RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-27 03:27:34 +00:00
Code Issues Activity Actions

Kernel: Guard Process "protected data" with a spinlock

Browse source 
This ensures that both mutable and immutable access to the protected
data of a process is serialized.

Note that there may still be multiple TOCTOU issues around this, as we
have a bunch of convenience accessors that make it easy to introduce
them. We'll need to audit those as well.
This commit is contained in:
Andreas Kling 2022-08-21 12:18:26 +02:00
parent 728c3fbd14
commit 8ed06ad814
11 changed files with 348 additions and 300 deletions
Download patch file Download diff file Expand all files Collapse all files

5
Kernel/Syscalls/disown.cpp
View file

@ -17,8 +17,9 @@ ErrorOr<FlatPtr> Process::sys$disown(ProcessID pid)
return ESRCH;
if (process->ppid() != this->pid())
return ECHILD;
ProtectedDataMutationScope scope(*process);
process->m_protected_values.ppid = 0;
process->with_mutable_protected_data([](auto& protected_data) {
protected_data.ppid = 0;
});
process->disowned_by_waiter(*this);
return 0;
}

26
Kernel/Syscalls/execve.cpp
View file

@ -542,11 +542,10 @@ ErrorOr<void> Process::do_exec(NonnullLockRefPtr<OpenFileDescription> main_progr
kill_threads_except_self();
{
ProtectedDataMutationScope scope { *this };
m_protected_values.credentials = move(new_credentials);
}
set_dumpable(!executable_is_setid);
with_mutable_protected_data([&](auto& protected_data) {
protected_data.credentials = move(new_credentials);
protected_data.dumpable = !executable_is_setid;
});
// We make sure to enter the new address space before destroying the old one.
// This ensures that the process always has a valid page directory.
@ -627,19 +626,18 @@ ErrorOr<void> Process::do_exec(NonnullLockRefPtr<OpenFileDescription> main_progr
// NOTE: Be careful to not trigger any page faults below!
{
ProtectedDataMutationScope scope { *this };
m_protected_values.promises = m_protected_values.execpromises.load();
m_protected_values.has_promises = m_protected_values.has_execpromises.load();
with_mutable_protected_data([&](auto& protected_data) {
protected_data.promises = protected_data.execpromises.load();
protected_data.has_promises = protected_data.has_execpromises.load();
m_protected_values.execpromises = 0;
m_protected_values.has_execpromises = false;
protected_data.execpromises = 0;
protected_data.has_execpromises = false;
m_protected_values.signal_trampoline = signal_trampoline_region->vaddr();
protected_data.signal_trampoline = signal_trampoline_region->vaddr();
// FIXME: PID/TID ISSUE
m_protected_values.pid = new_main_thread->tid().value();
}
protected_data.pid = new_main_thread->tid().value();
});
auto tsr_result = new_main_thread->make_thread_specific_region({});
if (tsr_result.is_error()) {

9
Kernel/Syscalls/exit.cpp
View file

@ -18,11 +18,10 @@ void Process::sys$exit(int status)
VERIFY_PROCESS_BIG_LOCK_ACQUIRED(this);
}
{
ProtectedDataMutationScope scope { *this };
m_protected_values.termination_status = status;
m_protected_values.termination_signal = 0;
}
with_mutable_protected_data([status](auto& protected_data) {
protected_data.termination_status = status;
protected_data.termination_signal = 0;
});
auto* current_thread = Thread::current();
current_thread->set_profiling_suppressed();

