Commit 7f7ccc2c authored by Willy Tarreau's avatar Willy Tarreau Committed by Linus Torvalds
Browse files

proc: do not access cmdline nor environ from file-backed areas 



proc_pid_cmdline_read() and environ_read() directly access the target
process' VM to retrieve the command line and environment. If this
process remaps these areas onto a file via mmap(), the requesting
process may experience various issues such as extra delays if the
underlying device is slow to respond.

Let's simply refuse to access file-backed areas in these functions.
For this we add a new FOLL_ANON gup flag that is passed to all calls
to access_remote_vm(). The code already takes care of such failures
(including unmapped areas). Accesses via /proc/pid/mem were not
changed though.

This was assigned CVE-2018-1120.

Note for stable backports: the patch may apply to kernels prior to 4.11
but silently miss one location; it must be checked that no call to
access_remote_vm() keeps zero as the last argument.

Reported-by: default avatarQualys Security Advisory <qsa@qualys.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent e6506eb2

fs/proc/base.c

+4 −4
Original line number Diff line number Diff line
@@ -261,7 +261,7 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf, 
	 * Inherently racy -- command line shares address space

	 * with code and data.

	 */

	rv = access_remote_vm(mm, arg_end - 1, &c, 1, 0);

	rv = access_remote_vm(mm, arg_end - 1, &c, 1, FOLL_ANON);

	if (rv <= 0)

		goto out_free_page;
@@ -279,7 +279,7 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf, 
			int nr_read;



			_count = min3(count, len, PAGE_SIZE);

			nr_read = access_remote_vm(mm, p, page, _count, 0);

			nr_read = access_remote_vm(mm, p, page, _count, FOLL_ANON);

			if (nr_read < 0)

				rv = nr_read;

			if (nr_read <= 0)
@@ -325,7 +325,7 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf, 
				bool final;



				_count = min3(count, len, PAGE_SIZE);

				nr_read = access_remote_vm(mm, p, page, _count, 0);

				nr_read = access_remote_vm(mm, p, page, _count, FOLL_ANON);

				if (nr_read < 0)

					rv = nr_read;

				if (nr_read <= 0)
@@ -946,7 +946,7 @@ static ssize_t environ_read(struct file *file, char __user *buf, 
		max_len = min_t(size_t, PAGE_SIZE, count);

		this_len = min(max_len, this_len);



		retval = access_remote_vm(mm, (env_start + src), page, this_len, 0);

		retval = access_remote_vm(mm, (env_start + src), page, this_len, FOLL_ANON);



		if (retval <= 0) {

			ret = retval;

include/linux/mm.h

+1 −0
Original line number Diff line number Diff line
@@ -2493,6 +2493,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma, 
#define FOLL_MLOCK	0x1000	/* lock present pages */

#define FOLL_REMOTE	0x2000	/* we are working on non-current tsk/mm */

#define FOLL_COW	0x4000	/* internal GUP flag */

#define FOLL_ANON	0x8000	/* don't do file mappings */



static inline int vm_fault_to_errno(int vm_fault, int foll_flags)

{

mm/gup.c

+3 −0
Original line number Diff line number Diff line
@@ -544,6 +544,9 @@ static int check_vma_flags(struct vm_area_struct *vma, unsigned long gup_flags) 
	if (vm_flags & (VM_IO | VM_PFNMAP))

		return -EFAULT;



	if (gup_flags & FOLL_ANON && !vma_is_anonymous(vma))

		return -EFAULT;



	if (write) {

		if (!(vm_flags & VM_WRITE)) {

			if (!(gup_flags & FOLL_FORCE))

CRA Git | Maintained and supported by SUSTech CRA and CCSE