From patchwork Thu Dec 7 11:56:47 2017
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Zesty][PATCH 1/1] Sanitize 'move_pages()' permission checks
Date: Thu, 7 Dec 2017 12:56:47 +0100
Message-Id: <20171207115647.29098-3-kleber.souza@canonical.com>
In-Reply-To: <20171207115647.29098-1-kleber.souza@canonical.com>
References: <20171207115647.29098-1-kleber.souza@canonical.com>
From: Linus Torvalds

The 'move_pages()' system call was introduced long long ago with the same permission checks as for sending a signal (except using CAP_SYS_NICE instead of CAP_SYS_KILL for the overriding capability).

That turns out to not be a great choice - while the system call really only moves physical page allocations around (and you need other capabilities to do a lot of it), you can check the return value to map out some of the virtual address choices and defeat ASLR of a binary that still shares your uid.

So change the access checks to the more common 'ptrace_may_access()' model instead.

This tightens the access checks for the uid, and also effectively changes the CAP_SYS_NICE check to CAP_SYS_PTRACE, but it's unlikely that anybody really _uses_ this legacy system call any more (we have better NUMA placement models these days), so I expect nobody to notice.

Famous last words.

Reported-by: Otto Ebeling
Acked-by: Eric W. Biederman
Cc: Willy Tarreau
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds

CVE-2017-14140

(backported from commit 197e7e521384a23b9e585178f3f11c9fa08274b9)
[klebers: adjusted for context]
Signed-off-by: Kleber Sacilotto de Souza
---
 mm/migrate.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/mm/migrate.c b/mm/migrate.c index c509a92639f6..01cbfd73f061 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -40,6 +40,7 @@ #include #include #include +#include #include @@ -1665,7 +1666,6 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages, const int __user *, nodes, int __user *, status, int, flags) { - const struct cred *cred = current_cred(), *tcred; struct task_struct *task; struct mm_struct *mm; int err; 
@@ -1689,14 +1689,9 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages, /* * Check if this process has the right to modify the specified - * process. The right exists if the process has administrative - * capabilities, superuser privileges or the same - * userid as the target process. + * process. Use the regular "ptrace_may_access()" checks. */ - tcred = __task_cred(task); - if (!uid_eq(cred->euid, tcred->suid) && !uid_eq(cred->euid, tcred->uid) && - !uid_eq(cred->uid, tcred->suid) && !uid_eq(cred->uid, tcred->uid) && - !capable(CAP_SYS_NICE)) { + if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) { rcu_read_unlock(); err = -EPERM; goto out;
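Review bot: In the first hunk (the `@@ -40,6 +40,7 @@` include block) the header names have been lost in this rendering, so the one `+#include` line cannot be checked by eye; it has to be the header that declares ptrace_may_access() and PTRACE_MODE_READ_REALCREDS (linux/ptrace.h in the upstream tree), otherwise the new call in the last hunk does not compile. Please confirm the backported line reads the same as upstream commit 197e7e521384a23b9e585178f3f11c9fa08274b9.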
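Review bot: Dropping `const struct cred *cred = current_cred(), *tcred;` in the second hunk is only safe because the third hunk also removes the sole `tcred = __task_cred(task);` assignment and every `cred->euid` / `cred->uid` comparison. Since the backport was "adjusted for context", it is worth a grep of the Zesty version of sys_move_pages() to make sure no other reference to `cred` or `tcred` survives in this function, as any leftover use would now fail the build rather than be caught by review.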
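Review bot: The replacement check in the third hunk, `if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS))`, is what actually closes the leak the changelog describes, and it is worth spelling out why in the SRU justification: the removed code granted access on a bare uid/suid match (or CAP_SYS_NICE), so any same-uid process could use the syscall's return value as an oracle for which addresses in a setuid or otherwise protected target were mapped. ptrace_may_access() with the REALCREDS mode compares the caller's real credentials against the target, honours the target's dumpable state, requires CAP_SYS_PTRACE in the target's user namespace for the override, and runs the LSM ptrace hook, so non-dumpable same-uid targets are no longer probeable. Two things to note for the backport: PTRACE_MODE_READ_REALCREDS was introduced in v4.5, so it is present in Zesty's 4.10 tree; and READ is the weakest ptrace mode, which is fine for the read-only style leak described here, but the error path (`rcu_read_unlock(); err = -EPERM; goto out;`) is unchanged, so callers still get -EPERM as before and nothing else in the function needs adjusting.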