From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jann Horn, Kees Cook, Alexey Dobriyan, Ken Chen, Will Deacon, Laura Abbott, Andy Lutomirski, Catalin Marinas, Josh Poimboeuf, Thomas Gleixner, Ingo Molnar, "H . Peter Anvin", Andrew Morton
Subject: [PATCH 4.4 112/113] proc: restrict kernel stack dumps to root
Date: Mon, 8 Oct 2018 20:31:53 +0200
Message-Id: <20181008175537.432558139@linuxfoundation.org>
X-Mailer: git-send-email 2.19.0
In-Reply-To: <20181008175530.864641368@linuxfoundation.org>
References: <20181008175530.864641368@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: 
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch. If anyone has any objections, please let me know.

------------------
From: Jann Horn

commit f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 upstream.

Currently, you can use /proc/self/task/*/stack to cause a stack walk on a task you control while it is running on another CPU. That means that the stack can change under the stack walker. The stack walker does have guards against going completely off the rails and into random kernel memory, but it can interpret random data from your kernel stack as instruction pointers and stack pointers. This can cause exposure of kernel stack contents to userspace.

Restrict the ability to inspect kernel stacks of arbitrary tasks to root in order to prevent a local attacker from exploiting racy stack unwinding to leak kernel task stack contents. See the added comment for a longer rationale.

There don't seem to be any users of this userspace API that can't gracefully bail out if reading from the file fails. Therefore, I believe that this change is unlikely to break things. In the case that this patch does end up needing a revert, the next-best solution might be to fake a single-entry stack based on wchan.

Link: http://lkml.kernel.org/r/20180927153316.200286-1-jannh@google.com
Fixes: 2ec220e27f50 ("proc: add /proc/*/stack")
Signed-off-by: Jann Horn
Acked-by: Kees Cook
Cc: Alexey Dobriyan
Cc: Ken Chen
Cc: Will Deacon
Cc: Laura Abbott
Cc: Andy Lutomirski
Cc: Catalin Marinas
Cc: Josh Poimboeuf
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: "H . Peter Anvin"
Cc: 
Signed-off-by: Andrew Morton
Signed-off-by: Greg Kroah-Hartman
---
 fs/proc/base.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -471,6 +471,20 @@ static int proc_pid_stack(struct seq_fil int err; int i; + /* + * The ability to racily run the kernel stack unwinder on a running task + * and then observe the unwinder output is scary; while it is useful for + * debugging kernel issues, it can also allow an attacker to leak kernel + * stack contents. + * Doing this in a manner that is at least safe from races would require + * some work to ensure that the remote task can not be scheduled; and + * even then, this would still expose the unwinder as local attack + * surface. + * Therefore, this interface is restricted to root. + */ + if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN)) + return -EACCES; + entries = kmalloc(MAX_STACK_TRACE_DEPTH * sizeof(*entries), GFP_KERNEL); if (!entries) return -ENOMEM;
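Review bot: the new check in proc_pid_stack() uses file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN), which evaluates the credentials of the process that opened the file, not of the process doing the read; that is the right choice for a read-time permission check on a /proc file (a privileged process handed an unprivileged opener's descriptor cannot be used as a confused deputy), but the comment block only says "restricted to root", so it is worth adding one line stating that the gate is CAP_SYS_ADMIN in the initial user namespace and is bound to the opener, so a later cleanup does not replace it with a plain capable(CAP_SYS_ADMIN). Since the check sits before the kmalloc(), a denied reader costs no allocation, which is good. Also, this turns a previously world-readable userspace-visible file into a root-only one, and the diffstat shows only fs/proc/base.c changing; the proc filesystem documentation describing /proc/*/stack should get a matching note so users know reads now fail with -EACCES for unprivileged callers.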