fs/proc/base.c | 3 ++- tools/testing/selftests/nolibc/nolibc-test.c | 4 ++++ 2 files changed, 6 insertions(+), 1 deletion(-)
Due to an oversight in commit 1b3044e39a89 ("procfs: fix pthread
cross-thread naming if !PR_DUMPABLE") in switching from REG to NOD,
chmod operations on /proc/thread-self/comm were no longer blocked as
they are on almost all other procfs files.
A very similar situation with /proc/self/environ was used to as a root
exploit a long time ago, but procfs has SB_I_NOEXEC so this is simply a
correctness issue.
Ref: https://lwn.net/Articles/191954/
Ref: 6d76fa58b050 ("Don't allow chmod() on the /proc/<pid>/ files")
Fixes: 1b3044e39a89 ("procfs: fix pthread cross-thread naming if !PR_DUMPABLE")
Cc: stable@vger.kernel.org # v4.7+
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
fs/proc/base.c | 3 ++-
tools/testing/selftests/nolibc/nolibc-test.c | 4 ++++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 05452c3b9872..7394229816f3 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -3583,7 +3583,8 @@ static int proc_tid_comm_permission(struct mnt_idmap *idmap,
}
static const struct inode_operations proc_tid_comm_inode_operations = {
- .permission = proc_tid_comm_permission,
+ .setattr = proc_setattr,
+ .permission = proc_tid_comm_permission,
};
/*
diff --git a/tools/testing/selftests/nolibc/nolibc-test.c b/tools/testing/selftests/nolibc/nolibc-test.c
index 486334981e60..08f0969208eb 100644
--- a/tools/testing/selftests/nolibc/nolibc-test.c
+++ b/tools/testing/selftests/nolibc/nolibc-test.c
@@ -580,6 +580,10 @@ int run_syscall(int min, int max)
CASE_TEST(chmod_net); EXPECT_SYSZR(proc, chmod("/proc/self/net", 0555)); break;
CASE_TEST(chmod_self); EXPECT_SYSER(proc, chmod("/proc/self", 0555), -1, EPERM); break;
CASE_TEST(chown_self); EXPECT_SYSER(proc, chown("/proc/self", 0, 0), -1, EPERM); break;
+ CASE_TEST(chmod_self_comm); EXPECT_SYSER(proc, chmod("/proc/self/comm", 0777), -1, EPERM); break;
+ CASE_TEST(chmod_tid_comm); EXPECT_SYSER(proc, chmod("/proc/thread-self/comm", 0777), -1, EPERM); break;
+ CASE_TEST(chmod_self_environ);EXPECT_SYSER(proc, chmod("/proc/self/environ", 0777), -1, EPERM); break;
+ CASE_TEST(chmod_tid_environ); EXPECT_SYSER(proc, chmod("/proc/thread-self/environ", 0777), -1, EPERM); break;
CASE_TEST(chroot_root); EXPECT_SYSZR(euid0, chroot("/")); break;
CASE_TEST(chroot_blah); EXPECT_SYSER(1, chroot("/proc/self/blah"), -1, ENOENT); break;
CASE_TEST(chroot_exe); EXPECT_SYSER(proc, chroot("/proc/self/exe"), -1, ENOTDIR); break;
--
2.41.0+Cc Thomas Weißschuh <thomas@t-8ch.de> as this seems quite related to
his finding about /proc/self/net:
https://lore.kernel.org/lkml/20230624-proc-net-setattr-v1-0-73176812adee@weissschuh.net/#b
On Thu, Jul 13, 2023 at 10:19:04PM +1000, Aleksa Sarai wrote:
> Due to an oversight in commit 1b3044e39a89 ("procfs: fix pthread
> cross-thread naming if !PR_DUMPABLE") in switching from REG to NOD,
> chmod operations on /proc/thread-self/comm were no longer blocked as
> they are on almost all other procfs files.
>
> A very similar situation with /proc/self/environ was used to as a root
> exploit a long time ago, but procfs has SB_I_NOEXEC so this is simply a
> correctness issue.
