Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753237AbcD1TUW (ORCPT ); Thu, 28 Apr 2016 15:20:22 -0400 Received: from mx1.redhat.com ([209.132.183.28]:59617 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751865AbcD1TUU (ORCPT ); Thu, 28 Apr 2016 15:20:20 -0400 Date: Thu, 28 Apr 2016 21:20:10 +0200 From: Mateusz Guzik To: Mathias Krause Cc: Andrew Morton , linux-kernel@vger.kernel.org, Emese Revfy , Pax Team , Al Viro , Alexey Dobriyan , Cyrill Gorcunov , Jarod Wilson Subject: Re: [PATCH] proc: prevent accessing /proc//environ until it's ready Message-ID: <20160428192009.lqoyl65l4lhnmecs@mguzik> References: <1461870258-17970-1-git-send-email-minipli@googlemail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <1461870258-17970-1-git-send-email-minipli@googlemail.com> User-Agent: Mutt/1.6.0.1 (2016-04-01) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1610 Lines: 40 On Thu, Apr 28, 2016 at 09:04:18PM +0200, Mathias Krause wrote: > If /proc//environ gets read before the envp[] array is fully set > up in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying > to read more bytes than are actually written, as env_start will already > be set but env_end will still be zero, making the range calculation > underflow, allowing to read beyond the end of what has been written. > > Fix this as it is done for /proc//cmdline by testing env_end for > zero. It is, apparently, intentionally set last in create_*_tables(). > > This bug was found by the PaX size_overflow plugin that detected the > arithmetic underflow of 'this_len = env_end - (env_start + src)' when > env_end is still zero. > > Reported-at: https://forums.grsecurity.net/viewtopic.php?f=3&t=4363 > Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116461 > --- > fs/proc/base.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index 4f764c2ac1a5..45f2162e55b2 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -955,7 +955,8 @@ static ssize_t environ_read(struct file *file, char __user *buf, > struct mm_struct *mm = file->private_data; > unsigned long env_start, env_end; > > - if (!mm) > + /* Ensure the process spawned far enough to have an environment. */ > + if (!mm || !mm->env_end) > return 0; > > page = (char *)__get_free_page(GFP_TEMPORARY); In this case get_cmdline in mm/util.c should also be patched for completness. It tests for arg_end, but later accesses env_end. -- Mateusz Guzik