Commit 3c1c24d9 authored Nov 30, 2019 by Mike Rapoport Committed by Linus Torvalds Dec 01, 2019

userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK

A while ago Andy noticed
(http://lkml.kernel.org/r/CALCETrWY+5ynDct7eU_nDUqx=okQvjm=Y5wJvA4ahBja=CQXGw@mail.gmail.com)
that UFFD_FEATURE_EVENT_FORK used by an unprivileged user may have
security implications.

As the first step of the solution the following patch limits the availably
of UFFD_FEATURE_EVENT_FORK only for those having CAP_SYS_PTRACE.

The usage of CAP_SYS_PTRACE ensures compatibility with CRIU.

Yet, if there are other users of non-cooperative userfaultfd that run
without CAP_SYS_PTRACE, they would be broken :(

Current implementation of UFFD_FEATURE_EVENT_FORK modifies the file
descriptor table from the read() implementation of uffd, which may have
security implications for unprivileged use of the userfaultfd.

Limit availability of UFFD_FEATURE_EVENT_FORK only for callers that have
CAP_SYS_PTRACE.

Link: http://lkml.kernel.org/r/1572967777-8812-2-git-send-email-rppt@linux.ibm.com


Signed-off-by: Mike Rapoport <rppt@linux.ibm.com>
Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
Cc: Daniel Colascione <dancol@google.com>
Cc: Jann Horn <jannh@google.com>
Cc: Lokesh Gidra <lokeshgidra@google.com>
Cc: Nick Kralevich <nnk@google.com>
Cc: Nosh Minwalla <nosh@google.com>
Cc: Pavel Emelyanov <ovzxemul@gmail.com>
Cc: Tim Murray <timmurray@google.com>
Cc: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent 9d4678eb

fs/userfaultfd.c

+11 −7

Original line number	Diff line number	Diff line
		@@ -1835,13 +1835,12 @@ static int userfaultfd_api(struct userfaultfd_ctx *ctx,
		if (copy_from_user(&uffdio_api, buf, sizeof(uffdio_api)))
		goto out;
		features = uffdio_api.features;
		if (uffdio_api.api != UFFD_API \|\| (features & ~UFFD_API_FEATURES)) {
		memset(&uffdio_api, 0, sizeof(uffdio_api));
		if (copy_to_user(buf, &uffdio_api, sizeof(uffdio_api)))
		goto out;
		ret = -EINVAL;
		goto out;
		}
		if (uffdio_api.api != UFFD_API \|\| (features & ~UFFD_API_FEATURES))
		goto err_out;
		ret = -EPERM;
		if ((features & UFFD_FEATURE_EVENT_FORK) && !capable(CAP_SYS_PTRACE))
		goto err_out;
		/* report all available features and ioctls to userland */
		uffdio_api.features = UFFD_API_FEATURES;
		uffdio_api.ioctls = UFFD_API_IOCTLS;
		@@ -1854,6 +1853,11 @@ static int userfaultfd_api(struct userfaultfd_ctx *ctx,
		ret = 0;
		out:
		return ret;
		err_out:
		memset(&uffdio_api, 0, sizeof(uffdio_api));
		if (copy_to_user(buf, &uffdio_api, sizeof(uffdio_api)))
		ret = -EFAULT;
		goto out;
		}

		static long userfaultfd_ioctl(struct file *file, unsigned cmd,

Admin message