evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_oneplus_msm8998/security
History
Jann Horn cfaf71c993 Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set 
commit 3675f052b43ba51b99b85b073c7070e083f3e6fb upstream.

There is a logic bug in the current smack_bprm_set_creds():
If LSM_UNSAFE_PTRACE is set, but the ptrace state is deemed to be
acceptable (e.g. because the ptracer detached in the meantime), the other
->unsafe flags aren't checked. As far as I can tell, this means that
something like the following could work (but I haven't tested it):

 - task A: create task B with fork()
 - task B: set NO_NEW_PRIVS
 - task B: install a seccomp filter that makes open() return 0 under some
   conditions
 - task B: replace fd 0 with a malicious library
 - task A: attach to task B with PTRACE_ATTACH
 - task B: execve() a file with an SMACK64EXEC extended attribute
 - task A: while task B is still in the middle of execve(), exit (which
   destroys the ptrace relationship)

Make sure that if any flags other than LSM_UNSAFE_PTRACE are set in
bprm->unsafe, we reject the execve().

Cc: stable@vger.kernel.org
Fixes: 5663884caa ("Smack: unify all ptrace accesses in the smack")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-10-07 21:01:06 +02:00
..
apparmor apparmor: enforce nullbyte at end of tag string 2019-07-10 09:56:31 +02:00
integrity ima: fix showing large 'violations' or 'runtime_measurements_count' 2018-11-21 09:27:35 +01:00
keys keys: Fix missing null pointer check in request_key_auth_describe() 2019-09-21 07:12:53 +02:00
selinux selinux: fix memory leak in policydb_init() 2019-08-06 18:28:28 +02:00
smack Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set 2019-10-07 21:01:06 +02:00
tomoyo mm: replace get_user_pages() write/force parameters with gup_flags 2018-12-17 21:55:16 +01:00
yama Yama: Check for pid death before checking ancestry 2019-01-26 09:42:50 +01:00
commoncap.c ptrace: use fsuid, fsgid, effective creds for fs access checks 2016-02-25 12:01:16 -08:00
device_cgroup.c device_cgroup: fix RCU imbalance in error case 2019-04-27 09:34:02 +02:00
inode.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2015-07-04 19:36:06 -07:00
Kconfig KPTI: Rename to PAGE_TABLE_ISOLATION 2018-01-05 15:44:26 +01:00
lsm_audit.c missing barriers in some of unix_sock ->addr and ->path accesses 2019-03-23 08:44:31 +01:00
Makefile LSM: Switch to lists of hooks 2015-05-12 15:00:41 +10:00
min_addr.c
security.c LSM: Check for NULL cred-security on free 2019-01-26 09:42:50 +01:00