Commit b02d7c7

pINT: Drop a real_cred pointer corruption check on 6.13+
Drop a check introduced a few days ago, which did not take address reuse into consideration.

Amends bf3439b
Fixes #432
1 parent 9a002f3 commit b02d7c7

1 file changed (+7, -11 lines changed)

src/modules/exploit_detection/p_exploit_detection.c

Lines changed: 7 additions & 11 deletions
@@ -1229,10 +1229,11 @@ static int p_cmp_tasks(struct p_ed_process *p_orig, char p_kill) {
12291229
* each other, which lets us perform additional checks.
12301230
*
12311231
* commit_creds() changes both pointers, override_creds() only the cred
1232-
* pointer, but nothing valid changes only the real_cred pointer, so that's
1233-
* what we can detect as a violation on all kernels. This violation implies
1234-
* that the two current pointers differ from each other, but not the other
1235-
* way around.
1232+
* pointer, but nothing valid changes only the real_cred pointer.
1233+
* Unfortunately, we cannot reliably detect this as a violation on pre-6.13
1234+
* kernels because there may have been both an untracked commit_creds()
1235+
* changing both pointers and an override_creds() changing the cred pointer
1236+
* potentially in such a way that the old pointer value we saved is reused.
12361237
*
12371238
* On kernels below 6.13, we directly detect pointers differing from each
12381239
* other as a violation, which covers the above case and also unexpected
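Review bot: the new comment text (lines 1233-1236 of the new file) says the real_cred-only change "cannot reliably detect this as a violation on pre-6.13 kernels", but the check being dropped, per the commit title and the removed `#else` branch in the next hunk, is the 6.13+ one, and the paragraph that follows still states that "On kernels below 6.13, we directly detect pointers differing from each other as a violation, which covers the above case". As written the two paragraphs contradict each other; if the address-reuse problem is the reason the 6.13+ check was removed, reword to "on 6.13+ kernels" (or otherwise reconcile the two paragraphs) so the comment matches the code it describes.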
@@ -1242,18 +1243,13 @@ static int p_cmp_tasks(struct p_ed_process *p_orig, char p_kill) {
12421243
* from each other, a check of the actual subjective credentials wouldn't be
12431244
* redundant with what we performed above, so we perform it as well.
12441245
*/
1245-
if (current == p_current && unlikely(
12461246
#if LINUX_VERSION_CODE < KERNEL_VERSION(6,13,0)
1247-
p_current_real_cred != p_current_cred
1248-
#else
1249-
p_orig->p_ed_task.p_real_cred_ptr != p_current_real_cred &&
1250-
p_orig->p_ed_task.p_real_cred_ptr == p_current_cred
1251-
#endif
1252-
)) {
1247+
if (current == p_current && unlikely(p_current_real_cred != p_current_cred)) {
12531248
P_CMP_PTR(p_orig->p_ed_task.p_real_cred_ptr, p_current_real_cred, "real_cred")
12541249
p_ret += p_cmp_creds(&p_orig->p_ed_task.p_real_cred, p_current_cred, p_current);
12551250
P_CMP_PTR(p_orig->p_ed_task.p_real_cred_ptr, p_current_cred, "cred")
12561251
}
1252+
#endif
12571253

12581254
/* Namespaces */
12591255
if (p_orig->p_ed_task.p_nsproxy && (p_current == current || spin_trylock(&p_current->alloc_lock))) {
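Review bot: with the `#if LINUX_VERSION_CODE < KERNEL_VERSION(6,13,0)` at line 1246 now enclosing the whole `if` statement and the new `#endif` placed after the closing brace at line 1252, builds on 6.13+ perform no real_cred/cred comparison in this function at all, so `p_current_real_cred` and, if it is not referenced elsewhere in the function, `p_current_cred` may become unused variables on those kernels; consider guarding their definitions with the same version check or marking them `__maybe_unused` so the 6.13+ build stays warning-free. A short trailing comment on the `#endif` (for example `#endif /* < 6.13 */`) would also make the widened preprocessor scope easier to follow, since the directive no longer sits inside the condition it used to select between.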
