    proc: restrict kernel stack dumps to root · f8566a92
    Jann Horn authored
    commit f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 upstream.
    
    Currently, you can use /proc/self/task/*/stack to cause a stack walk on
    a task you control while it is running on another CPU.  That means that
    the stack can change under the stack walker.  The stack walker does
    have guards against going completely off the rails and into random
    kernel memory, but it can interpret random data from your kernel stack
    as instruction pointers and stack pointers.  This can cause exposure of
    kernel stack contents to userspace.
    
    Restrict the ability to inspect kernel stacks of arbitrary tasks to root
    in order to prevent a local attacker from exploiting racy stack unwinding
    to leak kernel task stack contents.  See the added comment for a longer
    rationale.
    
    There don't seem to be any users of this userspace API that can't
    gracefully bail out if reading from the file fails.  Therefore, I believe
    that this change is unlikely to break things.  In the case that this patch
    does end up needing a revert, the next-best solution might be to fake a
    single-entry stack based on wchan.
    
    Link: http://lkml.kernel.org/r/20180927153316.200286-1-jannh@google.com
    Fixes: 2ec220e2 ("proc: add /proc/*/stack")
    Signed-off-by: Jann Horn <jannh@google.com>
    Acked-by: Kees Cook <keescook@chromium.org>
    Cc: Alexey Dobriyan <adobriyan@gmail.com>
    Cc: Ken Chen <kenchen@google.com>
    Cc: Will Deacon <will.deacon@arm.com>
    Cc: Laura Abbott <labbott@redhat.com>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Josh Poimboeuf <jpoimboe@redhat.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: "H . Peter Anvin" <hpa@zytor.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Name
Kconfig
Makefile
array.c
base.c
cmdline.c
consoles.c
cpuinfo.c
devices.c
fd.c
fd.h
generic.c
inode.c
internal.h
interrupts.c
kcore.c
kmsg.c
loadavg.c
meminfo.c
namespaces.c
nommu.c
page.c
proc_net.c
proc_sysctl.c
proc_tty.c
root.c
self.c
softirqs.c
stat.c
task_mmu.c
task_nommu.c
thread_self.c
uptime.c
version.c
vmcore.c