On (22/10/26 16:31), Kees Cook wrote: > A common exploit pattern for ROP attacks is to abuse prepare_kernel_cred() > in order to construct escalated privileges[1]. Instead of providing a > short-hand argument (NULL) to the "daemon" argument to indicate using > init_cred as the base cred, require that "daemon" is always set to > an actual task. Replace all existing callers that were passing NULL > with &init_task. > > Future attacks will need to have sufficiently powerful read/write > primitives to have found an appropriately privileged task and written it > to the ROP stack as an argument to succeed, which is similarly difficult > to the prior effort needed to escalate privileges before struct cred > existed: locate the current cred and overwrite the uid member. > > This has the added benefit of meaning that prepare_kernel_cred() can no > longer exceed the privileges of the init task, which may have changed from > the original init_cred (e.g. dropping capabilities from the bounding set). Reviewed-by: Sergey Senozhatsky <senozhatsky@xxxxxxxxxxxx>
