Re: [PATCH] fs: clear file set[ug]id when writing via mmap
From: Andrew Morton
Date: Thu Nov 19 2015 - 19:41:20 EST
On Thu, 19 Nov 2015 16:10:43 -0800 Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> Normally, when a user can modify a file that has setuid or setgid bits,
> those bits are cleared when they are not the file owner or a member of the
> group. This is enforced when using write() directly but not when writing
> to a shared mmap on the file. This could allow the file writer to gain
> privileges by changing the binary without losing the setuid/setgid bits.
>
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> ---
> mm/memory.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/mm/memory.c b/mm/memory.c
> index deb679c31f2a..4c970a4e0057 100644
> --- a/mm/memory.c
> +++ b/mm/memory.c
> @@ -2036,6 +2036,7 @@ static inline int wp_page_reuse(struct mm_struct *mm,
>
> if (!page_mkwrite)
> file_update_time(vma->vm_file);
> + file_remove_privs(vma->vm_file);
> }
>
> return VM_FAULT_WRITE;
file_remove_privs() is depressingly heavyweight. You'd think there was
some more lightweight way of caching the fact that we've already done
this.
Dumb question: can we run file_remove_privs() once, when the file is
opened writably, rather than for each and every write into each page?
Also, the proposed patch drops the file_remove_privs() return value on
the floor and we just go ahead with the modification. How come?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/