deefa7f350
For both pidfd and seccomp, the __user pointer is not used. Update __receive_fd() to make writing to ufd optional via a NULL check. However, for the receive_fd_user() wrapper, ufd is NULL checked so an -EFAULT can be returned to avoid changing the SCM_RIGHTS interface behavior. Add new wrapper receive_fd() for pidfd and seccomp that does not use the ufd argument. For the new helper, the allocated fd needs to be returned on success. Update the existing callers to handle it. Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: linux-fsdevel@vger.kernel.org Reviewed-by: Sargun Dhillon <sargun@sargun.me> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Kees Cook <keescook@chromium.org>
361 lines
8.3 KiB
C
361 lines
8.3 KiB
C
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/* scm.c - Socket level control messages processing.
|
|
*
|
|
* Author: Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
|
|
* Alignment and value checking mods by Craig Metz
|
|
*/
|
|
|
|
#include <linux/module.h>
|
|
#include <linux/signal.h>
|
|
#include <linux/capability.h>
|
|
#include <linux/errno.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/sched/user.h>
|
|
#include <linux/mm.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/stat.h>
|
|
#include <linux/socket.h>
|
|
#include <linux/file.h>
|
|
#include <linux/fcntl.h>
|
|
#include <linux/net.h>
|
|
#include <linux/interrupt.h>
|
|
#include <linux/netdevice.h>
|
|
#include <linux/security.h>
|
|
#include <linux/pid_namespace.h>
|
|
#include <linux/pid.h>
|
|
#include <linux/nsproxy.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/errqueue.h>
|
|
|
|
#include <linux/uaccess.h>
|
|
|
|
#include <net/protocol.h>
|
|
#include <linux/skbuff.h>
|
|
#include <net/sock.h>
|
|
#include <net/compat.h>
|
|
#include <net/scm.h>
|
|
#include <net/cls_cgroup.h>
|
|
|
|
|
|
/*
|
|
* Only allow a user to send credentials, that they could set with
|
|
* setu(g)id.
|
|
*/
|
|
|
|
static __inline__ int scm_check_creds(struct ucred *creds)
|
|
{
|
|
const struct cred *cred = current_cred();
|
|
kuid_t uid = make_kuid(cred->user_ns, creds->uid);
|
|
kgid_t gid = make_kgid(cred->user_ns, creds->gid);
|
|
|
|
if (!uid_valid(uid) || !gid_valid(gid))
|
|
return -EINVAL;
|
|
|
|
if ((creds->pid == task_tgid_vnr(current) ||
|
|
ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
|
|
((uid_eq(uid, cred->uid) || uid_eq(uid, cred->euid) ||
|
|
uid_eq(uid, cred->suid)) || ns_capable(cred->user_ns, CAP_SETUID)) &&
|
|
((gid_eq(gid, cred->gid) || gid_eq(gid, cred->egid) ||
|
|
gid_eq(gid, cred->sgid)) || ns_capable(cred->user_ns, CAP_SETGID))) {
|
|
return 0;
|
|
}
|
|
return -EPERM;
|
|
}
|
|
|
|
static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
|
|
{
|
|
int *fdp = (int*)CMSG_DATA(cmsg);
|
|
struct scm_fp_list *fpl = *fplp;
|
|
struct file **fpp;
|
|
int i, num;
|
|
|
|
num = (cmsg->cmsg_len - sizeof(struct cmsghdr))/sizeof(int);
|
|
|
|
if (num <= 0)
|
|
return 0;
|
|
|
|
if (num > SCM_MAX_FD)
|
|
return -EINVAL;
|
|
|
|
if (!fpl)
|
|
{
|
|
fpl = kmalloc(sizeof(struct scm_fp_list), GFP_KERNEL);
|
|
if (!fpl)
|
|
return -ENOMEM;
|
|
*fplp = fpl;
|
|
fpl->count = 0;
|
|
fpl->max = SCM_MAX_FD;
|
|
fpl->user = NULL;
|
|
}
|
|
fpp = &fpl->fp[fpl->count];
|
|
|
|
if (fpl->count + num > fpl->max)
|
|
return -EINVAL;
|
|
|
|
/*
|
|
* Verify the descriptors and increment the usage count.
