iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/fs
History
Jann Horn 0d9529e1b8 aio: mark AIO pseudo-fs noexec 
commit 22f6b4d34fcf039c63a94e7670e0da24f8575a5a upstream.

This ensures that do_mmap() won't implicitly make AIO memory mappings
executable if the READ_IMPLIES_EXEC personality flag is set.  Such
behavior is problematic because the security_mmap_file LSM hook doesn't
catch this case, potentially permitting an attacker to bypass a W^X
policy enforced by SELinux.

I have tested the patch on my machine.

To test the behavior, compile and run this:

    #define _GNU_SOURCE
    #include <unistd.h>
    #include <sys/personality.h>
    #include <linux/aio_abi.h>
    #include <err.h>
    #include <stdlib.h>
    #include <stdio.h>
    #include <sys/syscall.h>

    int main(void) {
        personality(READ_IMPLIES_EXEC);
        aio_context_t ctx = 0;
        if (syscall(__NR_io_setup, 1, &ctx))
            err(1, "io_setup");

        char cmd[1000];
        sprintf(cmd, "cat /proc/%d/maps | grep -F '/[aio]'",
            (int)getpid());
        system(cmd);
        return 0;
    }

In the output, "rw-s" is good, "rwxs" is bad.

Signed-off-by: Jann Horn <jann@thejh.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-10-07 15:23:47 +02:00
..
9p
9p: use file_dentry()
2016-08-10 11:49:27 +02:00
adfs
fs/adfs: remove unneeded cast
2015-06-30 19:44:57 -07:00
affs
affs: fix remount failure when there are no options changed
2016-06-07 18:14:32 -07:00
afs
autofs4
autofs: use dentry flags to block walks during expire
2016-09-30 10:18:37 +02:00
befs
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2015-07-04 19:36:06 -07:00
bfs
btrfs
btrfs: ensure that file descriptor used with subvol ioctls is a dir
2016-09-30 10:18:38 +02:00
cachefiles
FS-Cache: Add missing initialization of ret in cachefiles_write_page()
2015-11-16 20:38:43 -05:00
ceph
ceph: fix race during filling readdir cache
2016-10-07 15:23:42 +02:00
cifs
CIFS: Fix a possible invalid memory access in smb2_query_symlink()
2016-08-20 18:09:20 +02:00
coda
fs/coda: fix readlink buffer overflow
2015-09-10 13:29:01 -07:00
configfs
configfs: allow dynamic group creation
2015-11-20 16:17:32 -08:00
cramfs
debugfs
debugfs: Make automount point inodes permanently empty
2016-05-04 14:48:41 -07:00
devpts
devpts: clean up interface to pty drivers
2016-08-16 09:30:49 +02:00
dlm
net: rename SOCK_ASYNC_NOSPACE and SOCK_ASYNC_WAITDATA
2015-12-01 15:45:05 -05:00
ecryptfs
ecryptfs: fix handling of directory opening
2016-09-15 08:27:47 +02:00
efivarfs
efi: Make efivarfs entries immutable by default
2016-03-03 15:07:09 -08:00
efs
fs/efs: femove unneeded cast
2015-06-25 17:00:42 -07:00
exofs
osd fs: __r4w_get_page rely on PageUptodate for uptodate
2015-12-12 10:15:34 -08:00
exportfs
ext2
ext2, ext4: warn when mounting with dax enabled
2015-11-16 09:43:54 -08:00
ext4
fscrypto: require write access to mount to set encryption policy
2016-09-24 10:07:35 +02:00
f2fs
fscrypto: add authorization check for setting encryption policy
2016-09-24 10:07:34 +02:00
fat
fat: fix fake_offset handling on error path
2015-11-20 16:17:32 -08:00
freevxfs
freevxfs: Grammar s/an negative/a negative/
2015-08-07 13:59:24 +02:00
fscache
FS-Cache: Handle a write to the page immediately beyond the EOF marker
2015-11-11 02:11:02 -05:00
fuse
fuse: direct-io: don't dirty ITER_BVEC pages
2016-09-24 10:07:41 +02:00
gfs2
Merge branch 'for-linus-3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2015-11-13 18:02:30 -08:00
hfs
hfs: fix B-tree corruption after insertion at position 0
2015-09-10 13:29:01 -07:00
