On Wed, 2 Dec 2015 16:03:42 -0800 Kees Cook <keesc...@chromium.org> wrote:
> Normally, when a user can modify a file that has setuid or setgid bits,
> those bits are cleared when they are not the file owner or a member
> of the group. This is enforced when using write and truncate but not
> when writing to a shared mmap on the file. This could allow the file
> writer to gain privileges by changing a binary without losing the
> setuid/setgid/caps bits.
>
> Changing the bits requires holding inode->i_mutex, so it cannot be done
> during the page fault (due to mmap_sem being held during the fault).
> Instead, clear the bits if PROT_WRITE is being used at mmap time.
>
> ...
>
> --- a/mm/mmap.c
> +++ b/mm/mmap.c
> @@ -1340,6 +1340,17 @@ unsigned long do_mmap(struct file *file, unsigned long
> addr,
> if (locks_verify_locked(file))
> return -EAGAIN;
>
> + /*
> + * If we must remove privs, we do it here since
> + * doing it during page COW is expensive and
> + * cannot hold inode->i_mutex.
> + */
> + if (prot & PROT_WRITE && !IS_NOSEC(inode)) {
> + mutex_lock(&inode->i_mutex);
> + file_remove_privs(file);
> + mutex_unlock(&inode->i_mutex);
> + }
> +
Still ignoring the file_remove_privs() return value. If this is
deliberate then a description of the reasons should be included?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
