: Willy Tarreau <[hidden email]>
Cc: [hidden email]
Signed-off-by: Linus Torvalds <[hidden email]>

CVE-2017-14140
(backported from commit 197e7e521384a23b9e585178f3f11c9fa08274b9)
[klebers: adjusted for context]
Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
---
 mm/migrate.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/mm/migrate.c b/mm/migrate.c
index c509a92639f6..01cbfd73f061 100644
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -40,6 +40,7 @@
 #include <linux/mmu_notifier.h>
 #include <linux/page_idle.h>
 #include <linux/page_owner.h>
+#include <linux/ptrace.h>
 
 #include <asm/tlbflush.h>
 
@@ -1665,7 +1666,6 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
  const int __user *, nodes,
  int __user *, status, int, flags)
 {
- const struct cred *cred = current_cred(), *tcred;
  struct task_struct *task;
  struct mm_struct *mm;
  int err;
@@ -1689,14 +1689,9 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
 
  /*
  * Check if this process has the right to modify the specified
- * process. The right exists if the process has administrative
- * capabilities, superuser privileges or the same
- * userid as the target process.
+ * process. Use the regular "ptrace_may_access()" checks.
  */
- tcred = __task_cred(task);
- if (!uid_eq(cred->euid, tcred->suid) && !uid_eq(cred->euid, tcred->uid) &&
-    !uid_eq(cred->uid,  tcred->suid) && !uid_eq(cred->uid,  tcred->uid) &&
-    !capable(CAP_SYS_NICE)) {
+ if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) {
  rcu_read_unlock();
  err = -EPERM;
  goto out;
--
2.14.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK: [SRU][Trusty][Zesty][PATCH 0/1] Fix for CVE-2017-14140

Stefan Bader-2
In reply to this post by Kleber Souza
On 07.12.2017 11:56, Kleber Sacilotto de Souza wrote:

> Only Trusty and Zesty are affected by CVE-2017-14140.
>
> The backport for Zesty was needed to adjust for context. Trusty
> doesn't have caaee6234d05a ("ptrace: use fsuid, fsgid, effective creds
> for fs access checks") which adds the definition and the checks for
> PTRACE_MODE_READ_REALCREDS, whoever checking for PTRACE_MODE_READ should
> be enough.
>
> Linus Torvalds (1):
>   Sanitize 'move_pages()' permission checks
>
>  mm/migrate.c | 11 +++--------
>  1 file changed, 3 insertions(+), 8 deletions(-)
>
Acked-by: Stefan Bader <[hidden email]>



--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

signature.asc (836 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [SRU][Trusty][Zesty][PATCH 0/1] Fix for CVE-2017-14140

Thadeu Lima de Souza Cascardo-3
In reply to this post by Kleber Souza
On Thu, Dec 07, 2017 at 12:56:45PM +0100, Kleber Sacilotto de Souza wrote:
> Only Trusty and Zesty are affected by CVE-2017-14140.
>
> The backport for Zesty was needed to adjust for context. Trusty
> doesn't have caaee6234d05a ("ptrace: use fsuid, fsgid, effective creds
> for fs access checks") which adds the definition and the checks for
> PTRACE_MODE_READ_REALCREDS, whoever checking for PTRACE_MODE_READ should
> be enough.
>

When first looking at caaee6234d05a, I thought why not pick it up. But
looking at this specific issue of move_pages, it seems to warrant a fix
of its own. If we ever pick up caaee6234d05a for trusty, we'd better
remember to fix this up.

Acked-by: Thadeu Lima de Souza Cascardo <[hidden email]>

> Linus Torvalds (1):
>   Sanitize 'move_pages()' permission checks
>
>  mm/migrate.c | 11 +++--------
>  1 file changed, 3 insertions(+), 8 deletions(-)
>
> --
> 2.14.1
>
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

APPLIED: [SRU,Trusty,1/1] Sanitize 'move_pages()' permission checks

Thadeu Lima de Souza Cascardo-3
In reply to this post by Kleber Souza
Applied to trusty master-next branch.

Thanks.
Cascardo.

Applied-to: trusty/master-next

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

APPLIED: [SRU,Zesty,1/1] Sanitize 'move_pages()' permission checks

Thadeu Lima de Souza Cascardo-3
In reply to this post by Kleber Souza
Applied to zesty master-next branch.

Thanks.
Cascardo.

Applied-to: zesty/master-next

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team