[CRIU] PR_SET_MM_MAP and capability check

Cyrill Gorcunov gorcunov at gmail.com
Thu Jun 16 07:18:19 PDT 2016


On Thu, Jun 16, 2016 at 04:08:04PM +0200, Takashi Iwai wrote:
> Hi,
> 
> while dealing with a security issue CVE-2016-1583, I noticed that
> PR_SET_MM_MAP is executed before the capability check in
> kernel/sys.c.  This is one of the things the crasher code in that bug
> is abusing.  Now I wonder whether it's safer to move it after the
> capability check like other PR_SET_MM_* calls.

Other calls, as far as I remember, operate with individual mm fields;
that's why they are under caps.

> 
> My understanding is that it's done for allowing non-root user to C/R.

Exactly.

> But, currently C/R by a non-root user doesn't work properly anyway
> (most of NS and other tweaks need CAP_SYS_RESOURCES or CAP_SYS_ADMIN),
> and leaving this might be seen as a weak point.

Well, indeed there are places in kernel which we've not yet addressed,
but we are hoping to with time, so I would prefer to not make it back
under caps protection.

Takashi, could you please point/explain how exactly this prctl code
can be abused?

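A way to check the ordering this thread is arguing about on a running kernel, as an added example that is not code from the thread or from CRIU: the program below issues the three kinds of PR_SET_MM requests from a process that need not hold CAP_SYS_RESOURCE and reports which ones the kernel accepts. It assumes a Linux kernel built with CONFIG_CHECKPOINT_RESTORE and the struct prctl_mm_map declaration that <sys/prctl.h> carries; the current layout is read back from /proc/self/stat (fields 26-28 and 45-51 as numbered in proc(5)) so that the PR_SET_MM_MAP call only writes the values the kernel already holds, and exe_fd is left at -1 so /proc/self/exe is not touched. The function names (probe_map_size, roundtrip_mm_map, probe_set_brk) are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>

/* Fill a prctl_mm_map with the layout the kernel currently holds for us.
 * /proc/self/stat: after "pid (comm)" the tokens start at field 3, so
 * field N is token N-3. Returns 0 on success, else an errno value. */
static int read_current_mm_map(struct prctl_mm_map *m)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/stat", "r");
    if (!f)
        return errno;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';

    char *p = strrchr(buf, ')');        /* comm may contain spaces: skip past it */
    if (!p)
        return EINVAL;
    unsigned long long v[52] = {0};
    int i = 0;
    for (char *tok = strtok(p + 1, " "); tok && i < 50; tok = strtok(NULL, " "))
        v[i++] = strtoull(tok, NULL, 10);
    if (i < 49)                         /* need up to field 51 (env_end) */
        return EINVAL;

    memset(m, 0, sizeof(*m));
    m->start_code  = v[23]; m->end_code = v[24]; m->start_stack = v[25];
    m->start_data  = v[42]; m->end_data = v[43]; m->start_brk   = v[44];
    m->arg_start   = v[45]; m->arg_end  = v[46];
    m->env_start   = v[47]; m->env_end  = v[48];
    m->brk = (unsigned long)(uintptr_t)sbrk(0);   /* brk is not in stat */
    m->auxv = 0;
    m->auxv_size = 0;
    m->exe_fd = (unsigned int)-1;       /* -1: leave /proc/self/exe alone */
    return 0;
}

/* 0 if the kernel accepted the request, else the errno it returned. */
static int prctl_errno(int opt, unsigned long addr, unsigned long arg4)
{
    return prctl(PR_SET_MM, opt, addr, arg4, 0) == 0 ? 0 : errno;
}

/* PR_SET_MM_MAP_SIZE is dispatched before the capability check, so it is
 * usable by any process; it also tells us whether this kernel has the map
 * interface at all. Returns the size the kernel reports, or -errno. */
static int probe_map_size(void)
{
    unsigned int sz = 0;
    int e = prctl_errno(PR_SET_MM_MAP_SIZE, (unsigned long)&sz, 0);
    return e ? -e : (int)sz;
}

/* PR_SET_MM_MAP, the whole-layout call the thread is about, also dispatched
 * before the capability check. Writing back the current values is a
 * harmless round trip; 0 means an unprivileged caller got through. */
static int roundtrip_mm_map(void)
{
    struct prctl_mm_map m;
    int e = read_current_mm_map(&m);
    if (e)
        return e;
    return prctl_errno(PR_SET_MM_MAP, (unsigned long)&m, sizeof(m));
}

/* PR_SET_MM_BRK is one of the per-field operations that sit behind
 * capable(CAP_SYS_RESOURCE). With the current brk as argument it is a
 * no-op when permitted and EPERM when the capability is missing. */
static int probe_set_brk(void)
{
    return prctl_errno(PR_SET_MM_BRK, (unsigned long)(uintptr_t)sbrk(0), 0);
}

int main(void)
{
    int sz = probe_map_size();
    if (sz < 0) {
        printf("PR_SET_MM_MAP_SIZE: %s (no CONFIG_CHECKPOINT_RESTORE or prctl filtered)\n",
               strerror(-sz));
        return 1;
    }
    printf("PR_SET_MM_MAP_SIZE: %d bytes, no capability needed\n", sz);
    int e = roundtrip_mm_map();
    printf("PR_SET_MM_MAP (same values): %s\n", e ? strerror(e) : "accepted");
    e = probe_set_brk();
    printf("PR_SET_MM_BRK (same value):  %s\n",
           e ? strerror(e) : "accepted (caller holds CAP_SYS_RESOURCE)");
    return 0;
}
```

Run it as a plain user and again with CAP_SYS_RESOURCE (or as root): the first two requests are accepted in both runs, only the per-field PR_SET_MM_BRK flips from EPERM to accepted, which is exactly the asymmetry Takashi is asking about. Pass a real descriptor in exe_fd and the kernel applies its own, separate check for changing the exe link; that path is deliberately not exercised here.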
