[thirdparty/kernel/stable-queue.git] / releases / 4.9.164 / keys-restrict-proc-keys-by-credentials-at-open-time.patch

From 4aa68e07d845562561f5e73c04aa521376e95252 Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebiggers@google.com>
Date: Mon, 18 Sep 2017 11:38:29 -0700
Subject: KEYS: restrict /proc/keys by credentials at open time

From: Eric Biggers <ebiggers@google.com>

commit 4aa68e07d845562561f5e73c04aa521376e95252 upstream.

When checking for permission to view keys whilst reading from
/proc/keys, we should use the credentials with which the /proc/keys file
was opened.  This is because, in a classic type of exploit, it can be
possible to bypass checks for the *current* credentials by passing the
file descriptor to a suid program.

Following commit 34dbbcdbf633 ("Make file credentials available to the
seqfile interfaces") we can finally fix it.  So let's do it.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/keys/proc.c |    8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -187,7 +187,7 @@ static int proc_keys_show(struct seq_fil
 
 	struct keyring_search_context ctx = {
 		.index_key		= key->index_key,
-		.cred			= current_cred(),
+		.cred			= m->file->f_cred,
 		.match_data.cmp		= lookup_user_key_possessed,
 		.match_data.raw_data	= key,
 		.match_data.lookup_type	= KEYRING_SEARCH_LOOKUP_DIRECT,
@@ -207,11 +207,7 @@ static int proc_keys_show(struct seq_fil
 		}
 	}
 
-	/* check whether the current task is allowed to view the key (assuming
-	 * non-possession)
-	 * - the caller holds a spinlock, and thus the RCU read lock, making our
-	 *   access to __current_cred() safe
-	 */
+	/* check whether the current task is allowed to view the key */
 	rc = key_task_permission(key_ref, ctx.cred, KEY_NEED_VIEW);
 	if (rc < 0)
 		return 0;
Commit	Line	Data
e8e0e55a GKH	1	From 4aa68e07d845562561f5e73c04aa521376e95252 Mon Sep 17 00:00:00 2001
	2	From: Eric Biggers <ebiggers@google.com>
	3	Date: Mon, 18 Sep 2017 11:38:29 -0700
	4	Subject: KEYS: restrict /proc/keys by credentials at open time
	5
	6	From: Eric Biggers <ebiggers@google.com>
	7
	8	commit 4aa68e07d845562561f5e73c04aa521376e95252 upstream.
	9
	10	When checking for permission to view keys whilst reading from
	11	/proc/keys, we should use the credentials with which the /proc/keys file
	12	was opened. This is because, in a classic type of exploit, it can be
	13	possible to bypass checks for the current credentials by passing the
	14	file descriptor to a suid program.
	15
	16	Following commit 34dbbcdbf633 ("Make file credentials available to the
	17	seqfile interfaces") we can finally fix it. So let's do it.
	18
	19	Signed-off-by: Eric Biggers <ebiggers@google.com>
	20	Signed-off-by: David Howells <dhowells@redhat.com>
	21	Signed-off-by: Zubin Mithra <zsm@chromium.org>
	22	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	23
	24	---
	25	security/keys/proc.c \| 8 ++------
	26	1 file changed, 2 insertions(+), 6 deletions(-)
	27
	28	--- a/security/keys/proc.c
	29	+++ b/security/keys/proc.c
	30	@@ -187,7 +187,7 @@ static int proc_keys_show(struct seq_fil
	31
	32	struct keyring_search_context ctx = {
	33	.index_key = key->index_key,
	34	- .cred = current_cred(),
	35	+ .cred = m->file->f_cred,
	36	.match_data.cmp = lookup_user_key_possessed,
	37	.match_data.raw_data = key,
	38	.match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
	39	@@ -207,11 +207,7 @@ static int proc_keys_show(struct seq_fil
	40	}
	41	}
	42
	43	- /* check whether the current task is allowed to view the key (assuming
	44	- * non-possession)
	45	- * - the caller holds a spinlock, and thus the RCU read lock, making our
	46	- * access to __current_cred() safe
	47	- */
	48	+ /* check whether the current task is allowed to view the key */
	49	rc = key_task_permission(key_ref, ctx.cred, KEY_NEED_VIEW);
	50	if (rc < 0)
	51	return 0;