25
Kernel/Syscalls/fork.cpp
View file

@ -49,18 +49,19 @@ ErrorOr<FlatPtr> Process::sys$fork(RegisterState& regs)
child->m_pg = m_pg;
{
ProtectedDataMutationScope scope { *child };
child->m_protected_values.promises = m_protected_values.promises.load();
child->m_protected_values.execpromises = m_protected_values.execpromises.load();
child->m_protected_values.has_promises = m_protected_values.has_promises.load();
child->m_protected_values.has_execpromises = m_protected_values.has_execpromises.load();
child->m_protected_values.sid = m_protected_values.sid;
child->m_protected_values.credentials = m_protected_values.credentials;
child->m_protected_values.umask = m_protected_values.umask;
child->m_protected_values.signal_trampoline = m_protected_values.signal_trampoline;
child->m_protected_values.dumpable = m_protected_values.dumpable;
}
with_protected_data([&](auto& my_protected_data) {
child->with_mutable_protected_data([&](auto& child_protected_data) {
child_protected_data.promises = my_protected_data.promises.load();
child_protected_data.execpromises = my_protected_data.execpromises.load();
child_protected_data.has_promises = my_protected_data.has_promises.load();
child_protected_data.has_execpromises = my_protected_data.has_execpromises.load();
child_protected_data.sid = my_protected_data.sid;
child_protected_data.credentials = my_protected_data.credentials;
child_protected_data.umask = my_protected_data.umask;
child_protected_data.signal_trampoline = my_protected_data.signal_trampoline;
child_protected_data.dumpable = my_protected_data.dumpable;
});
});
dbgln_if(FORK_DEBUG, "fork: child={}", child);
child->address_space().set_enforces_syscall_regions(address_space().enforces_syscall_regions());

55
Kernel/Syscalls/pledge.cpp
View file

@ -46,43 +46,48 @@ ErrorOr<FlatPtr> Process::sys$pledge(Userspace<Syscall::SC_pledge_params const*>
if (promises) {
if (!parse_pledge(promises->view(), new_promises))
return EINVAL;
if (m_protected_values.has_promises && (new_promises & ~m_protected_values.promises)) {
if (!(m_protected_values.promises & (1u << (u32)Pledge::no_error)))
return EPERM;
new_promises &= m_protected_values.promises;
}
}
u32 new_execpromises = 0;
if (execpromises) {
if (!parse_pledge(execpromises->view(), new_execpromises))
return EINVAL;
if (m_protected_values.has_execpromises && (new_execpromises & ~m_protected_values.execpromises)) {
if (!(m_protected_values.promises & (1u << (u32)Pledge::no_error)))
return EPERM;
new_execpromises &= m_protected_values.execpromises;
}
return with_mutable_protected_data([&](auto& protected_data) -> ErrorOr<FlatPtr> {
if (promises) {
if (protected_data.has_promises && (new_promises & ~protected_data.promises)) {
if (!(protected_data.promises & (1u << (u32)Pledge::no_error)))
return EPERM;
new_promises &= protected_data.promises;
}
}
}
// Only apply promises after all validation has occurred, this ensures
// we don't introduce logic bugs like applying the promises, and then
// erroring out when parsing the exec promises later. Such bugs silently
// leave the caller in an unexpected state.
if (execpromises) {
if (protected_data.has_execpromises && (new_execpromises & ~protected_data.execpromises)) {
if (!(protected_data.promises & (1u << (u32)Pledge::no_error)))
return EPERM;
new_execpromises &= protected_data.execpromises;
}
}
ProtectedDataMutationScope scope { *this };
// Only apply promises after all validation has occurred, this ensures
// we don't introduce logic bugs like applying the promises, and then
// erroring out when parsing the exec promises later. Such bugs silently
// leave the caller in an unexpected state.
if (promises) {
m_protected_values.has_promises = true;
m_protected_values.promises = new_promises;
}
if (promises) {
protected_data.has_promises = true;
protected_data.promises = new_promises;
}
if (execpromises) {
m_protected_values.has_execpromises = true;
m_protected_values.execpromises = new_execpromises;
}
if (execpromises) {
protected_data.has_execpromises = true;
protected_data.execpromises = new_execpromises;
}
return 0;
return 0;
});
}
}

2
Kernel/Syscalls/process.cpp
View file

@ -20,7 +20,7 @@ ErrorOr<FlatPtr> Process::sys$getppid()
{
VERIFY_PROCESS_BIG_LOCK_ACQUIRED(this);
TRY(require_promise(Pledge::stdio));
return m_protected_values.ppid.value();
return with_protected_data([](auto& protected_data) { return protected_data.ppid.value(); });
}
ErrorOr<FlatPtr> Process::sys$get_process_name(Userspace<char*> buffer, size_t buffer_size)

