On Wed, Oct 26, 2022 at 04:31:11PM -0700, Kees Cook wrote:
> A common exploit pattern for ROP attacks is to abuse prepare_kernel_cred()
> in order to construct escalated privileges[1]. Instead of providing a
> short-hand argument (NULL) to the "daemon" argument to indicate using
> init_cred as the base cred, require that "daemon" is always set to
> an actual task. Replace all existing callers that were passing NULL
> with &init_task.
>
> Future attacks will need to have sufficiently powerful read/write
> primitives to have found an appropriately privileged task and written it
> to the ROP stack as an argument to succeed, which is similarly difficult
> to the prior effort needed to escalate privileges before struct cred
> existed: locate the current cred and overwrite the uid member.
>
> This has the added benefit of meaning that prepare_kernel_cred() can no
> longer exceed the privileges of the init task, which may have changed from
> the original init_cred (e.g. dropping capabilities from the bounding set).
>
> [1] https://google.com/search?q=commit_creds(prepare_kernel_cred(0))
>
> Cc: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
> Cc: David Howells <dhowells@xxxxxxxxxx>
> Cc: Luis Chamberlain <mcgrof@xxxxxxxxxx>
> Cc: Russ Weight <russell.h.weight@xxxxxxxxx>
> Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> Cc: "Rafael J. Wysocki" <rafael@xxxxxxxxxx>
> Cc: Steve French <sfrench@xxxxxxxxx>
> Cc: Paulo Alcantara <pc@xxxxxx>
> Cc: Ronnie Sahlberg <lsahlber@xxxxxxxxxx>
> Cc: Shyam Prasad N <sprasad@xxxxxxxxxxxxx>
> Cc: Tom Talpey <tom@xxxxxxxxxx>
> Cc: Namjae Jeon <linkinjeon@xxxxxxxxxx>
> Cc: Sergey Senozhatsky <senozhatsky@xxxxxxxxxxxx>
> Cc: Trond Myklebust <trond.myklebust@xxxxxxxxxxxxxxx>
> Cc: Anna Schumaker <anna@xxxxxxxxxx>
> Cc: Chuck Lever <chuck.lever@xxxxxxxxxx>
> Cc: Jeff Layton <jlayton@xxxxxxxxxx>
> Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>
> Cc: Eric Dumazet <edumazet@xxxxxxxxxx>
> Cc: Jakub Kicinski <kuba@xxxxxxxxxx>
> Cc: Paolo Abeni <pabeni@xxxxxxxxxx>
> Cc: "Michal Koutný" <mkoutny@xxxxxxxx>
> Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
> Cc: linux-cifs@xxxxxxxxxxxxxxx
> Cc: samba-technical@xxxxxxxxxxxxxxx
> Cc: linux-nfs@xxxxxxxxxxxxxxx
> Cc: netdev@xxxxxxxxxxxxxxx
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>

Acked-by: Luis Chamberlain <mcgrof@xxxxxxxxxx>

  Luis
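
The commit message above says every caller that passed NULL as "daemon" is replaced with &init_task. As an added example (not part of the patch or of this thread), here is one way to audit C source for callers that still pass a null argument and apply the same replacement. The function names and the sample source are constructed for illustration.

```python
import re

# Call whose "daemon" argument is null: NULL, 0, or a pointer cast of either.
NULL_CALL = re.compile(
    r"\bprepare_kernel_cred\s*\(\s*(?:\(\s*[\w\s]+\*\s*\)\s*)?(?:NULL|0)\s*\)")
# C comments and string literals, which must not produce findings.
NON_CODE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"', re.S)

def _mask(source):
    # Blank out non-code text, keeping newlines so offsets and lines still match.
    return NON_CODE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), source)

def find_null_callers(source):
    """Return [(line, call_text)] for each call passing a null "daemon"."""
    code = _mask(source)
    return [(code.count("\n", 0, m.start()) + 1, " ".join(m.group(0).split()))
            for m in NULL_CALL.finditer(code)]

def rewrite(source):
    """Apply the replacement the commit message describes: NULL -> &init_task."""
    out, last = [], 0
    for m in NULL_CALL.finditer(_mask(source)):
        out += [source[last:m.start()], "prepare_kernel_cred(&init_task)"]
        last = m.end()
    return "".join(out) + source[last:]

# Constructed sample standing in for a C source file that calls the function.
SAMPLE = r'''/* old idiom: prepare_kernel_cred(NULL) in a comment is ignored */
static int helper_setup(void)
{
    struct cred *a = prepare_kernel_cred(NULL);
    struct cred *b = prepare_kernel_cred( 0 );
    struct cred *c = prepare_kernel_cred((struct task_struct *)NULL);
    struct cred *d = prepare_kernel_cred(&init_task);
    struct cred *e = prepare_kernel_cred(
            NULL);
    pr_info("prepare_kernel_cred(0)\n");
    return 0;
}
'''

if __name__ == "__main__":
    for line, call in find_null_callers(SAMPLE):
        print(f"line {line}: {call} -> prepare_kernel_cred(&init_task)")
```

The scan is textual, so a null pointer passed through a variable or macro is not detected; those callers need review by hand.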