linux/fs/proc
Jann Horn f8a00cef17 proc: restrict kernel stack dumps to root
Currently, you can use /proc/self/task/*/stack to cause a stack walk on
a task you control while it is running on another CPU.  That means that
the stack can change under the stack walker.  The stack walker does
have guards against going completely off the rails and into random
kernel memory, but it can interpret random data from your kernel stack
as instruction pointers and stack pointers.  This can cause exposure of
kernel stack contents to userspace.

Restrict the ability to inspect kernel stacks of arbitrary tasks to root
in order to prevent a local attacker from exploiting racy stack unwinding
to leak kernel task stack contents.  See the added comment for a longer
rationale.

There don't seem to be any users of this userspace API that can't
gracefully bail out if reading from the file fails.  Therefore, I believe
that this change is unlikely to break things.  In the case that this patch
does end up needing a revert, the next-best solution might be to fake a
single-entry stack based on wchan.

Link: http://lkml.kernel.org/r/20180927153316.200286-1-jannh@google.com
Fixes: 2ec220e27f ("proc: add /proc/*/stack")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Ken Chen <kenchen@google.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-05 16:32:05 -07:00
..
array.c proc: use "unsigned int" for sigqueue length 2018-06-07 17:34:38 -07:00
base.c proc: restrict kernel stack dumps to root 2018-10-05 16:32:05 -07:00
cmdline.c proc: introduce proc_create_single{,_data} 2018-05-16 07:23:35 +02:00
consoles.c proc: introduce proc_create_seq{,_data} 2018-05-16 07:23:35 +02:00
cpuinfo.c x86 / CPU: Always show current CPU frequency in /proc/cpuinfo 2017-11-15 19:46:50 +01:00
devices.c proc: introduce proc_create_seq{,_data} 2018-05-16 07:23:35 +02:00
fd.c proc: use "unsigned int" in proc_fill_cache() 2018-06-07 17:34:38 -07:00
fd.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
generic.c proc: smaller readlock section in readdir("/proc") 2018-08-22 10:52:45 -07:00
inode.c proc: fixup PDE allocation bloat 2018-08-22 10:52:45 -07:00
internal.h proc: spread "const" a bit 2018-08-22 10:52:46 -07:00
interrupts.c proc: introduce proc_create_seq{,_data} 2018-05-16 07:23:35 +02:00
Kconfig proc/kcore: add vmcoreinfo note to /proc/kcore 2018-08-22 10:52:46 -07:00
kcore.c fs/proc/kcore.c: fix invalid memory access in multi-page read optimization 2018-09-20 22:01:11 +02:00
kmsg.c vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
loadavg.c proc: introduce proc_create_single{,_data} 2018-05-16 07:23:35 +02:00
Makefile proc: : uninline name_to_int() 2017-11-17 16:10:00 -08:00
meminfo.c /proc/meminfo: add percpu populated pages count 2018-08-22 10:52:45 -07:00
namespaces.c procfs: switch instantiate_t to d_splice_alias() 2018-05-26 14:20:50 -04:00
nommu.c proc: introduce proc_create_seq{,_data} 2018-05-16 07:23:35 +02:00
page.c mm: mark pages in use for page tables 2018-06-07 17:34:37 -07:00
proc_net.c proc: Add a way to make network proc files writable 2018-05-18 11:46:15 +01:00
proc_sysctl.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
proc_tty.c tty: replace ->proc_fops with ->proc_show 2018-05-16 07:24:30 +02:00
root.c proc: Make inline name size calculation automatic 2018-06-15 00:48:57 -04:00
self.c proc: introduce a proc_pid_ns helper 2018-05-16 07:23:35 +02:00
softirqs.c proc: introduce proc_create_single{,_data} 2018-05-16 07:23:35 +02:00
stat.c proc: use "unsigned int" in /proc/stat hook 2018-08-22 10:52:46 -07:00
task_mmu.c mm: /proc/pid/smaps_rollup: convert to single value seq_file 2018-08-22 10:52:44 -07:00
task_nommu.c mm: /proc/pid/*maps remove is_pid and related wrappers 2018-08-22 10:52:44 -07:00
thread_self.c proc: introduce a proc_pid_ns helper 2018-05-16 07:23:35 +02:00
uptime.c fs/proc/uptime.c: use ktime_get_boottime_ts64 2018-08-22 10:52:45 -07:00
util.c proc: use do-while in name_to_int() 2017-11-17 16:10:00 -08:00
version.c proc: introduce proc_create_single{,_data} 2018-05-16 07:23:35 +02:00
vmcore.c fs/proc/vmcore.c: hide vmcoredd_mmap_dumps() for nommu builds 2018-08-23 18:48:43 -07:00