>
> Ref: https://lwn.net/Articles/191954/
> Ref: 6d76fa58b050 ("Don't allow chmod() on the /proc/<pid>/ files")
> Fixes: 1b3044e39a89 ("procfs: fix pthread cross-thread naming if !PR_DUMPABLE")
> Cc: stable@vger.kernel.org # v4.7+
> Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
> ---
> fs/proc/base.c | 3 ++-
> tools/testing/selftests/nolibc/nolibc-test.c | 4 ++++
> 2 files changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 05452c3b9872..7394229816f3 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -3583,7 +3583,8 @@ static int proc_tid_comm_permission(struct mnt_idmap *idmap,
> }
>
> static const struct inode_operations proc_tid_comm_inode_operations = {
> - .permission = proc_tid_comm_permission,
> + .setattr = proc_setattr,
> + .permission = proc_tid_comm_permission,
> };
>
> /*
> diff --git a/tools/testing/selftests/nolibc/nolibc-test.c b/tools/testing/selftests/nolibc/nolibc-test.c
> index 486334981e60..08f0969208eb 100644
> --- a/tools/testing/selftests/nolibc/nolibc-test.c
> +++ b/tools/testing/selftests/nolibc/nolibc-test.c
> @@ -580,6 +580,10 @@ int run_syscall(int min, int max)
> CASE_TEST(chmod_net); EXPECT_SYSZR(proc, chmod("/proc/self/net", 0555)); break;
> CASE_TEST(chmod_self); EXPECT_SYSER(proc, chmod("/proc/self", 0555), -1, EPERM); break;
> CASE_TEST(chown_self); EXPECT_SYSER(proc, chown("/proc/self", 0, 0), -1, EPERM); break;
> + CASE_TEST(chmod_self_comm); EXPECT_SYSER(proc, chmod("/proc/self/comm", 0777), -1, EPERM); break;
> + CASE_TEST(chmod_tid_comm); EXPECT_SYSER(proc, chmod("/proc/thread-self/comm", 0777), -1, EPERM); break;
> + CASE_TEST(chmod_self_environ);EXPECT_SYSER(proc, chmod("/proc/self/environ", 0777), -1, EPERM); break;
> + CASE_TEST(chmod_tid_environ); EXPECT_SYSER(proc, chmod("/proc/thread-self/environ", 0777), -1, EPERM); break;
> CASE_TEST(chroot_root); EXPECT_SYSZR(euid0, chroot("/")); break;
> CASE_TEST(chroot_blah); EXPECT_SYSER(1, chroot("/proc/self/blah"), -1, ENOENT); break;
> CASE_TEST(chroot_exe); EXPECT_SYSER(proc, chroot("/proc/self/exe"), -1, ENOTDIR); break;
> --
> 2.41.0
On 2023-07-13, Willy Tarreau <w@1wt.eu> wrote: > +Cc Thomas Weißschuh <thomas@t-8ch.de> as this seems quite related to > his finding about /proc/self/net: > > https://lore.kernel.org/lkml/20230624-proc-net-setattr-v1-0-73176812adee@weissschuh.net/#b Yeah I saw this patch and (along with an earlier discussion with Christian on the topic of chmod on symlinks -- see [1]) lead us to find that there were three other cases where this happens unintentionally: * /proc/self (on the symlink itself) * /proc/thread-self (on the symlink itself) * /proc/thread-self/comm The first two will be fixed by [1] so fixing them isn't necessary. [1]: https://lore.kernel.org/linux-fsdevel/20230712-vfs-chmod-symlinks-v2-1-08cfb92b61dd@kernel.org/ -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH <https://www.cyphar.com/>
On 2023-07-13 22:19:04+1000, Aleksa Sarai wrote:
> Due to an oversight in commit 1b3044e39a89 ("procfs: fix pthread
> cross-thread naming if !PR_DUMPABLE") in switching from REG to NOD,
> chmod operations on /proc/thread-self/comm were no longer blocked as
> they are on almost all other procfs files.
>
> A very similar situation with /proc/self/environ was used to as a root
> exploit a long time ago, but procfs has SB_I_NOEXEC so this is simply a
> correctness issue.
>
> Ref: https://lwn.net/Articles/191954/
> Ref: 6d76fa58b050 ("Don't allow chmod() on the /proc/<pid>/ files")
> Fixes: 1b3044e39a89 ("procfs: fix pthread cross-thread naming if !PR_DUMPABLE")
> Cc: stable@vger.kernel.org # v4.7+
> Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
> ---
> fs/proc/base.c | 3 ++-
> tools/testing/selftests/nolibc/nolibc-test.c | 4 ++++
> 2 files changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 05452c3b9872..7394229816f3 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -3583,7 +3583,8 @@ static int proc_tid_comm_permission(struct mnt_idmap *idmap,
> }
>
> static const struct inode_operations proc_tid_comm_inode_operations = {
> - .permission = proc_tid_comm_permission,
> + .setattr = proc_setattr,
> + .permission = proc_tid_comm_permission,
> };
Given that this seems to be a recurring theme a more systematic
aproach would help.
