On Wed, Dec 2, 2015 at 4:18 PM, Andrew Morton <[email protected]> wrote: > On Wed, 2 Dec 2015 16:03:42 -0800 Kees Cook <[email protected]> wrote: > >> Normally, when a user can modify a file that has setuid or setgid bits, >> those bits are cleared when they are not the file owner or a member >> of the group. This is enforced when using write and truncate but not >> when writing to a shared mmap on the file. This could allow the file >> writer to gain privileges by changing a binary without losing the >> setuid/setgid/caps bits. >> >> Changing the bits requires holding inode->i_mutex, so it cannot be done >> during the page fault (due to mmap_sem being held during the fault). >> Instead, clear the bits if PROT_WRITE is being used at mmap time. >> >> ... >> >> --- a/mm/mmap.c >> +++ b/mm/mmap.c >> @@ -1340,6 +1340,17 @@ unsigned long do_mmap(struct file *file, unsigned >> long addr, >> if (locks_verify_locked(file)) >> return -EAGAIN; >> >> + /* >> + * If we must remove privs, we do it here since >> + * doing it during page COW is expensive and >> + * cannot hold inode->i_mutex. >> + */ >> + if (prot & PROT_WRITE && !IS_NOSEC(inode)) { >> + mutex_lock(&inode->i_mutex); >> + file_remove_privs(file); >> + mutex_unlock(&inode->i_mutex); >> + } >> + > > Still ignoring the file_remove_privs() return value. If this is > deliberate then a description of the reasons should be included?
Argh, yes, sorry. I will send a v3. -Kees -- Kees Cook Chrome OS & Brillo Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
