From nobody Wed Jul 1 06:47:09 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0C4C0C433EF for ; Tue, 28 Dec 2021 17:10:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236662AbhL1RK4 (ORCPT ); Tue, 28 Dec 2021 12:10:56 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]:36573 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236651AbhL1RKw (ORCPT ); Tue, 28 Dec 2021 12:10:52 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1640711452; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=fIBVy+hA8YnjW75VVgRUSX7sqW1UFeQMpluWbq0Iuzc=; b=KqPGIunXgOs3607TgH+vx7hicjGR2poY0M5294a54XE8v7FzYKYGQD6/uLK2sBX84rYwZW KcPnWBXfiUnmpMvjldm/jhmG2I64m4vA1tq0tbJF9itYF/9lrLnZPQL7UwacF2jOB+htrk hl65fLiANOqszyidQ5T6fJrAuT9OvvY= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-407-iGJ0NmWiNw2qo6kE4eIvag-1; Tue, 28 Dec 2021 12:10:48 -0500 X-MC-Unique: iGJ0NmWiNw2qo6kE4eIvag-1 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id E0C86102CB2A; Tue, 28 Dec 2021 17:10:45 +0000 (UTC) Received: from wcosta.com (ovpn-116-95.gru2.redhat.com [10.97.116.95]) by smtp.corp.redhat.com (Postfix) with ESMTP id 0ACBE77440; Tue, 28 Dec 2021 17:10:00 +0000 (UTC) 
From: Wander Lairson Costa To: Alexander Viro , Eric Biederman , Kees Cook , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Daniel Bristot de Oliveira , Wander Lairson Costa , Laurent Vivier , YunQiang Su , Helge Deller , Andrew Morton , Jens Axboe , Alexey Gladkov , David Hildenbrand , Rolf Eike Beer , linux-fsdevel@vger.kernel.org (open list:FILESYSTEMS (VFS and infrastructure)), linux-kernel@vger.kernel.org (open list) Subject: [PATCH RFC v2 1/4] exec: add a flag indicating if an exec file is a suid/sgid Date: Tue, 28 Dec 2021 14:09:05 -0300 Message-Id: <20211228170910.623156-2-wander@redhat.com> In-Reply-To: <20211228170910.623156-1-wander@redhat.com> References: <20211228170910.623156-1-wander@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" We create an additional flag in the struct linux_bprm to indicate a suid/sgid binary. We will use this information in a later commit to set the task_struct flags accordingly. Signed-off-by: Wander Lairson Costa --- fs/exec.c | 2 ++ include/linux/binfmts.h | 6 +++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/fs/exec.c b/fs/exec.c index 537d92c41105..ec07b36fdbb4 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1619,11 +1619,13 @@ static void bprm_fill_uid(struct linux_binprm *bprm= , struct file *file) if (mode & S_ISUID) { bprm->per_clear |=3D PER_CLEAR_ON_SETID; bprm->cred->euid =3D uid; + bprm->suid_bin =3D 1; } =20 if ((mode & (S_ISGID | S_IXGRP)) =3D=3D (S_ISGID | S_IXGRP)) { bprm->per_clear |=3D PER_CLEAR_ON_SETID; bprm->cred->egid =3D gid; + bprm->suid_bin =3D 1; } } =20 diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h index 049cf9421d83..c4b41b9711d2 100644 --- a/include/linux/binfmts.h +++ b/include/linux/binfmts.h 
@@ -41,7 +41,11 @@ struct linux_binprm { * Set when errors can no longer be returned to the * original userspace. */ - point_of_no_return:1; + point_of_no_return:1, + /* + * Is this a suid/sgid binary? + */ + suid_bin:1; #ifdef __alpha__ unsigned int taso:1; #endif --=20 2.27.0 From nobody Wed Jul 1 06:47:09 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 832C0C433EF for ; Tue, 28 Dec 2021 17:11:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236672AbhL1RLe (ORCPT ); Tue, 28 Dec 2021 12:11:34 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:60969 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236651AbhL1RLd (ORCPT ); Tue, 28 Dec 2021 12:11:33 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1640711492; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=vnD9Ir6KafT49PHRnvs+2GzEgf09b29JgFdqlfV/kA0=; b=bSekmq1YJz6OYYkFduD8MiH4tQkC0tf7JX+Y+Y0xLffrTUtdboC5LVYsU78suUzOfKMqH5 FPzYMV6dOUF+CkHrEtbM3vqPsvlKXobiOR1X9OV14PpofmgaNHXYfBldkq/9Coh5G3wG+i 8KuUo/kyFGBpgMCgwmvRpK0tIoBgC1o= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-16-ADxrujMmN8aDPXfYUMbGzw-1; Tue, 28 Dec 2021 12:11:29 -0500 X-MC-Unique: ADxrujMmN8aDPXfYUMbGzw-1 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by 
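Review bot: in the bprm_fill_uid() hunk `bprm->suid_bin = 1` is only ever set, never cleared, so its meaning rests on the bit being zero when the function is entered. bprm_fill_uid() runs once per binfmt pass of a single execve (a set-id script, then its interpreter), so a set-id script whose interpreter carries no set-id bit would leave `suid_bin` set although the exec granted nothing; reset the bit at the top of the function along with the other per-pass credential state, or compute it after the last pass from the final `bprm->cred`. The bit is also taken only from the S_ISUID / S_ISGID mode bits, so a binary that gains privilege through file capabilities is never marked; either state that limitation in the comment or derive the flag from a change in `bprm->cred` (euid, egid or capability sets compared with current), which covers both paths.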
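Review bot: in the binfmts.h hunk the comment "Is this a suid/sgid binary?" restates the field's name rather than its contract; say that bprm_fill_uid() sets it from the file mode bits and that exec turns it into a per-task flag, since that is what a reader grepping for the bit needs. As the sgid branch sets it too, `setid_bin` would describe the field more accurately than `suid_bin`.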
mimecast-mx01.redhat.com (Postfix) with ESMTPS id 293F8102C8D6; Tue, 28 Dec 2021 17:11:27 +0000 (UTC) Received: from wcosta.com (ovpn-116-95.gru2.redhat.com [10.97.116.95]) by smtp.corp.redhat.com (Postfix) with ESMTP id EC18F77440; Tue, 28 Dec 2021 17:10:48 +0000 (UTC)
From: Wander Lairson Costa
To: Alexander Viro, Eric Biederman, Kees Cook, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Laurent Vivier, YunQiang Su, Helge Deller, Wander Lairson Costa, Andrew Morton, Jens Axboe, Alexey Gladkov, David Hildenbrand, Rolf Eike Beer, linux-fsdevel@vger.kernel.org (open list:FILESYSTEMS (VFS and infrastructure)), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH RFC v2 2/4] process: add the PF_SUID flag
Date: Tue, 28 Dec 2021 14:09:06 -0300
Message-Id: <20211228170910.623156-3-wander@redhat.com>
In-Reply-To: <20211228170910.623156-1-wander@redhat.com>
References: <20211228170910.623156-1-wander@redhat.com>

If the binary file in an execve system call is a suid executable, we add the PF_SUID flag to the process and all its future new children and threads. In a later commit, we will use this information to determine if it is safe to core dump such a process.

Signed-off-by: Wander Lairson Costa
---
 fs/exec.c             | 4 ++++
 include/linux/sched.h | 1 +
 kernel/fork.c         | 2 ++
 3 files changed, 7 insertions(+)

diff --git a/fs/exec.c b/fs/exec.c
index ec07b36fdbb4..81d6ab9a4f64 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1309,6 +1309,10 @@ int begin_new_exec(struct linux_binprm * bprm) =20 me->flags &=3D ~(PF_RANDOMIZE | PF_FORKNOEXEC | PF_KTHREAD | PF_NOFREEZE | PF_NO_SETAFFINITY); + + if (bprm->suid_bin) + me->flags |=3D PF_SUID; + flush_thread(); me->personality &=3D ~bprm->per_clear; =20 diff --git a/include/linux/sched.h b/include/linux/sched.h index 78c351e35fec..8ec2f907fb89 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1683,6 +1683,7 @@ extern struct pid *cad_pid; #define PF_KTHREAD 0x00200000 /* I am a kernel thread */ #define PF_RANDOMIZE 0x00400000 /* Randomize virtual address space */ #define PF_SWAPWRITE 0x00800000 /* Allowed to write to swap */ +#define PF_SUID 0x01000000 /* The process comes from a suid/sgid binary = */ #define PF_NO_SETAFFINITY 0x04000000 /* Userland is not allowed to meddle = with cpus_mask */ #define PF_MCE_EARLY 0x08000000 /* Early kill for mce process policy= */ #define PF_MEMALLOC_PIN 0x10000000 /* Allocation context constrained to z= ones which allow long term pinning. */ diff --git a/kernel/fork.c b/kernel/fork.c index 3244cc56b697..f0375d102b57 100644 --- a/kernel/fork.c +++ b/kernel/fork.c 
@@ -2076,6 +2076,8 @@ static __latent_entropy struct task_struct *copy_proc= ess( delayacct_tsk_init(p); /* Must remain after dup_task_struct() */ p->flags &=3D ~(PF_SUPERPRIV | PF_WQ_WORKER | PF_IDLE | PF_NO_SETAFFINITY= ); p->flags |=3D PF_FORKNOEXEC; + if (current->flags & PF_SUID) + p->flags |=3D PF_SUID; INIT_LIST_HEAD(&p->children); INIT_LIST_HEAD(&p->sibling); rcu_copy_process(p); --=20 2.27.0 From nobody Wed Jul 1 06:47:09 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7882AC433FE for ; Tue, 28 Dec 2021 17:12:29 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236698AbhL1RM2 (ORCPT ); Tue, 28 Dec 2021 12:12:28 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:44500 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233056AbhL1RM1 (ORCPT ); Tue, 28 Dec 2021 12:12:27 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1640711546; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=K2bAtOvojdga/7paLAB6jMZTvffzBYx7Nr0h6WOmw3s=; b=aJVNq34Q7L11xZmh2DWeNfzerhpwhoIFYi0XTrAmFy2Cu13mvpELsraP+iAp66Nxr+JASN zBiqAKCFJ6E4J6GGZqSrrc95kFlIb8nu7HUo2Fc9mzRNZjOVSJpMANX/BglRVWQd1QJCug +K9J4sOIOUVcn6kubKtCaTBi9Q+7XWQ= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-86-iizx6YkiMZW0EyZFpaH5MA-1; Tue, 28 Dec 2021 12:12:23 -0500 X-MC-Unique: iizx6YkiMZW0EyZFpaH5MA-1 Received: from smtp.corp.redhat.com 
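Review bot: in the begin_new_exec() hunk PF_SUID is absent from the mask cleared two lines above (`me->flags &= ~(PF_RANDOMIZE | PF_FORKNOEXEC | PF_KTHREAD | PF_NOFREEZE | PF_NO_SETAFFINITY)`), so once set the flag survives every later execve of a non-set-id binary in that task and, through the fork hunk, in every descendant (su, the shell it starts, and everything run from that shell). If that stickiness is intended, it is the defining property of the flag and belongs in the comment here and beside the PF_SUID definition in sched.h; if it is not, add PF_SUID to that mask so the bit is recomputed from `bprm->suid_bin` on each exec.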
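Review bot: the two lines added to copy_process() are a no-op: `p->flags` is the child's inherited copy of the parent's flags, and the mask on the line above (`p->flags &= ~(PF_SUPERPRIV | PF_WQ_WORKER | PF_IDLE | PF_NO_SETAFFINITY)`) only strips the listed bits, so PF_SUID is already in `p->flags` whenever `current->flags` has it. Drop them, or keep them with a comment saying they pin the inheritance in case PF_SUID is ever added to that mask.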
(int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 22044102C8A0; Tue, 28 Dec 2021 17:12:21 +0000 (UTC) Received: from wcosta.com (ovpn-116-95.gru2.redhat.com [10.97.116.95]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2057177440; Tue, 28 Dec 2021 17:11:29 +0000 (UTC)
From: Wander Lairson Costa
To: Alexander Viro, Eric Biederman, Kees Cook, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, YunQiang Su, Laurent Vivier, Wander Lairson Costa, Helge Deller, Andrew Morton, Alexey Gladkov, Jens Axboe, David Hildenbrand, Rolf Eike Beer, linux-fsdevel@vger.kernel.org (open list:FILESYSTEMS (VFS and infrastructure)), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH RFC v2 3/4] coredump: mitigate privilege escalation of process coredump
Date: Tue, 28 Dec 2021 14:09:07 -0300
Message-Id: <20211228170910.623156-4-wander@redhat.com>
In-Reply-To: <20211228170910.623156-1-wander@redhat.com>
References: <20211228170910.623156-1-wander@redhat.com>

A set-uid executable might be a vector for privilege escalation if the system configures the core dump file name pattern as a relative directory destination. The full description of the vulnerability and a demonstration of how we can exploit it can be found at [1].

We now check if the core dump pattern is relative. If it is, then we verify if root owns the current directory and, if it does, we deny writing the core file unless the directory is universally writable.

[1] https://www.openwall.com/lists/oss-security/2021/10/20/2
Signed-off-by: Wander Lairson Costa --- fs/coredump.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/fs/coredump.c b/fs/coredump.c index a6b3c196cdef..26bea87af153 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -514,6 +514,7 @@ void do_coredump(const kernel_siginfo_t *siginfo) struct core_name cn; struct mm_struct *mm =3D current->mm; struct linux_binfmt * binfmt; + struct inode *pwd_inode; const struct cred *old_cred; struct cred *cred; int retval =3D 0; 
@@ -559,6 +560,20 @@ void do_coredump(const kernel_siginfo_t *siginfo) need_suid_safe =3D true; } =20 + /* + * If we are a set-uid/gid root process and the current directory is + * owned by root but not universally writable, prohibit dumps under + * this path. + * + * Mitigate https://www.openwall.com/lists/oss-security/2021/10/20/2 + */ + pwd_inode =3D current->fs->pwd.dentry->d_inode; + if (current->flags & PF_SUID && + capable(CAP_SYS_ADMIN) && + uid_eq(pwd_inode->i_uid, GLOBAL_ROOT_UID) && + !(pwd_inode->i_mode & 0002)) + need_suid_safe =3D true; + retval =3D coredump_wait(siginfo->si_signo, &core_state); if (retval < 0) goto fail_creds; --=20 2.27.0 From nobody Wed Jul 1 06:47:09 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id CB180C433EF for ; Tue, 28 Dec 2021 17:13:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236727AbhL1RNp (ORCPT ); Tue, 28 Dec 2021 12:13:45 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:32172 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236065AbhL1RNn (ORCPT ); Tue, 28 Dec 2021 12:13:43 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1640711623; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=PRytPH178REvN8Uq5T4UrkS8ZBRAkLw6uslccqzTXjU=; b=GKqgy18iyBdfp2dHCdkbsKMstex+/Z87ozj+6UMeiS6tqL/H9vIQwkrDg2Jwqj5mwcHnvY HKPAJIovjSddO7utoCWGTLWyi+0h2MlgEEj3hPy5iZn9/gLkaUg1EcfC5hSfwpH6Bv8CjL R/35C0tAEnjXnk9L/4NxMbG2GsJ+t6c= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP 
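Review bot: in the do_coredump() hunk `current->fs->pwd.dentry->d_inode` is read without `current->fs->lock` or a path reference, and the block sits before the `coredump_wait()` call that follows it, so sibling threads are still running and can chdir() and release that dentry under the check; use `get_fs_pwd(current->fs, &pwd)`, take `d_inode(pwd.dentry)`, and `path_put(&pwd)` afterwards. The privilege test is also the wrong one: what lets a dump be created in a root-owned, non-world-writable directory is CAP_DAC_OVERRIDE (more precisely, the fsuid and capabilities the file will be opened with), not CAP_SYS_ADMIN, and `capable()` logs to audit and sets PF_SUPERPRIV on a path that exercises no privilege, so `ns_capable_noaudit(&init_user_ns, CAP_DAC_OVERRIDE)` fits better. The ownership heuristic is narrower than the hazard: a cwd owned by another user, or writable only by a group the real user is not in, gives the same write primitive, and `i_uid` should be read through the mount's idmapping; since `need_suid_safe` is exactly what refuses a relative corename later in this function, setting it for every task with PF_SUID that holds the capability drops the heuristic and its gaps. Minor: parenthesise `(current->flags & PF_SUID)`, use `S_IWOTH` rather than `0002`, and the comment's "set-uid/gid root process" does not match a capability test; the commit message's "we now check if the core dump pattern is relative" is done by the existing need_suid_safe handling, which the comment could state.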
with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-474-tAnc3_h7NpytNCGKi0S5cg-1; Tue, 28 Dec 2021 12:13:39 -0500 X-MC-Unique: tAnc3_h7NpytNCGKi0S5cg-1 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 97F28801B0C; Tue, 28 Dec 2021 17:13:37 +0000 (UTC) Received: from wcosta.com (ovpn-116-95.gru2.redhat.com [10.97.116.95]) by smtp.corp.redhat.com (Postfix) with ESMTP id 195727744A; Tue, 28 Dec 2021 17:12:23 +0000 (UTC)
From: Wander Lairson Costa
To: Alexander Viro, Eric Biederman, Kees Cook, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Helge Deller, Laurent Vivier, YunQiang Su, Wander Lairson Costa, Andrew Morton, Alexey Gladkov, Jens Axboe, David Hildenbrand, Rolf Eike Beer, linux-fsdevel@vger.kernel.org (open list:FILESYSTEMS (VFS and infrastructure)), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH RFC v2 4/4] exec: only set the suid flag if the current proc isn't root
Date: Tue, 28 Dec 2021 14:09:08 -0300
Message-Id: <20211228170910.623156-5-wander@redhat.com>
In-Reply-To: <20211228170910.623156-1-wander@redhat.com>
References: <20211228170910.623156-1-wander@redhat.com>

The goal of the PF_SUID flag is to check if it is safe to coredump the process. If the current process is already privileged, there is no point in performing security checks because the new image is a set-uid process. Because of that, we don't set the suid flag if the forked process already runs as root.
Signed-off-by: Wander Lairson Costa --- fs/exec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/exec.c b/fs/exec.c index 81d6ab9a4f64..1a3458c6c9b7 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1310,7 +1310,11 @@ int begin_new_exec(struct linux_binprm * bprm) me->flags &=3D ~(PF_RANDOMIZE | PF_FORKNOEXEC | PF_KTHREAD | PF_NOFREEZE | PF_NO_SETAFFINITY); =20 - if (bprm->suid_bin) + /* + * We set the PF_SUID flags for security reasons. There is no + * point in setting it if the parent is root. + */ + if (bprm->suid_bin && !capable(CAP_SYS_ADMIN)) me->flags |=3D PF_SUID; =20 flush_thread(); --=20 2.27.0
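Review bot: in the begin_new_exec() hunk `capable(CAP_SYS_ADMIN)` answers for the task that called execve, because the new credentials are not committed until later in begin_new_exec(); that is what the commit message wants, but the comment says "parent" and the commit message says "forked process", when both mean the calling task itself, so reword both. Two more points: this capable() call runs on every set-id exec by a privileged caller and audits and sets PF_SUPERPRIV for a check that uses no privilege (ns_capable_noaudit() avoids that); and skipping the assignment leaves an already-inherited PF_SUID in place, because nothing clears it, so a root shell reached through su keeps the flag across every later exec while the stated rationale reads as if the flag were meaningless for a privileged caller. If an inherited flag is meant to survive, say so in the comment; if not, clear it under the same condition.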
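The hazard patch 3/4 describes rests on two sysctls: kernel.core_pattern, which the kernel resolves against the crashing process's current directory when the value starts with neither '/' nor '|', and fs.suid_dumpable, which decides whether a process that changed credentials is dumped at all. The shell functions below are an added example, not code from this series or from the kernel tree, that classify a core_pattern value and flag the weak combination next to hardened ones. The /proc/sys paths and the 0/1/2 meanings of fs.suid_dumpable are the kernel's documented ones; the function names and the sample settings are this example's own.

```shell
#!/bin/sh
# Added example, not part of the patch series: audit the two sysctls behind
# the core-dump hazard of patch 3/4. Function names and the sample settings
# below are this example's own.

# classify_core_pattern PATTERN
# Mirrors how the kernel treats kernel.core_pattern: a leading '|' hands the
# dump to a user-space helper, a leading '/' is an absolute path, and
# anything else is created relative to the crashing process's cwd.
classify_core_pattern() {
    case "$1" in
        '|'*) echo pipe ;;
        /*)   echo absolute ;;
        *)    echo relative ;;
    esac
}

# core_dump_verdict PATTERN SUID_DUMPABLE
# fs.suid_dumpable: 0 = processes that changed credentials are never dumped,
# 1 = dumped as the user (debug only), 2 = "suidsafe": dumped readable by
# root only, and only to an absolute path or a pipe.
# Prints one line; returns 0 when the pair is acceptable, 1 when it is weak.
core_dump_verdict() {
    pattern=$1
    suid_dumpable=$2
    kind=$(classify_core_pattern "$pattern")

    if [ "$kind" = relative ]; then
        echo "WEAK: core_pattern '$pattern' is relative; dumps land in the crashing process's cwd"
        return 1
    fi
    if [ "$suid_dumpable" = 1 ]; then
        echo "WEAK: fs.suid_dumpable=1 dumps set-id processes as the unprivileged user"
        return 1
    fi
    echo "OK: core_pattern is $kind, fs.suid_dumpable=$suid_dumpable"
    return 0
}

# audit_host
# Reads the live values from procfs (Linux only) and prints the verdict.
# Always returns 0: it reports, it does not enforce.
audit_host() {
    if [ ! -r /proc/sys/kernel/core_pattern ]; then
        echo "SKIP: /proc/sys/kernel/core_pattern not readable"
        return 0
    fi
    live_pattern=$(cat /proc/sys/kernel/core_pattern)
    live_suid=$(cat /proc/sys/fs/suid_dumpable 2>/dev/null || echo unknown)
    core_dump_verdict "$live_pattern" "$live_suid" || :
    return 0
}

# Constructed sample settings (not taken from any real host): the weak
# configuration next to two hardened ones. '|| :' keeps a WEAK verdict from
# aborting a shell running under 'set -e'.
core_dump_verdict 'core.%p' 2 || :                                              # WEAK
core_dump_verdict '/var/crash/core.%e.%p' 0 || :                                # OK
core_dump_verdict '|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h' 2 || :   # OK
audit_host
```

Run it as any user; `audit_host` only reads the live values. Independently of this series, the administrator-side fix for the relative case is an absolute path (`sysctl -w kernel.core_pattern=/var/crash/core.%e.%p`, with a directory of your choice) or a pipe to a helper such as systemd-coredump, with fs.suid_dumpable left at 0 or set to 2.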