In order to perform future tests against the cred saved during open(), switch kallsyms_show_value() to operate on a cred, and have all current callers pass current_cred(). This makes it very obvious where callers are checking the wrong credential in their "read" contexts. These will be fixed in the coming patches.
Additionally switch return value to bool, since it is always used as a direct permission check, not a 0-on-success, negative-on-error style function return.
Cc: stable@vger.kernel.org Signed-off-by: Kees Cook keescook@chromium.org --- include/linux/filter.h | 2 +- include/linux/kallsyms.h | 5 +++-- kernel/kallsyms.c | 17 +++++++++++------ kernel/kprobes.c | 4 ++-- kernel/module.c | 2 +- 5 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/include/linux/filter.h b/include/linux/filter.h
index 259377723603..55104f6c78e8 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -889,7 +889,7 @@ static inline bool bpf_dump_raw_ok(void)
 /* Reconstruction of call-sites is dependent on kallsyms,
 * thus make dump the same restriction.
 */
- return kallsyms_show_value() == 1;
+ return kallsyms_show_value(current_cred());
 }
 struct bpf_prog *bpf_patch_insn_single(struct bpf_prog *prog, u32 off,
diff --git a/include/linux/kallsyms.h b/include/linux/kallsyms.h
index 98338dc6b5d2..481273f0c72d 100644
--- a/include/linux/kallsyms.h
+++ b/include/linux/kallsyms.h
@@ -18,6 +18,7 @@
 #define KSYM_SYMBOL_LEN (sizeof("%s+%#lx/%#lx [%s]") + (KSYM_NAME_LEN - 1) + \
 2*(BITS_PER_LONG*3/10) + (MODULE_NAME_LEN - 1) + 1)
+struct cred;
 struct module;
 static inline int is_kernel_inittext(unsigned long addr)
@@ -98,7 +99,7 @@ int lookup_symbol_name(unsigned long addr, char *symname);
 int lookup_symbol_attrs(unsigned long addr, unsigned long *size,
 unsigned long *offset, char *modname, char *name);
 /* How and when do we show kallsyms values? */
-extern int kallsyms_show_value(void);
+extern bool kallsyms_show_value(const struct cred *cred);
#else /* !CONFIG_KALLSYMS */
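Review bot: The new prototype `extern bool kallsyms_show_value(const struct cred *cred);` is described only by the pre-existing `/* How and when do we show kallsyms values? */`, which does not say which credential a caller is expected to pass, and the commit message itself states that current_cred() is the wrong choice in read-side callers. The header is where new callers will look, so suggest replacing that comment with `/* May the holder of @cred see kallsyms values? Evaluate the opener's credentials (file->f_cred) at open() time and cache the answer; do not re-check current_cred() from read/show paths. */`. The same parameter description is missing from the definition in the kernel/kallsyms.c hunk, whose introductory comment begins outside that hunk.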
@@ -158,7 +159,7 @@ static inline int lookup_symbol_attrs(unsigned long addr, unsigned long *size, u
 return -ERANGE;
 }
-static inline int kallsyms_show_value(void)
+static inline bool kallsyms_show_value(const struct cred *cred)
 {
 return false;
 }
diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
index 16c8c605f4b0..bb14e64f62a4 100644
--- a/kernel/kallsyms.c
+++ b/kernel/kallsyms.c
@@ -644,19 +644,20 @@ static inline int kallsyms_for_perf(void)
 * Otherwise, require CAP_SYSLOG (assuming kptr_restrict isn't set to
 * block even that).
 */
-int kallsyms_show_value(void)
+bool kallsyms_show_value(const struct cred *cred)
 {
 switch (kptr_restrict) {
 case 0:
 if (kallsyms_for_perf())
- return 1;
+ return true;
 /* fallthrough */
 case 1:
- if (has_capability_noaudit(current, CAP_SYSLOG))
- return 1;
+ if (security_capable(cred, &init_user_ns, CAP_SYSLOG,
+ CAP_OPT_NOAUDIT) == 0)
+ return true;
 /* fallthrough */
 default:
- return 0;
+ return false;
 }
 }
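Review bot: `security_capable(cred, &init_user_ns, CAP_SYSLOG, CAP_OPT_NOAUDIT) == 0` pins the capability check to the initial user namespace; the removed `has_capability_noaudit(current, CAP_SYSLOG)` did the same implicitly, but now that an explicit cred is passed a reader may expect the check to be against that cred's own namespace. A one-line comment on the `case 1:` branch would make the choice deliberate, e.g. `/* CAP_SYSLOG in init_user_ns, as has_capability_noaudit() checked */`. The function's introductory comment begins outside the hunk and should also state what @cred is (the opener's credentials, per the commit message), since the !CONFIG_KALLSYMS stub in the preceding hunk ignores it entirely.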
@@ -673,7 +674,11 @@ static int kallsyms_open(struct inode *inode, struct file *file)
 return -ENOMEM;
 reset_iter(iter, 0);
- iter->show_value = kallsyms_show_value();
+ /*
+ * Instead of checking this on every s_show() call, cache
+ * the result here at open time.
+ */
+ iter->show_value = kallsyms_show_value(file->f_cred);
 return 0;
 }
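Review bot: The added comment gives caching as the motivation but says nothing about the security-relevant part of the same line: the decision is now made against `file->f_cred`, the credentials of whoever opened the file, rather than whoever later calls read(), which is the reason the commit message gives for introducing the cred parameter. Suggest `/* Decide against the opener's credentials (file->f_cred) and cache the answer here, rather than re-checking current_cred() on every s_show() call. */` so the next person does not "simplify" it back to a per-show check. kallsyms_open() begins outside the hunk.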
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index 4a904cc56d68..d4de217e4a91 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -2448,7 +2448,7 @@ static void report_probe(struct seq_file *pi, struct kprobe *p,
 else
 kprobe_type = "k";
- if (!kallsyms_show_value())
+ if (!kallsyms_show_value(current_cred()))
 addr = NULL;
 if (sym)
@@ -2540,7 +2540,7 @@ static int kprobe_blacklist_seq_show(struct seq_file *m, void *v)
 * If /proc/kallsyms is not showing kernel address, we won't
 * show them here either.
 */
- if (!kallsyms_show_value())
+ if (!kallsyms_show_value(current_cred()))
 seq_printf(m, "0x%px-0x%px\t%ps\n", NULL, NULL,
 (void *)ent->start_addr);
 else
diff --git a/kernel/module.c b/kernel/module.c
index e8a198588f26..a5022ae84e50 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -4377,7 +4377,7 @@ static int modules_open(struct inode *inode, struct file *file)
 if (!err) {
 struct seq_file *m = file->private_data;
- m->private = kallsyms_show_value() ? NULL : (void *)8ul;
+ m->private = kallsyms_show_value(current_cred()) ? NULL : (void *)8ul;
 }
return err;
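Review bot: modules_open() is an open() path, so `current_cred()` here should refer to the same credentials as `file->f_cred`, yet kallsyms_open() in this same series reads `file->f_cred`; using one source in both open() callers, `m->private = kallsyms_show_value(file->f_cred) ? NULL : (void *)8ul;`, makes it explicit that the answer is bound to the opener and keeps the two sites consistent with the header's intended contract. `file` is in scope, as the `file->private_data` line above shows. modules_open() begins outside the hunk.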
Hi
[This is an automated email]
This commit has been processed because it contains a -stable tag. The stable tag indicates that it's relevant for the following trees: all
The bot has tested the following trees: v5.7.7, v5.4.50, v4.19.131, v4.14.187, v4.9.229, v4.4.229.
v5.7.7: Build OK! v5.4.50: Build OK! v4.19.131: Build OK! v4.14.187: Failed to apply! Possible dependencies: 22c8852624fc9 ("bpf: improve selftests and add tests for meta pointer") 2b7c6ba945fd3 ("bpf/verifier: improve disassembly of BPF_END instructions") 390ee7e29fc8e ("bpf: enforce return code for cgroup-bpf programs") 61bd5218eef34 ("bpf: move global verifier log into verifier environment") 7105e828c087d ("bpf: allow for correlation of maps and helpers in dump") 73c864b38383f ("bpf/verifier: improve disassembly of BPF_NEG instructions") cc8b0b92a1699 ("bpf: introduce function calls (function boundaries)") de8f3a83b0a0f ("bpf: add meta pointer for direct access") e7bf8249e8f1b ("bpf: encapsulate verifier log state into a structure") f4ac7e0b5cc8d ("bpf: move instruction printing into a separate file")
v4.9.229: Failed to apply! Possible dependencies: 0e33661de493d ("bpf: add new prog type for cgroup socket filtering") 29ba732acbeec ("bpf: Add BPF_MAP_TYPE_LRU_HASH") 2d0bde57f3527 ("include/linux/filter.h: use set_memory.h header") 3007098494bec ("cgroup: add support for eBPF programs") 3a08c2fd76345 ("bpf: LRU List") 3a0af8fd61f90 ("bpf: BPF for lightweight tunnel infrastructure") 40077e0cf6220 ("bpf: remove struct bpf_map_type_list") 546ac1ffb70d2 ("bpf: add devmap, a map for storing net device references") 56f668dfe00dc ("bpf: Add array of maps support") 6102365876003 ("bpf: Add new cgroup attach type to enable sock modifications") 7105e828c087d ("bpf: allow for correlation of maps and helpers in dump") 7bd509e311f40 ("bpf: add prog_digest and expose it via fdinfo/netlink") 820a0b24b261c ("include/linux/filter.h: use linux/set_memory.h") 8f8449384ec36 ("bpf: Add BPF_MAP_TYPE_LRU_PERCPU_HASH") b2cd12574aa3e ("bpf: Refactor cgroups code in prep for new type") b95a5c4db09bc ("bpf: add a longest prefix match trie map implementation") be9370a7d8614 ("bpf: remove struct bpf_prog_type_list") c78f8bdfa11fc ("bpf: mark all registered map/prog types as __ro_after_init") f4324551489e8 ("bpf: add BPF_PROG_ATTACH and BPF_PROG_DETACH commands") f4ac7e0b5cc8d ("bpf: move instruction printing into a separate file")
v4.4.229: Failed to apply! Possible dependencies: 0d01d45f1b251 ("net: cls_bpf: limit hardware offload by software-only flag") 16e5cc647173a ("net: rework setup_tc ndo op to consume general tc operand") 332ae8e2f6ecd ("net: cls_bpf: add hardware offload") 4f3446bb809f2 ("bpf: add generic constant blinding for use in jits") 5b33f48842fa1 ("net/flower: Introduce hardware offload support") 6843e7a2abe7c ("net: sched: consolidate offload decision in cls_u32") 7105e828c087d ("bpf: allow for correlation of maps and helpers in dump") 7bd509e311f40 ("bpf: add prog_digest and expose it via fdinfo/netlink") 820a0b24b261c ("include/linux/filter.h: use linux/set_memory.h") 9fd82b610ba33 ("bpf: register BPF_PROG_TYPE_TRACEPOINT program type") a1b7c5fd7fe98 ("net: sched: add cls_u32 offload hooks for netdevs") b87f7936a9324 ("net/sched: Add match-all classifier hw offloading.") bd570ff970a54 ("bpf: add event output helper for notifications/sampling/logging") c94987e40ebba ("bpf: move bpf_jit_enable declaration") e4c6734eaab90 ("net: rework ndo tc op to consume additional qdisc handle parameter")
NOTE: The patch will not be queued to stable trees until it is upstream.
How should we proceed with this patch?
On Fri, Jul 10, 2020 at 02:03:06PM +0000, Sasha Levin wrote:
This commit has been processed because it contains a -stable tag. The stable tag indicates that it's relevant for the following trees: all
The bot has tested the following trees: v5.7.7, v5.4.50, v4.19.131, v4.14.187, v4.9.229, v4.4.229.
Was this test for only 1/5, or the whole series?
Thanks!
-Kees
v5.7.7: Build OK! v5.4.50: Build OK! v4.19.131: Build OK! v4.14.187: Failed to apply! Possible dependencies: 22c8852624fc9 ("bpf: improve selftests and add tests for meta pointer") 2b7c6ba945fd3 ("bpf/verifier: improve disassembly of BPF_END instructions") 390ee7e29fc8e ("bpf: enforce return code for cgroup-bpf programs") 61bd5218eef34 ("bpf: move global verifier log into verifier environment") 7105e828c087d ("bpf: allow for correlation of maps and helpers in dump") 73c864b38383f ("bpf/verifier: improve disassembly of BPF_NEG instructions") cc8b0b92a1699 ("bpf: introduce function calls (function boundaries)") de8f3a83b0a0f ("bpf: add meta pointer for direct access") e7bf8249e8f1b ("bpf: encapsulate verifier log state into a structure") f4ac7e0b5cc8d ("bpf: move instruction printing into a separate file")
v4.9.229: Failed to apply! Possible dependencies: 0e33661de493d ("bpf: add new prog type for cgroup socket filtering") 29ba732acbeec ("bpf: Add BPF_MAP_TYPE_LRU_HASH") 2d0bde57f3527 ("include/linux/filter.h: use set_memory.h header") 3007098494bec ("cgroup: add support for eBPF programs") 3a08c2fd76345 ("bpf: LRU List") 3a0af8fd61f90 ("bpf: BPF for lightweight tunnel infrastructure") 40077e0cf6220 ("bpf: remove struct bpf_map_type_list") 546ac1ffb70d2 ("bpf: add devmap, a map for storing net device references") 56f668dfe00dc ("bpf: Add array of maps support") 6102365876003 ("bpf: Add new cgroup attach type to enable sock modifications") 7105e828c087d ("bpf: allow for correlation of maps and helpers in dump") 7bd509e311f40 ("bpf: add prog_digest and expose it via fdinfo/netlink") 820a0b24b261c ("include/linux/filter.h: use linux/set_memory.h") 8f8449384ec36 ("bpf: Add BPF_MAP_TYPE_LRU_PERCPU_HASH") b2cd12574aa3e ("bpf: Refactor cgroups code in prep for new type") b95a5c4db09bc ("bpf: add a longest prefix match trie map implementation") be9370a7d8614 ("bpf: remove struct bpf_prog_type_list") c78f8bdfa11fc ("bpf: mark all registered map/prog types as __ro_after_init") f4324551489e8 ("bpf: add BPF_PROG_ATTACH and BPF_PROG_DETACH commands") f4ac7e0b5cc8d ("bpf: move instruction printing into a separate file")
v4.4.229: Failed to apply! Possible dependencies: 0d01d45f1b251 ("net: cls_bpf: limit hardware offload by software-only flag") 16e5cc647173a ("net: rework setup_tc ndo op to consume general tc operand") 332ae8e2f6ecd ("net: cls_bpf: add hardware offload") 4f3446bb809f2 ("bpf: add generic constant blinding for use in jits") 5b33f48842fa1 ("net/flower: Introduce hardware offload support") 6843e7a2abe7c ("net: sched: consolidate offload decision in cls_u32") 7105e828c087d ("bpf: allow for correlation of maps and helpers in dump") 7bd509e311f40 ("bpf: add prog_digest and expose it via fdinfo/netlink") 820a0b24b261c ("include/linux/filter.h: use linux/set_memory.h") 9fd82b610ba33 ("bpf: register BPF_PROG_TYPE_TRACEPOINT program type") a1b7c5fd7fe98 ("net: sched: add cls_u32 offload hooks for netdevs") b87f7936a9324 ("net/sched: Add match-all classifier hw offloading.") bd570ff970a54 ("bpf: add event output helper for notifications/sampling/logging") c94987e40ebba ("bpf: move bpf_jit_enable declaration") e4c6734eaab90 ("net: rework ndo tc op to consume additional qdisc handle parameter")
NOTE: The patch will not be queued to stable trees until it is upstream.
How should we proceed with this patch?
-- Thanks Sasha
On Fri, Jul 10, 2020 at 08:57:32AM -0700, Kees Cook wrote:
On Fri, Jul 10, 2020 at 02:03:06PM +0000, Sasha Levin wrote:
This commit has been processed because it contains a -stable tag. The stable tag indicates that it's relevant for the following trees: all
The bot has tested the following trees: v5.7.7, v5.4.50, v4.19.131, v4.14.187, v4.9.229, v4.4.229.
Was this test for only 1/5, or the whole series?
Just 1/5.