Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3924109imm;
        Mon, 8 Oct 2018 11:46:04 -0700 (PDT)
X-Google-Smtp-Source: ACcGV63h996mEo+jtAtDy5Tg4nKZFjd0MAzJlCcCV6gFfTZ1cWDGWMCfOBXVYKdD1Sd3xQi2r/bJ
X-Received: by 2002:a63:aa48:: with SMTP id x8-v6mr21777811pgo.87.1539024364626;
        Mon, 08 Oct 2018 11:46:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1539024364; cv=none;
        d=google.com; s=arc-20160816;
        b=yXVAR5ymg0uoaFtERudDJF5Zl9FLOebdyubA9zhXSON6tyVghjW4HXQIDb1M9yv7DO
         WfC5JZlpmCaiQq43FtMAVHOFxRegV+8dNa22bwjnBb+n82mYlY3drN4i39uVxcP6jJvA
         LIgCld99CRfbJh5LWvi8PWl1hUdJq6B1nZGEsRzZLM8OxVPUsWiQDfW2Cgy2ZKge7tIs
         vbykxCe5Z3SolMBWjqw/jx4iCxfzTZgcZbWIa6fSYwhThh9fSjdf1o9yQb0zJIurKUuQ
         EMGhHiXHVST2D4uZhuzeDivB3cpbN0H68C518bdybAWoys3UUaOdk/xDUVho/R66L2sL
         uXFw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=5EvOSKzgJboxBWVHr938hg0Fw++ttFRjDTSARYjmVqQ=;
        b=tplkwDs8SafGz2lBx3BjvAjhCfK2/Xi7i2eOdd4LN7wM7Tsx8ypXz/5Dx4HA4Gnz9p
         ZpXFg0HgK9YVcn9xP/1CGVhqq/7WNlO99ERcMnVl6J15wtgTF7pZzMws48N+YTJMzHvH
         PA9EIieiexFfV1HjWpNZZd5laXwN+7e9pCki52Hu6Kot/ffVyKQFUHnDrctn3MGgb6WX
         GTVh58EJ3O1QzkUBQbsjsg7RvcqBWkQZcllhKjWzDsPxkn24m6m6QxUveunEC7gEYvY2
         ShhIdpH7ktQErR45Y/f0SlHpv2fCy9//rGPskro3zwFE+ZBeDuBhB7E67/f3UfOIJwxU
         TwYg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=VVLMivIy;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k10-v6si17198201plt.328.2018.10.08.11.45.48;
        Mon, 08 Oct 2018 11:46:04 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=VVLMivIy;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730917AbeJIB6N (ORCPT <rfc822;jandrusk@gmail.com> + 99 others);
        Mon, 8 Oct 2018 21:58:13 -0400
Received: from mail.kernel.org ([198.145.29.99]:46226 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1730200AbeJIB6M (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 8 Oct 2018 21:58:12 -0400
Received: from localhost (ip-213-127-77-176.ip.prioritytelecom.net [213.127.77.176])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id D368D2064A;
        Mon,  8 Oct 2018 18:45:05 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1539024306;
        bh=Dds1G6JLi5hToRArz7J4zm8SYZZQHwpk3TWoaNprbrw=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=VVLMivIyTUOFDFBE4GC6Ski3zqxizGyIaHGCwQ9jWf8rc5XIVVvtOEADYLbC4DioB
         NTrvpIPqmJWci8mAVa2UB0Nq0T2+iTliQIXGCGBMSrjUDcCJ3uFn8UskrSFGh1lqkW
         v38npUtDhinkQaG/o19Z7YBCy54kZE15n+pMsnzM=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Jann Horn <jannh@google.com>,
        Kees Cook <keescook@chromium.org>,
        Alexey Dobriyan <adobriyan@gmail.com>,
        Ken Chen <kenchen@google.com>,
        Will Deacon <will.deacon@arm.com>,
        Laura Abbott <labbott@redhat.com>,
        Andy Lutomirski <luto@amacapital.net>,
        Catalin Marinas <catalin.marinas@arm.com>,
        Josh Poimboeuf <jpoimboe@redhat.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>,
        "H . Peter Anvin" <hpa@zytor.com>,
        Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH 4.14 92/94] proc: restrict kernel stack dumps to root
Date:   Mon,  8 Oct 2018 20:32:13 +0200
Message-Id: <20181008175610.936204107@linuxfoundation.org>
X-Mailer: git-send-email 2.19.0
In-Reply-To: <20181008175605.067676667@linuxfoundation.org>
References: <20181008175605.067676667@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 upstream.

Currently, you can use /proc/self/task/*/stack to cause a stack walk on
a task you control while it is running on another CPU.  That means that
the stack can change under the stack walker.  The stack walker does
have guards against going completely off the rails and into random
kernel memory, but it can interpret random data from your kernel stack
as instruction pointers and stack pointers.  This can cause exposure of
kernel stack contents to userspace.

Restrict the ability to inspect kernel stacks of arbitrary tasks to root
in order to prevent a local attacker from exploiting racy stack unwinding
to leak kernel task stack contents.  See the added comment for a longer
rationale.

There don't seem to be any users of this userspace API that can't
gracefully bail out if reading from the file fails.  Therefore, I believe
that this change is unlikely to break things.  In the case that this patch
does end up needing a revert, the next-best solution might be to fake a
single-entry stack based on wchan.

Link: http://lkml.kernel.org/r/20180927153316.200286-1-jannh@google.com
Fixes: 2ec220e27f50 ("proc: add /proc/*/stack")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Ken Chen <kenchen@google.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/proc/base.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -431,6 +431,20 @@ static int proc_pid_stack(struct seq_fil
 	int err;
 	int i;
 
+	/*
+	 * The ability to racily run the kernel stack unwinder on a running task
+	 * and then observe the unwinder output is scary; while it is useful for
+	 * debugging kernel issues, it can also allow an attacker to leak kernel
+	 * stack contents.
+	 * Doing this in a manner that is at least safe from races would require
+	 * some work to ensure that the remote task can not be scheduled; and
+	 * even then, this would still expose the unwinder as local attack
+	 * surface.
+	 * Therefore, this interface is restricted to root.
+	 */
+	if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN))
+		return -EACCES;
+
 	entries = kmalloc(MAX_STACK_TRACE_DEPTH * sizeof(*entries), GFP_KERNEL);
 	if (!entries)
 		return -ENOMEM;