author    Goldwyn Rodrigues <rgoldwyn@suse.com>  2018-10-15 10:56:30 -0500
committer Goldwyn Rodrigues <rgoldwyn@suse.com>  2018-10-15 10:56:59 -0500
commit    b947702a9242939ed065cb5e788807174bd53da3
parent    1a4e6167962153aeaaacdb7cf856755bd137f6a6
proc: restrict kernel stack dumps to root (git-fixes).
3 files changed, 79 insertions, 1 deletions
diff --git a/blacklist.conf b/blacklist.conf
index 860e04c8bd..0571f2b0f1 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -515,4 +515,8 @@ a81d1ab3cad77e20c2df8baef0a35a4980fc511c # nfc: revert: not applicable
c2ef60fea2dc7f903450926aee1f9c282ea529ca # xhci: revert: no fixes backported
c4ff91dd40e2253ab6dd028011469c2c694e1e19 # drm/amd/pp: initialize result to before or'ing in data
-9c60583c0b0fd6f3a5b61fda3eb604ce218b9d25 # breaks KABI \ No newline at end of file
+9c60583c0b0fd6f3a5b61fda3eb604ce218b9d25 # breaks KABI
+babcbbc7c4e2fa7fa76417ece7c57083bee971f1 # needs read_word_at_a_time 7f1e541fc8d57
+c6718543463dbb78486ad259f884cb800df802b5 # for stacked ovl file operations
+8cf9ee5061037accf61775f438ad7513576d4413 # for stacked ovl file operations
+452061fd4521b2bf3225fc391dbe536e5f9c05e2 # depends of redirect_follow feature
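Review bot: the four new blacklist entries (babcbbc7c4e2, c6718543463d, 8cf9ee506103, 452061fd4521) have nothing to do with the subject "proc: restrict kernel stack dumps to root" and are not mentioned in the commit message; either split them into their own commit or add a sentence explaining why they travel with this change. The annotation on the last entry, "depends of redirect_follow feature", should read "depends on". The -/+ pair for 9c60583c0b0f only restores the missing trailing newline, which is fine.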
diff --git a/patches.fixes/proc-restrict-kernel-stack-dumps-to-root.patch b/patches.fixes/proc-restrict-kernel-stack-dumps-to-root.patch
new file mode 100644
index 0000000000..11036df88c
--- /dev/null
+++ b/patches.fixes/proc-restrict-kernel-stack-dumps-to-root.patch
@@ -0,0 +1,73 @@
+From f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri Oct 5 15:51:58 2018 -0700
+Subject: [PATCH] proc: restrict kernel stack dumps to root
+Git-commit: f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7
+References: git-fixes
+Patch-mainline: v4.19-rc7
+Currently, you can use /proc/self/task/*/stack to cause a stack walk on
+a task you control while it is running on another CPU. That means that
+the stack can change under the stack walker. The stack walker does
+have guards against going completely off the rails and into random
+kernel memory, but it can interpret random data from your kernel stack
+as instruction pointers and stack pointers. This can cause exposure of
+kernel stack contents to userspace.
+Restrict the ability to inspect kernel stacks of arbitrary tasks to root
+in order to prevent a local attacker from exploiting racy stack unwinding
+to leak kernel task stack contents. See the added comment for a longer
+There don't seem to be any users of this userspace API that can't
+gracefully bail out if reading from the file fails. Therefore, I believe
+that this change is unlikely to break things. In the case that this patch
+does end up needing a revert, the next-best solution might be to fake a
+single-entry stack based on wchan.
+Link: http://lkml.kernel.org/r/20180927153316.200286-1-jannh@google.com
+Fixes: 2ec220e27f50 ("proc: add /proc/*/stack")
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Ken Chen <kenchen@google.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Laura Abbott <labbott@redhat.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: "H . Peter Anvin" <hpa@zytor.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+ fs/proc/base.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -428,6 +428,20 @@ static int proc_pid_stack(struct seq_fil
+ int err;
+ int i;
++ /*
++ * The ability to racily run the kernel stack unwinder on a running task
++ * and then observe the unwinder output is scary; while it is useful for
++ * debugging kernel issues, it can also allow an attacker to leak kernel
++ * stack contents.
++ * Doing this in a manner that is at least safe from races would require
++ * some work to ensure that the remote task can not be scheduled; and
++ * even then, this would still expose the unwinder as local attack
++ * surface.
++ * Therefore, this interface is restricted to root.
++ */
++ if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN))
++ return -EACCES;
+ entries = kmalloc(MAX_STACK_TRACE_DEPTH * sizeof(*entries), GFP_KERNEL);
+ if (!entries)
+ return -ENOMEM;
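Review bot: the embedded commit message is cut off mid-sentence at "See the added comment for a longer" (upstream continues with "rationale."); restore the missing tail so the pointer to the in-code comment reads as a complete sentence. The code change itself is sound: the capability check is placed before the kmalloc, so an unprivileged reader never triggers the allocation, and file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN) evaluates the credentials of whoever opened the file rather than whoever calls read(), so passing an already-open descriptor to a more privileged process does not bypass the restriction.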
diff --git a/series.conf b/series.conf
index 3c7d570a8b..2255db9504 100644
--- a/series.conf
+++ b/series.conf
@@ -17849,6 +17849,7 @@
+ patches.fixes/proc-restrict-kernel-stack-dumps-to-root.patch
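Review bot: the hunk header promises six lines of context around the insertion, but only the added line is shown here, so the position of the new entry relative to its neighbours in series.conf cannot be verified from this view; confirm it lands in the intended sorted spot among the other patches.fixes entries before merging.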