7
Kernel/Syscalls/setpgid.cpp
View file

@ -40,9 +40,10 @@ ErrorOr<FlatPtr> Process::sys$setsid()
m_pg = TRY(ProcessGroup::try_create(ProcessGroupID(pid().value())));
m_tty = nullptr;
ProtectedDataMutationScope scope { *this };
m_protected_values.sid = pid().value();
return sid().value();
return with_mutable_protected_data([&](auto& protected_data) -> ErrorOr<FlatPtr> {
protected_data.sid = pid().value();
return protected_data.sid.value();
});
}
ErrorOr<FlatPtr> Process::sys$getpgid(pid_t pid)

348
Kernel/Syscalls/setuid.cpp
View file

@ -17,27 +17,27 @@ ErrorOr<FlatPtr> Process::sys$seteuid(UserID new_euid)
if (new_euid == (uid_t)-1)
return EINVAL;
auto credentials = this->credentials();
return with_mutable_protected_data([&](auto& protected_data) -> ErrorOr<FlatPtr> {
auto credentials = this->credentials();
if (new_euid != credentials->uid() && new_euid != credentials->suid() && !credentials->is_superuser())
return EPERM;
if (new_euid != credentials->uid() && new_euid != credentials->suid() && !credentials->is_superuser())
return EPERM;
auto new_credentials = TRY(Credentials::create(
credentials->uid(),
credentials->gid(),
new_euid,
credentials->egid(),
credentials->suid(),
credentials->sgid(),
credentials->extra_gids()));
auto new_credentials = TRY(Credentials::create(
credentials->uid(),
credentials->gid(),
new_euid,
credentials->egid(),
credentials->suid(),
credentials->sgid(),
credentials->extra_gids()));
ProtectedDataMutationScope scope { *this };
if (credentials->euid() != new_euid)
protected_data.dumpable = false;
if (credentials->euid() != new_euid)
set_dumpable(false);
m_protected_values.credentials = move(new_credentials);
return 0;
protected_data.credentials = move(new_credentials);
return 0;
});
}
ErrorOr<FlatPtr> Process::sys$setegid(GroupID new_egid)
@ -48,27 +48,27 @@ ErrorOr<FlatPtr> Process::sys$setegid(GroupID new_egid)
if (new_egid == (uid_t)-1)
return EINVAL;
auto credentials = this->credentials();
return with_mutable_protected_data([&](auto& protected_data) -> ErrorOr<FlatPtr> {
auto credentials = this->credentials();
if (new_egid != credentials->gid() && new_egid != credentials->sgid() && !credentials->is_superuser())
return EPERM;
if (new_egid != credentials->gid() && new_egid != credentials->sgid() && !credentials->is_superuser())
return EPERM;
auto new_credentials = TRY(Credentials::create(
credentials->uid(),
credentials->gid(),
credentials->euid(),
new_egid,
credentials->suid(),
credentials->sgid(),
credentials->extra_gids()));
auto new_credentials = TRY(Credentials::create(
credentials->uid(),
credentials->gid(),
credentials->euid(),
new_egid,
credentials->suid(),
credentials->sgid(),
credentials->extra_gids()));
ProtectedDataMutationScope scope { *this };
if (credentials->egid() != new_egid)
protected_data.dumpable = false;
if (credentials->egid() != new_egid)
set_dumpable(false);
m_protected_values.credentials = move(new_credentials);
return 0;
protected_data.credentials = move(new_credentials);
return 0;
});
}
ErrorOr<FlatPtr> Process::sys$setuid(UserID new_uid)
@ -79,27 +79,27 @@ ErrorOr<FlatPtr> Process::sys$setuid(UserID new_uid)
if (new_uid == (uid_t)-1)
return EINVAL;
auto credentials = this->credentials();
return with_mutable_protected_data([&](auto& protected_data) -> ErrorOr<FlatPtr> {
auto credentials = this->credentials();
if (new_uid != credentials->uid() && new_uid != credentials->euid() && !credentials->is_superuser())
