Commit f83ce3e6 authored by Jake Edge's avatar Jake Edge Committed by Linus Torvalds
Browse files

proc: avoid information leaks to non-privileged processes 

By using the same test as is used for /proc/pid/maps and /proc/pid/smaps,
only allow processes that can ptrace() a given process to see information
that might be used to bypass address space layout randomization (ASLR).
These include eip, esp, wchan, and start_stack in /proc/pid/stat as well
as the non-symbolic output from /proc/pid/wchan.

ASLR can be bypassed by sampling eip as shown by the proof-of-concept
code at http://code.google.com/p/fuzzyaslr/ As part of a presentation
(http://www.cr0.org/paper/to-jt-linux-alsr-leak.pdf

) esp and wchan were
also noted as possibly usable information leaks as well.  The
start_stack address also leaks potentially useful information.

Cc: Stable Team <stable@kernel.org>
Signed-off-by: default avatarJake Edge <jake@lwn.net>
Acked-by: default avatarArjan van de Ven <arjan@linux.intel.com>
Acked-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 7fdf5230

fs/proc/array.c

+9 −4
Original line number Diff line number Diff line
@@ -80,6 +80,7 @@ 
#include <linux/delayacct.h>

#include <linux/seq_file.h>

#include <linux/pid_namespace.h>

#include <linux/ptrace.h>

#include <linux/tracehook.h>



#include <asm/pgtable.h>
@@ -352,6 +353,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, 
	char state;

	pid_t ppid = 0, pgid = -1, sid = -1;

	int num_threads = 0;

	int permitted;

	struct mm_struct *mm;

	unsigned long long start_time;

	unsigned long cmin_flt = 0, cmaj_flt = 0;
@@ -364,12 +366,15 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, 


	state = *get_task_state(task);

	vsize = eip = esp = 0;

	permitted = ptrace_may_access(task, PTRACE_MODE_READ);

	mm = get_task_mm(task);

	if (mm) {

		vsize = task_vsize(mm);

		if (permitted) {

			eip = KSTK_EIP(task);

			esp = KSTK_ESP(task);

		}

	}



	get_task_comm(tcomm, task);
@@ -424,7 +429,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, 
		unlock_task_sighand(task, &flags);

	}



	if (!whole || num_threads < 2)

	if (permitted && (!whole || num_threads < 2))

		wchan = get_wchan(task);

	if (!whole) {

		min_flt = task->min_flt;
@@ -476,7 +481,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, 
		rsslim,

		mm ? mm->start_code : 0,

		mm ? mm->end_code : 0,

		mm ? mm->start_stack : 0,

		(permitted && mm) ? mm->start_stack : 0,

		esp,

		eip,

		/* The signal information here is obsolete.

fs/proc/base.c

+4 −1
Original line number Diff line number Diff line
@@ -322,6 +322,9 @@ static int proc_pid_wchan(struct task_struct *task, char *buffer) 
	wchan = get_wchan(task);



	if (lookup_symbol_name(wchan, symname) < 0)

		if (!ptrace_may_access(task, PTRACE_MODE_READ))

			return 0;

		else

			return sprintf(buffer, "%lu", wchan);

	else

		return sprintf(buffer, "%s", symname);

CRA Git | Maintained and supported by SUSTech CRA and CCSE