iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
5a17f040fa
linux/drivers/base
History
Kees Cook 5a17f040fa cred: Do not default to init_cred in prepare_kernel_cred() 
A common exploit pattern for ROP attacks is to abuse prepare_kernel_cred()
in order to construct escalated privileges[1]. Instead of providing a
short-hand argument (NULL) to the "daemon" argument to indicate using
init_cred as the base cred, require that "daemon" is always set to
an actual task. Replace all existing callers that were passing NULL
with &init_task.

Future attacks will need to have sufficiently powerful read/write
primitives to have found an appropriately privileged task and written it
to the ROP stack as an argument to succeed, which is similarly difficult
to the prior effort needed to escalate privileges before struct cred
existed: locate the current cred and overwrite the uid member.

This has the added benefit of meaning that prepare_kernel_cred() can no
longer exceed the privileges of the init task, which may have changed from
the original init_cred (e.g. dropping capabilities from the bounding set).

[1] https://google.com/search?q=commit_creds(prepare_kernel_cred(0))

Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: David Howells <dhowells@redhat.com>
Cc: "Rafael J. Wysocki" <rafael@kernel.org>
Cc: Steve French <sfrench@samba.org>
Cc: Ronnie Sahlberg <lsahlber@redhat.com>
Cc: Shyam Prasad N <sprasad@microsoft.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: Namjae Jeon <linkinjeon@kernel.org>
Cc: Trond Myklebust <trond.myklebust@hammerspace.com>
Cc: Anna Schumaker <anna@kernel.org>
Cc: Chuck Lever <chuck.lever@oracle.com>
Cc: Jeff Layton <jlayton@kernel.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: "Michal Koutný" <mkoutny@suse.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Cc: linux-nfs@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Luis Chamberlain <mcgrof@kernel.org>
Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Acked-by: Russ Weight <russell.h.weight@intel.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Link: https://lore.kernel.org/r/20221026232943.never.775-kees@kernel.org
2022-11-01 10:04:52 -07:00
..
firmware_loader cred: Do not default to init_cred in prepare_kernel_cred() 2022-11-01 10:04:52 -07:00
power PM: domains: log failures to register always-on domains 2022-10-04 16:26:11 +02:00
regmap regmap: Updates for v6.1 2022-10-04 19:12:16 -07:00
test driver core: Simplify async probe test code by using ktime_ms_delta() 2021-12-29 10:57:22 +01:00
arch_numa.c mm: percpu: add generic pcpu_populate_pte() function 2022-01-20 08:52:52 +02:00
arch_topology.c RISC-V Patches for the 6.1 Merge Window, Part 1 2022-10-09 13:24:01 -07:00
attribute_container.c driver core: attribute_container: fix W=1 warnings 2021-05-14 13:37:10 +02:00
auxiliary.c Documentation/auxiliary_bus: Move the text into the code 2021-12-03 16:41:50 +01:00
base.h driver core: remove make_class_name declaration 2022-09-09 10:49:54 +02:00
bus.c driver: base: fix UAF when driver_attach failed 2022-05-19 19:28:42 +02:00
cacheinfo.c cacheinfo: Use atomic allocation for percpu cache attributes 2022-07-22 10:04:42 +02:00
class.c class: use IS_ERR_OR_NULL() helper in class_unregister() 2022-09-01 18:15:40 +02:00
component.c component: Add common helper for compare/release functions 2022-02-25 12:16:12 +01:00
container.c
core.c driver core: use IS_ERR_OR_NULL() helper in device_create_groups_vargs() 2022-09-24 15:00:38 +02:00
cpu.c x86/bugs: Report AMD retbleed vulnerability 2022-06-27 10:33:59 +02:00
dd.c Linux 6.0-rc5 2022-09-12 16:51:22 +02:00
devcoredump.c devcoredump : Serialize devcd_del work 2022-09-24 14:01:40 +02:00
devres.c devres: Slightly optimize alloc_dr() 2022-09-01 18:17:14 +02:00
devtmpfs.c devtmpfs: fix the dangling pointer of global devtmpfsd thread 2022-06-27 16:41:13 +02:00
driver.c driver core: fix driver_set_override() issue with empty strings 2022-09-05 13:01:34 +02:00
firmware.c
hypervisor.c
init.c init: Initialize noop_backing_dev_info early 2022-06-16 10:55:57 +02:00
isa.c bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
Kconfig devtmpfs: mount with noexec and nosuid 2021-12-30 13:54:42 +01:00
Makefile driver core: Add sysfs support for physical location of a device 2022-04-27 09:51:57 +02:00
map.c driver: base: Prefer unsigned int to bare use of unsigned 2021-07-21 17:30:09 +02:00
memory.c mm: kill is_memblock_offlined() 2022-09-11 20:26:04 -07:00
module.c
node.c - Yu Zhao's Multi-Gen LRU patches are here. They've been under test in 2022-10-10 17:53:04 -07:00
physical_location.c driver core: location: Add "back" as a possible output for panel 2022-05-19 19:28:32 +02:00
physical_location.h driver core: Add sysfs support for physical location of a device 2022-04-27 09:51:57 +02:00
pinctrl.c
platform-msi.c platform-msi: Export symbol platform_msi_create_irq_domain() 2022-09-28 14:21:05 +01:00
platform.c Driver core changes for 5.19-rc1 2022-06-03 11:48:47 -07:00
property.c device property: Add const qualifier to device_get_match_data() parameter 2022-09-24 15:03:25 +02:00
soc.c base: soc: Make soc_device_match() simpler and easier to read 2022-03-18 14:28:07 +01:00
swnode.c software node: fix wrong node passed to find nargs_prop 2021-12-22 18:26:18 +01:00
syscore.c
topology.c drivers/base: fix userspace break from using bin_attributes for cpumap and cpulist 2022-07-15 17:36:33 +02:00
trace.c devres: Enable trace events 2021-06-15 17:14:36 +02:00
trace.h devres: Enable trace events 2021-06-15 17:14:36 +02:00
transport_class.c