hfsplus
xattr handlers: Pass handler to operations instead of flags
2015-11-13 20:34:32 -05:00
hostfs
hostfs: Freeing an ERR_PTR in hostfs_fill_sb_common()
2016-09-30 10:18:39 +02:00
hpfs
hpfs: implement the show_options method
2016-06-01 12:15:54 -07:00
hugetlbfs
fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list()
2016-02-25 12:01:22 -08:00
isofs
get_rock_ridge_filename(): handle malformed NM entries
2016-05-18 17:06:54 -07:00
jbd2
jbd2: make journal y2038 safe
2016-08-20 18:09:20 +02:00
jffs2
jffs2: reduce the breakage on recovery from halfway failed rename()
2016-03-16 08:42:58 -07:00
jfs
fs/jfs: remove unnecessary new_valid_dev() checks
2015-11-09 15:11:24 -08:00
kernfs
kernfs: don't depend on d_find_any_alias() when generating notifications
2016-09-24 10:07:36 +02:00
lockd
Mainly smaller bugfixes and cleanup. We're still finding some bugs from
2015-11-11 20:11:28 -08:00
logfs
mm, fs: introduce mapping_gfp_constraint()
2015-11-06 17:50:42 -08:00
minix
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2015-07-04 19:36:06 -07:00
ncpfs
ncpfs: fix a braino in OOM handling in ncp_fill_cache()
2016-03-16 08:42:59 -07:00
nfs
pNFS/flexfiles: Fix layoutcommit after a commit to DS
2016-10-07 15:23:45 +02:00
nfs_common
lockd: NLM grace period shouldn't block NFSv4 opens
2015-08-13 10:22:06 -04:00
nfsd
nfsd: Close race between nfsd4_release_lockowner and nfsd4_lock
2016-09-24 10:07:36 +02:00
nilfs2
fs/nilfs2: fix potential underflow in call to crc32_le
2016-08-10 11:49:25 +02:00
nls
notify
fanotify: fix list corruption in fanotify_get_response()
2016-09-30 10:18:37 +02:00
ntfs
mm, fs: introduce mapping_gfp_constraint()
2015-11-06 17:50:42 -08:00
ocfs2
ocfs2: fix start offset to ocfs2_zero_range_for_truncate()
2016-09-30 10:18:34 +02:00
omfs
omfs: fix potential integer overflow in allocator
2015-05-28 18:25:19 -07:00
openpromfs
overlayfs
ovl: fix workdir creation
2016-09-15 08:27:52 +02:00
proc
mm: introduce get_task_exe_file
2016-09-24 10:07:36 +02:00
pstore
pstore: drop file opened reference count
2016-10-07 15:23:44 +02:00
qnx4
qnx6
pagemap.h: move dir_pages() over there
2015-06-23 18:02:00 -04:00
quota
quota: Fix possible GPF due to uninitialised pointers
2016-04-12 09:08:56 -07:00
ramfs
mm, fs: obey gfp_mapping for add_to_page_cache()
2015-10-16 11:42:28 -07:00
reiserfs
reiserfs: fix "new_insert_key may be used uninitialized ..."
2016-09-30 10:18:34 +02:00
romfs
squashfs
squashfs: xattr simplifications
2015-11-13 20:34:33 -05:00
sysfs
sysfs: correctly handle read offset on PREALLOC attrs
2016-09-07 08:32:46 +02:00
sysv
fix sysvfs symlinks
2015-11-23 21:11:08 -05:00
tracefs
tracefs: Fix refcount imbalance in start_creating()
2015-11-04 22:13:45 -05:00
ubifs
ubifs: Fix assertion in layout_in_gaps()
2016-09-15 08:27:53 +02:00
udf
udf: Check output buffer length when converting name to CS0
2016-02-25 12:01:18 -08:00
ufs
fix ufs write vs readpage race when writing into a hole
2015-09-09 10:43:12 -07:00
xfs
xfs: prevent dropping ioend completions during buftarg wait
2016-09-30 10:18:37 +02:00
aio.c
aio: mark AIO pseudo-fs noexec
2016-10-07 15:23:47 +02:00
anon_inodes.c
attr.c
bad_inode.c
binfmt_aout.c
binfmt_elf_fdpic.c
libnvdimm for 4.4:
2015-11-10 12:07:22 -08:00
binfmt_elf.c
Merge branch 'for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2015-11-11 09:45:24 -08:00
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
block_dev.c
block: detach bdev inode from its wb in __blkdev_put()
2015-12-04 11:02:17 -07:00
buffer.c
vfs: remove unused wrapper block_page_mkwrite()
2015-11-11 02:19:33 -05:00