return EPERM;
if (new_uid != credentials->uid() && new_uid != credentials->euid() && !credentials->is_superuser())
return EPERM;
auto new_credentials = TRY(Credentials::create(
new_uid,
credentials->gid(),
new_uid,
credentials->egid(),
new_uid,
credentials->sgid(),
credentials->extra_gids()));
auto new_credentials = TRY(Credentials::create(
new_uid,
credentials->gid(),
new_uid,
credentials->egid(),
new_uid,
credentials->sgid(),
credentials->extra_gids()));
ProtectedDataMutationScope scope { *this };
if (credentials->euid() != new_uid)
protected_data.dumpable = false;
if (credentials->euid() != new_uid)
set_dumpable(false);
m_protected_values.credentials = move(new_credentials);
return 0;
protected_data.credentials = move(new_credentials);
return 0;
});
}
ErrorOr<FlatPtr> Process::sys$setgid(GroupID new_gid)
@ -110,27 +110,27 @@ ErrorOr<FlatPtr> Process::sys$setgid(GroupID new_gid)
if (new_gid == (uid_t)-1)
return EINVAL;
auto credentials = this->credentials();
return with_mutable_protected_data([&](auto& protected_data) -> ErrorOr<FlatPtr> {
auto credentials = this->credentials();
if (new_gid != credentials->gid() && new_gid != credentials->egid() && !credentials->is_superuser())
return EPERM;
if (new_gid != credentials->gid() && new_gid != credentials->egid() && !credentials->is_superuser())
return EPERM;
auto new_credentials = TRY(Credentials::create(
credentials->uid(),
new_gid,
credentials->euid(),
new_gid,
credentials->suid(),
new_gid,
credentials->extra_gids()));
auto new_credentials = TRY(Credentials::create(
credentials->uid(),
new_gid,
credentials->euid(),
new_gid,
credentials->suid(),
new_gid,
credentials->extra_gids()));
ProtectedDataMutationScope scope { *this };
if (credentials->egid() != new_gid)
protected_data.dumpable = false;
if (credentials->egid() != new_gid)
set_dumpable(false);
m_protected_values.credentials = move(new_credentials);
return 0;
protected_data.credentials = move(new_credentials);
return 0;
});
}
ErrorOr<FlatPtr> Process::sys$setreuid(UserID new_ruid, UserID new_euid)
@ -138,36 +138,36 @@ ErrorOr<FlatPtr> Process::sys$setreuid(UserID new_ruid, UserID new_euid)
VERIFY_NO_PROCESS_BIG_LOCK(this);
TRY(require_promise(Pledge::id));
auto credentials = this->credentials();
return with_mutable_protected_data([&](auto& protected_data) -> ErrorOr<FlatPtr> {
auto credentials = this->credentials();
if (new_ruid == (uid_t)-1)
new_ruid = credentials->uid();
if (new_euid == (uid_t)-1)
new_euid = credentials->euid();
if (new_ruid == (uid_t)-1)
new_ruid = credentials->uid();
if (new_euid == (uid_t)-1)
new_euid = credentials->euid();
auto ok = [&credentials](UserID id) { return id == credentials->uid() || id == credentials->euid() || id == credentials->suid(); };
if (!ok(new_ruid) || !ok(new_euid))
return EPERM;
auto ok = [&credentials](UserID id) { return id == credentials->uid() || id == credentials->euid() || id == credentials->suid(); };
if (!ok(new_ruid) || !ok(new_euid))
return EPERM;
if (new_ruid < (uid_t)-1 || new_euid < (uid_t)-1)
return EINVAL;
if (new_ruid < (uid_t)-1 || new_euid < (uid_t)-1)
return EINVAL;
auto new_credentials = TRY(Credentials::create(
new_ruid,
credentials->gid(),
new_euid,
credentials->egid(),
credentials->suid(),
credentials->sgid(),
credentials->extra_gids()));
auto new_credentials = TRY(Credentials::create(
new_ruid,
credentials->gid(),
new_euid,
credentials->egid(),