Something like the following (untested) patch:
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 05452c3b9872..b90f2e9cda66 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2649,6 +2649,7 @@ static struct dentry *proc_pident_instantiate(struct dentry *dentry,
set_nlink(inode, 2); /* Use getattr to fix if necessary */
if (p->iop)
inode->i_op = p->iop;
+ WARN_ON(!inode->i_op->setattr);
if (p->fop)
inode->i_fop = p->fop;
ei->op = p->op;
> /*
> diff --git a/tools/testing/selftests/nolibc/nolibc-test.c b/tools/testing/selftests/nolibc/nolibc-test.c
> index 486334981e60..08f0969208eb 100644
> --- a/tools/testing/selftests/nolibc/nolibc-test.c
> +++ b/tools/testing/selftests/nolibc/nolibc-test.c
> @@ -580,6 +580,10 @@ int run_syscall(int min, int max)
> CASE_TEST(chmod_net); EXPECT_SYSZR(proc, chmod("/proc/self/net", 0555)); break;
> CASE_TEST(chmod_self); EXPECT_SYSER(proc, chmod("/proc/self", 0555), -1, EPERM); break;
> CASE_TEST(chown_self); EXPECT_SYSER(proc, chown("/proc/self", 0, 0), -1, EPERM); break;
> + CASE_TEST(chmod_self_comm); EXPECT_SYSER(proc, chmod("/proc/self/comm", 0777), -1, EPERM); break;
> + CASE_TEST(chmod_tid_comm); EXPECT_SYSER(proc, chmod("/proc/thread-self/comm", 0777), -1, EPERM); break;
> + CASE_TEST(chmod_self_environ);EXPECT_SYSER(proc, chmod("/proc/self/environ", 0777), -1, EPERM); break;
> + CASE_TEST(chmod_tid_environ); EXPECT_SYSER(proc, chmod("/proc/thread-self/environ", 0777), -1, EPERM); break;
I'm not a big fan of this, it abuses the nolibc testsuite to test core
kernel functionality.
If this needs to be tested explicitly there is hopefully a better place.
Those existing tests focus on testing functionality provided by nolibc.
The test chmod_net just got removed because it suffered from the same
bug as /proc/thread-self/comm.
> CASE_TEST(chroot_root); EXPECT_SYSZR(euid0, chroot("/")); break;
> CASE_TEST(chroot_blah); EXPECT_SYSER(1, chroot("/proc/self/blah"), -1, ENOENT); break;
> CASE_TEST(chroot_exe); EXPECT_SYSER(proc, chroot("/proc/self/exe"), -1, ENOTDIR); break;
> --
> 2.41.0
>
On Thu, Jul 13, 2023 at 03:01:24PM +0200, Thomas Weißschuh wrote:
> On 2023-07-13 22:19:04+1000, Aleksa Sarai wrote:
> > Due to an oversight in commit 1b3044e39a89 ("procfs: fix pthread
> > cross-thread naming if !PR_DUMPABLE") in switching from REG to NOD,
> > chmod operations on /proc/thread-self/comm were no longer blocked as
> > they are on almost all other procfs files.
> >
> > A very similar situation with /proc/self/environ was used to as a root
> > exploit a long time ago, but procfs has SB_I_NOEXEC so this is simply a
> > correctness issue.
> >
> > Ref: https://lwn.net/Articles/191954/
> > Ref: 6d76fa58b050 ("Don't allow chmod() on the /proc/<pid>/ files")
> > Fixes: 1b3044e39a89 ("procfs: fix pthread cross-thread naming if !PR_DUMPABLE")
> > Cc: stable@vger.kernel.org # v4.7+
> > Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
> > ---
> > fs/proc/base.c | 3 ++-
> > tools/testing/selftests/nolibc/nolibc-test.c | 4 ++++
> > 2 files changed, 6 insertions(+), 1 deletion(-)
> >
> > diff --git a/fs/proc/base.c b/fs/proc/base.c
> > index 05452c3b9872..7394229816f3 100644
> > --- a/fs/proc/base.c
> > +++ b/fs/proc/base.c
> > @@ -3583,7 +3583,8 @@ static int proc_tid_comm_permission(struct mnt_idmap *idmap,
> > }
> >
> > static const struct inode_operations proc_tid_comm_inode_operations = {
> > - .permission = proc_tid_comm_permission,
> > + .setattr = proc_setattr,
> > + .permission = proc_tid_comm_permission,
> > };
>
> Given that this seems to be a recurring theme a more systematic
> aproach would help.
>
> Something like the following (untested) patch:
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 05452c3b9872..b90f2e9cda66 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2649,6 +2649,7 @@ static struct dentry *proc_pident_instantiate(struct dentry *dentry,
> set_nlink(inode, 2); /* Use getattr to fix if necessary */
> if (p->iop)
> inode->i_op = p->iop;
> + WARN_ON(!inode->i_op->setattr);
Hm, no. This is hacky.
To fix this properly we will need to wean off notify_change() from
falling back to simple_setattr() when no i_op->setattr() method is
defined. To do that we will have to go through every filesystem and port
all that rely on this fallback to set simple_setattr() explicitly as
their i_op->setattr() method.
Christoph and I just discussed this in relation to another patch.
This is a bugfix so it should be as minimal as possible for easy
backport.
© 2016 - 2026 Red Hat, Inc.