|
|
*/
|
|
|
|
for (i=0; i< num; i++)
|
|
{
|
|
int fd = fdp[i];
|
|
struct file *file;
|
|
|
|
if (fd < 0 || !(file = fget_raw(fd)))
|
|
return -EBADF;
|
|
*fpp++ = file;
|
|
fpl->count++;
|
|
}
|
|
|
|
if (!fpl->user)
|
|
fpl->user = get_uid(current_user());
|
|
|
|
return num;
|
|
}
|
|
|
|
void __scm_destroy(struct scm_cookie *scm)
|
|
{
|
|
struct scm_fp_list *fpl = scm->fp;
|
|
int i;
|
|
|
|
if (fpl) {
|
|
scm->fp = NULL;
|
|
for (i=fpl->count-1; i>=0; i--)
|
|
fput(fpl->fp[i]);
|
|
free_uid(fpl->user);
|
|
kfree(fpl);
|
|
}
|
|
}
|
|
EXPORT_SYMBOL(__scm_destroy);
|
|
|
|
int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
|
|
{
|
|
struct cmsghdr *cmsg;
|
|
int err;
|
|
|
|
for_each_cmsghdr(cmsg, msg) {
|
|
err = -EINVAL;
|
|
|
|
/* Verify that cmsg_len is at least sizeof(struct cmsghdr) */
|
|
/* The first check was omitted in <= 2.2.5. The reasoning was
|
|
that parser checks cmsg_len in any case, so that
|
|
additional check would be work duplication.
|
|
But if cmsg_level is not SOL_SOCKET, we do not check
|
|
for too short ancillary data object at all! Oops.
|
|
OK, let's add it...
|
|
*/
|
|
if (!CMSG_OK(msg, cmsg))
|
|
goto error;
|
|
|
|
if (cmsg->cmsg_level != SOL_SOCKET)
|
|
continue;
|
|
|
|
switch (cmsg->cmsg_type)
|
|
{
|
|
case SCM_RIGHTS:
|
|
if (!sock->ops || sock->ops->family != PF_UNIX)
|
|
goto error;
|
|
err=scm_fp_copy(cmsg, &p->fp);
|
|
if (err<0)
|
|
goto error;
|
|
break;
|
|
case SCM_CREDENTIALS:
|
|
{
|
|
struct ucred creds;
|
|
kuid_t uid;
|
|
kgid_t gid;
|
|
if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
|
|
goto error;
|
|
memcpy(&creds, CMSG_DATA(cmsg), sizeof(struct ucred));
|
|
err = scm_check_creds(&creds);
|
|
if (err)
|
|
goto error;
|
|
|
|
p->creds.pid = creds.pid;
|
|
if (!p->pid || pid_vnr(p->pid) != creds.pid) {
|
|
struct pid *pid;
|
|
err = -ESRCH;
|
|
pid = find_get_pid(creds.pid);
|
|
if (!pid)
|
|
goto error;
|
|
put_pid(p->pid);
|
|
p->pid = pid;
|
|
}
|
|
|
|
err = -EINVAL;
|
|
uid = make_kuid(current_user_ns(), creds.uid);
|
|
gid = make_kgid(current_user_ns(), creds.gid);
|
|
if (!uid_valid(uid) || !gid_valid(gid))
|
|
goto error;
|
|
|
|
p->creds.uid = uid;
|
|
p->creds.gid = gid;
|
|
break;
|
|
}
|
|
default:
|
|
goto error;
|
|
}
|
|
}
|
|
|
|
if (p->fp && !p->fp->count)
|
|
{
|
|
kfree(p->fp);
|
|
p->fp = NULL;
|
|
}
|
|
return 0;
|
|
|
|
error:
|
|
scm_destroy(p);
|
|
return err;
|
|
}
|
|
EXPORT_SYMBOL(__scm_send);
|
|
|
|
int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
|
|
{
|
|
int cmlen = CMSG_LEN(len);
|
|
|
|
if (msg->msg_flags & MSG_CMSG_COMPAT)
|
|
return put_cmsg_compat(msg, level, type, len, data);
|
|
|
|
if (!msg->msg_control || msg->msg_controllen < sizeof(struct cmsghdr)) {
|
|
msg->msg_flags |= MSG_CTRUNC;
|
|
return 0; /* XXX: return error? check spec. */
|
|
}
|
|
if (msg->msg_controllen < cmlen) {
|
|
msg->msg_flags |= MSG_CTRUNC;
|
|
cmlen = msg->msg_controllen;
|
|
}
|
|
|
|
if (msg->msg_control_is_user) {
|
|
struct cmsghdr __user *cm = msg->msg_control_user;
|
|
struct cmsghdr cmhdr;
|
|
|
|
cmhdr.cmsg_level = level;
|
|
cmhdr.cmsg_type = type;
|
|
cmhdr.cmsg_len = cmlen;
|
|
if (copy_to_user(cm, &cmhdr, sizeof cmhdr) ||
|
|
copy_to_user(CMSG_USER_DATA(cm), data, cmlen - sizeof(*cm)))
|
|
return -EFAULT;
|
|
} else {
|
|
struct cmsghdr *cm = msg->msg_control;
|
|
|
|
cm->cmsg_level = level;
|
|