credentials->suid(),
credentials->sgid(),
credentials->extra_gids()));
ProtectedDataMutationScope scope { *this };
if (credentials->euid() != new_euid)
protected_data.dumpable = false;
if (credentials->euid() != new_euid)
set_dumpable(false);
m_protected_values.credentials = move(new_credentials);
return 0;
protected_data.credentials = move(new_credentials);
return 0;
});
}
ErrorOr<FlatPtr> Process::sys$setresuid(UserID new_ruid, UserID new_euid, UserID new_suid)
@ -175,35 +175,35 @@ ErrorOr<FlatPtr> Process::sys$setresuid(UserID new_ruid, UserID new_euid, UserID
VERIFY_NO_PROCESS_BIG_LOCK(this);
TRY(require_promise(Pledge::id));
auto credentials = this->credentials();
return with_mutable_protected_data([&](auto& protected_data) -> ErrorOr<FlatPtr> {
auto credentials = this->credentials();
if (new_ruid == (uid_t)-1)
new_ruid = credentials->uid();
if (new_euid == (uid_t)-1)
new_euid = credentials->euid();
if (new_suid == (uid_t)-1)
new_suid = credentials->suid();
if (new_ruid == (uid_t)-1)
new_ruid = credentials->uid();
if (new_euid == (uid_t)-1)
new_euid = credentials->euid();
if (new_suid == (uid_t)-1)
new_suid = credentials->suid();
auto ok = [&credentials](UserID id) { return id == credentials->uid() || id == credentials->euid() || id == credentials->suid(); };
if ((!ok(new_ruid) || !ok(new_euid) || !ok(new_suid)) && !credentials->is_superuser())
return EPERM;
auto ok = [&credentials](UserID id) { return id == credentials->uid() || id == credentials->euid() || id == credentials->suid(); };
if ((!ok(new_ruid) || !ok(new_euid) || !ok(new_suid)) && !credentials->is_superuser())
return EPERM;
auto new_credentials = TRY(Credentials::create(
new_ruid,
credentials->gid(),
new_euid,
credentials->egid(),
new_suid,
credentials->sgid(),
credentials->extra_gids()));
auto new_credentials = TRY(Credentials::create(
new_ruid,
credentials->gid(),
new_euid,
credentials->egid(),
new_suid,
credentials->sgid(),
credentials->extra_gids()));
ProtectedDataMutationScope scope { *this };
if (credentials->euid() != new_euid)
protected_data.dumpable = false;
if (credentials->euid() != new_euid)
set_dumpable(false);
m_protected_values.credentials = move(new_credentials);
return 0;
protected_data.credentials = move(new_credentials);
return 0;
});
}
ErrorOr<FlatPtr> Process::sys$setresgid(GroupID new_rgid, GroupID new_egid, GroupID new_sgid)
@ -211,35 +211,35 @@ ErrorOr<FlatPtr> Process::sys$setresgid(GroupID new_rgid, GroupID new_egid, Grou
VERIFY_NO_PROCESS_BIG_LOCK(this);
TRY(require_promise(Pledge::id));
auto credentials = this->credentials();
return with_mutable_protected_data([&](auto& protected_data) -> ErrorOr<FlatPtr> {
auto credentials = this->credentials();
if (new_rgid == (gid_t)-1)
new_rgid = credentials->gid();
if (new_egid == (gid_t)-1)
new_egid = credentials->egid();
if (new_sgid == (gid_t)-1)
new_sgid = credentials->sgid();
if (new_rgid == (gid_t)-1)
new_rgid = credentials->gid();
if (new_egid == (gid_t)-1)
new_egid = credentials->egid();
if (new_sgid == (gid_t)-1)
new_sgid = credentials->sgid();
auto ok = [&credentials](GroupID id) { return id == credentials->gid() || id == credentials->egid() || id == credentials->sgid(); };
if ((!ok(new_rgid) || !ok(new_egid) || !ok(new_sgid)) && !credentials->is_superuser())
return EPERM;
auto ok = [&credentials](GroupID id) { return id == credentials->gid() || id == credentials->egid() || id == credentials->sgid(); };