char_dev.c
fs/char_dev.c: fix incorrect documentation for unregister_chrdev_region
2015-08-05 13:49:35 -07:00
compat_binfmt_elf.c
compat_ioctl.c
i2c-dev: Fix typo in ioctl name reference
2015-10-23 23:26:43 +02:00
compat.c
coredump.c
fs/coredump: prevent fsuid=0 dumps into user-controlled directories
2016-04-12 09:08:58 -07:00
dax.c
dax: disable pmd mappings
2015-11-16 23:54:45 -08:00
dcache.c
fs/dcache.c: avoid soft-lockup in dput()
2016-08-16 09:30:50 +02:00
dcookies.c
direct-io.c
block: fix use-after-free in dio_bio_complete
2016-03-03 15:07:28 -08:00
drop_caches.c
inode: convert inode_sb_list_lock to per-sb
2015-08-17 18:39:46 -04:00
eventfd.c
eventpoll.c
exec.c
vfs: Commit to never having exectuables on proc and sysfs.
2015-07-10 10:39:25 -05:00
fcntl.c
fhandle.c
fs/coredump: prevent fsuid=0 dumps into user-controlled directories
2016-04-12 09:08:58 -07:00
file_table.c
fs, file table: reinit files_stat.max_files after deferred memory initialisation
2015-08-07 04:39:40 +03:00
file.c
vfs: clear remainder of 'full_fds_bits' in dup_fd()
2015-11-05 23:05:32 -08:00
filesystems.c
fs_pin.c
fs_struct.c
fs-writeback.c
writeback, cgroup: fix use of the wrong bdi_writeback which mismatches the inode
2016-04-12 09:09:04 -07:00
inode.c
vfs: fix deadlock in file_remove_privs() on overlayfs
2016-08-10 11:49:30 +02:00
internal.h
inode: rename i_wb_list to i_io_list
2015-08-17 23:38:10 -04:00
ioctl.c
Kconfig
dax: disable pmd mappings
2015-11-16 23:54:45 -08:00
Kconfig.binfmt
libfs.c
fs: Set the size of empty dirs to 0.
2015-08-12 15:28:45 -05:00
locks.c
locks: use file_inode()
2016-08-10 11:49:27 +02:00
Makefile
ext4: promote ext4 over ext2 in the default probe order
2015-10-15 10:33:21 -04:00
mbcache.c
mount.h
fs: use seq_open_private() for proc_mounts
2015-06-30 19:44:56 -07:00
mpage.c
mm, fs: introduce mapping_gfp_constraint()
2015-11-06 17:50:42 -08:00
namei.c
fs: Check for invalid i_uid in may_follow_link()
2016-09-15 08:27:49 +02:00
namespace.c
namespace: update event counter when umounting a deleted dentry
2016-08-10 11:49:27 +02:00
no-block.c
nsfs.c
fs/seq_file: convert int seq_vprint/seq_printf/etc... returns to void
2015-09-11 15:21:34 -07:00
open.c
vfs: add vfs_select_inode() helper
2016-05-18 17:06:48 -07:00
pipe.c
pipe: limit the per-user amount of pages allocated in pipes
2016-06-07 18:14:35 -07:00
pnode.c
propogate_mnt: Handle the first propogated copy being a slave
2016-05-11 11:21:19 +02:00
pnode.h
mnt: Clarify and correct the disconnect logic in umount_tree
2015-07-22 20:33:27 -05:00
posix_acl.c
posix_acl: Add set_posix_acl
2016-07-27 09:47:30 -07:00
proc_namespace.c
vfs: show_vfsstat: do not ignore errors from show_devname method
2016-04-12 09:08:55 -07:00
read_write.c
readdir.c
select.c
seq_file.c
fs/seq_file: fix out-of-bounds read
2016-09-07 08:32:43 +02:00
signalfd.c
signalfd: fix information leak in signalfd_copyinfo
2015-08-07 04:39:40 +03:00
splice.c
splice: handle zero nr_pages in splice_to_pipe()
2016-04-12 09:08:55 -07:00
stack.c
stat.c
fs/stat.c: remove unnecessary new_valid_dev() check
2015-11-09 15:11:24 -08:00
statfs.c
super.c
writeback: flush inode cgroup wb switches instead of pinning super_block
2016-03-09 15:34:52 -08:00
sync.c
fs/sync.c: make sync_file_range(2) use WB_SYNC_NONE writeback
2015-11-06 17:50:42 -08:00
timerfd.c
timerfd: Handle relative timers with CONFIG_TIME_LOW_RES proper
2016-02-25 12:01:25 -08:00
userfaultfd.c
userfaultfd: don't block on the last VM updates at exit time
2016-03-16 08:43:01 -07:00
utimes.c
xattr.c
9p: xattr simplifications
2015-11-13 20:34:33 -05:00