cm->cmsg_type = type;
|
|
cm->cmsg_len = cmlen;
|
|
memcpy(CMSG_DATA(cm), data, cmlen - sizeof(*cm));
|
|
}
|
|
|
|
cmlen = min(CMSG_SPACE(len), msg->msg_controllen);
|
|
msg->msg_control += cmlen;
|
|
msg->msg_controllen -= cmlen;
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL(put_cmsg);
|
|
|
|
void put_cmsg_scm_timestamping64(struct msghdr *msg, struct scm_timestamping_internal *tss_internal)
|
|
{
|
|
struct scm_timestamping64 tss;
|
|
int i;
|
|
|
|
for (i = 0; i < ARRAY_SIZE(tss.ts); i++) {
|
|
tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec;
|
|
tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec;
|
|
}
|
|
|
|
put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_NEW, sizeof(tss), &tss);
|
|
}
|
|
EXPORT_SYMBOL(put_cmsg_scm_timestamping64);
|
|
|
|
void put_cmsg_scm_timestamping(struct msghdr *msg, struct scm_timestamping_internal *tss_internal)
|
|
{
|
|
struct scm_timestamping tss;
|
|
int i;
|
|
|
|
for (i = 0; i < ARRAY_SIZE(tss.ts); i++) {
|
|
tss.ts[i].tv_sec = tss_internal->ts[i].tv_sec;
|
|
tss.ts[i].tv_nsec = tss_internal->ts[i].tv_nsec;
|
|
}
|
|
|
|
put_cmsg(msg, SOL_SOCKET, SO_TIMESTAMPING_OLD, sizeof(tss), &tss);
|
|
}
|
|
EXPORT_SYMBOL(put_cmsg_scm_timestamping);
|
|
|
|
static int scm_max_fds(struct msghdr *msg)
|
|
{
|
|
if (msg->msg_controllen <= sizeof(struct cmsghdr))
|
|
return 0;
|
|
return (msg->msg_controllen - sizeof(struct cmsghdr)) / sizeof(int);
|
|
}
|
|
|
|
void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
|
|
{
|
|
struct cmsghdr __user *cm =
|
|
(__force struct cmsghdr __user *)msg->msg_control;
|
|
unsigned int o_flags = (msg->msg_flags & MSG_CMSG_CLOEXEC) ? O_CLOEXEC : 0;
|
|
int fdmax = min_t(int, scm_max_fds(msg), scm->fp->count);
|
|
int __user *cmsg_data = CMSG_USER_DATA(cm);
|
|
int err = 0, i;
|
|
|
|
/* no use for FD passing from kernel space callers */
|
|
if (WARN_ON_ONCE(!msg->msg_control_is_user))
|
|
return;
|
|
|
|
if (msg->msg_flags & MSG_CMSG_COMPAT) {
|
|
scm_detach_fds_compat(msg, scm);
|
|
return;
|
|
}
|
|
|
|
for (i = 0; i < fdmax; i++) {
|
|
err = receive_fd_user(scm->fp->fp[i], cmsg_data + i, o_flags);
|
|
if (err < 0)
|
|
break;
|
|
}
|
|
|
|
if (i > 0) {
|
|
int cmlen = CMSG_LEN(i * sizeof(int));
|
|
|
|
err = put_user(SOL_SOCKET, &cm->cmsg_level);
|
|
if (!err)
|
|
err = put_user(SCM_RIGHTS, &cm->cmsg_type);
|
|
if (!err)
|
|
err = put_user(cmlen, &cm->cmsg_len);
|
|
if (!err) {
|
|
cmlen = CMSG_SPACE(i * sizeof(int));
|
|
if (msg->msg_controllen < cmlen)
|
|
cmlen = msg->msg_controllen;
|
|
msg->msg_control += cmlen;
|
|
msg->msg_controllen -= cmlen;
|
|
}
|
|
}
|
|
|
|
if (i < scm->fp->count || (scm->fp->count && fdmax <= 0))
|
|
msg->msg_flags |= MSG_CTRUNC;
|
|
|
|
/*
|
|
* All of the files that fit in the message have had their usage counts
|
|
* incremented, so we just free the list.
|
|
*/
|
|
__scm_destroy(scm);
|
|
}
|
|
EXPORT_SYMBOL(scm_detach_fds);
|
|
|
|
struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
|
|
{
|
|
struct scm_fp_list *new_fpl;
|
|
int i;
|
|
|
|
if (!fpl)
|
|
return NULL;
|
|
|
|
new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
|
|
GFP_KERNEL);
|
|
if (new_fpl) {
|
|
for (i = 0; i < fpl->count; i++)
|
|
get_file(fpl->fp[i]);
|
|
new_fpl->max = new_fpl->count;
|
|
new_fpl->user = get_uid(fpl->user);
|
|
}
|
|
return new_fpl;
|
|
}
|
|
EXPORT_SYMBOL(scm_fp_dup);
|