if ((!ok(new_rgid) || !ok(new_egid) || !ok(new_sgid)) && !credentials->is_superuser())
return EPERM;
auto new_credentials = TRY(Credentials::create(
credentials->uid(),
new_rgid,
credentials->euid(),
new_egid,
credentials->suid(),
new_sgid,
credentials->extra_gids()));
auto new_credentials = TRY(Credentials::create(
credentials->uid(),
new_rgid,
credentials->euid(),
new_egid,
credentials->suid(),
new_sgid,
credentials->extra_gids()));
ProtectedDataMutationScope scope { *this };
if (credentials->egid() != new_egid)
protected_data.dumpable = false;
if (credentials->egid() != new_egid)
set_dumpable(false);
m_protected_values.credentials = move(new_credentials);
return 0;
protected_data.credentials = move(new_credentials);
return 0;
});
}
ErrorOr<FlatPtr> Process::sys$setgroups(size_t count, Userspace<GroupID const*> user_gids)
@ -250,49 +250,49 @@ ErrorOr<FlatPtr> Process::sys$setgroups(size_t count, Userspace<GroupID const*>
if (count > NGROUPS_MAX)
return EINVAL;
auto credentials = this->credentials();
return with_mutable_protected_data([&](auto& protected_data) -> ErrorOr<FlatPtr> {
auto credentials = this->credentials();
if (!credentials->is_superuser())
return EPERM;
if (!credentials->is_superuser())
return EPERM;
if (!count) {
ProtectedDataMutationScope scope { *this };
m_protected_values.credentials = TRY(Credentials::create(
if (!count) {
protected_data.credentials = TRY(Credentials::create(
credentials->uid(),
credentials->gid(),
credentials->euid(),
credentials->egid(),
credentials->suid(),
credentials->sgid(),
{}));
return 0;
}
Vector<GroupID> new_extra_gids;
TRY(new_extra_gids.try_resize(count));
TRY(copy_n_from_user(new_extra_gids.data(), user_gids, count));
HashTable<GroupID> unique_extra_gids;
for (auto& extra_gid : new_extra_gids) {
if (extra_gid != credentials->gid())
TRY(unique_extra_gids.try_set(extra_gid));
}
new_extra_gids.clear_with_capacity();
for (auto extra_gid : unique_extra_gids) {
TRY(new_extra_gids.try_append(extra_gid));
}
protected_data.credentials = TRY(Credentials::create(
credentials->uid(),
credentials->gid(),
credentials->euid(),
credentials->egid(),
credentials->suid(),
credentials->sgid(),
{}));
new_extra_gids.span()));
return 0;
}
Vector<GroupID> new_extra_gids;
TRY(new_extra_gids.try_resize(count));
TRY(copy_n_from_user(new_extra_gids.data(), user_gids, count));
HashTable<GroupID> unique_extra_gids;
for (auto& extra_gid : new_extra_gids) {
if (extra_gid != credentials->gid())
TRY(unique_extra_gids.try_set(extra_gid));
}
new_extra_gids.clear_with_capacity();
for (auto extra_gid : unique_extra_gids) {
TRY(new_extra_gids.try_append(extra_gid));
}
ProtectedDataMutationScope scope { *this };
m_protected_values.credentials = TRY(Credentials::create(
credentials->uid(),
credentials->gid(),
credentials->euid(),
credentials->egid(),
credentials->suid(),
credentials->sgid(),
new_extra_gids.span()));
return 0;
});
}
}

9
Kernel/Syscalls/umask.cpp
View file

@ -12,10 +12,11 @@ ErrorOr<FlatPtr> Process::sys$umask(mode_t mask)
{
VERIFY_PROCESS_BIG_LOCK_ACQUIRED(this);
TRY(require_promise(Pledge::stdio));
auto old_mask = m_protected_values.umask;
ProtectedDataMutationScope scope { *this };
m_protected_values.umask = mask & 0777;
return old_mask;
return with_mutable_protected_data([&](auto& protected_data) -> ErrorOr<FlatPtr> {
auto old_mask = protected_data.umask;
protected_data.umask = mask & 0777;
return old_mask;
});
}
}