Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3932174imm; Mon, 8 Oct 2018 11:54:30 -0700 (PDT) X-Google-Smtp-Source: ACcGV63CglDT/0RyM1ewfyluZWVkz2zwngE5grvBWL08bQveK0SPSVmD7fxEpNDtFhW70Nph5Vi/ X-Received: by 2002:a63:5353:: with SMTP id t19-v6mr22074360pgl.199.1539024870759; Mon, 08 Oct 2018 11:54:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539024870; cv=none; d=google.com; s=arc-20160816; b=yQ8K9u/9eX0eLGxyD0ZedlR8Kn5v8k6IxHMG4vyekbQYCNcTe45LbjZ3hSItU3J9Ar f72/ZU+defmXpmOFkpj2ikZZqe9YewipLndFPGONOK41nO148TuHLMq2pMjUO8Hq0DAv uE2iP3BnhBnWQuQpZOKBtQQRUyxqjmYNmyjPmbh35keHX41n4xy0wX2JKu/cLlTUXa07 RWIi0IBK/bov/vbfTFWjbh2jhLCxIo9CFu0OfqJJXyY0jXOap+gqLbz+DbvYIvGgqk3R tyAiI7R0GS13be1AY6bIsaqmH9KuL/1scpr9nLLR0TwD8zU92SysWKblW2qSJTp9jAUF T3Cw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=r/lI97AxkPbKD6FxpzBq/c14bFSrQpLPWkwjsc+FudY=; b=HfEjSOwC1XXim3WhnpAmGm/QiDYsJZk7lu7tpVjWp4I/JYAZwhUqTX359yX0dz3AHX 1y1Y/N82KMSswIMF/nXN0Uerjw3+lUOwWnhleSb8boKLAXycRtoaLXFWLgWdvHqpmzQk 3+ZCq4V4P3C6T3701rKDc9j8RTWl2+lMcAjrrxHVHuz+E3iCMrUHUSnLyNrjSorsdI51 CI5KG2ldAJhHQo4jybHIe4pmrNQG95ErNLjbP6M9EYv+cCgOpsJE/kDTemmI7KlSIwPO BaZA/japoarX6LqDgI/oB7iSt09IuzAy2pKqzDpvvexBUPEI1dyXLkkfVIblz8wAeMPy LR2A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=wq9isYWu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i5-v6si17700522pgg.559.2018.10.08.11.54.15; Mon, 08 Oct 2018 11:54:30 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=wq9isYWu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732877AbeJICHO (ORCPT + 99 others); Mon, 8 Oct 2018 22:07:14 -0400 Received: from mail.kernel.org ([198.145.29.99]:57746 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727670AbeJICHO (ORCPT ); Mon, 8 Oct 2018 22:07:14 -0400 Received: from localhost (ip-213-127-77-176.ip.prioritytelecom.net [213.127.77.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 2554B204FD; Mon, 8 Oct 2018 18:54:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1539024845; bh=tA2ilpF3uDbSfNszcqgY0mNvLGKBP214/XPBAP/9iMY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=wq9isYWuhPJoPvvl6Uyx9gf2b+6q8QFguP63pgjpkTxj1FKHZyVWV0goP7nvd5cZQ D/lYJJnglilcENBSWV3pnet+psiZW/Rq6L6ccfYEc09KvziruajOoyUNg7P9pTDoUW 3BL3axA2/EiL1i+YBC5y98dBgnXD29cMn2g6W3mU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jann Horn , Kees Cook , Alexey Dobriyan , Ken Chen , Will Deacon , Laura Abbott , Andy Lutomirski , Catalin Marinas , Josh Poimboeuf , Thomas Gleixner , Ingo Molnar , "H . Peter Anvin" , Andrew Morton Subject: [PATCH 4.18 165/168] proc: restrict kernel stack dumps to root Date: Mon, 8 Oct 2018 20:32:25 +0200 Message-Id: <20181008175626.327328666@linuxfoundation.org> X-Mailer: git-send-email 2.19.0 In-Reply-To: <20181008175620.043587728@linuxfoundation.org> References: <20181008175620.043587728@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jann Horn commit f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 upstream. Currently, you can use /proc/self/task/*/stack to cause a stack walk on a task you control while it is running on another CPU. That means that the stack can change under the stack walker. The stack walker does have guards against going completely off the rails and into random kernel memory, but it can interpret random data from your kernel stack as instruction pointers and stack pointers. This can cause exposure of kernel stack contents to userspace. Restrict the ability to inspect kernel stacks of arbitrary tasks to root in order to prevent a local attacker from exploiting racy stack unwinding to leak kernel task stack contents. See the added comment for a longer rationale. There don't seem to be any users of this userspace API that can't gracefully bail out if reading from the file fails. Therefore, I believe that this change is unlikely to break things. In the case that this patch does end up needing a revert, the next-best solution might be to fake a single-entry stack based on wchan. Link: http://lkml.kernel.org/r/20180927153316.200286-1-jannh@google.com Fixes: 2ec220e27f50 ("proc: add /proc/*/stack") Signed-off-by: Jann Horn Acked-by: Kees Cook Cc: Alexey Dobriyan Cc: Ken Chen Cc: Will Deacon Cc: Laura Abbott Cc: Andy Lutomirski Cc: Catalin Marinas Cc: Josh Poimboeuf Cc: Thomas Gleixner Cc: Ingo Molnar Cc: "H . Peter Anvin" Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman --- fs/proc/base.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -407,6 +407,20 @@ static int proc_pid_stack(struct seq_fil unsigned long *entries; int err; + /* + * The ability to racily run the kernel stack unwinder on a running task + * and then observe the unwinder output is scary; while it is useful for + * debugging kernel issues, it can also allow an attacker to leak kernel + * stack contents. + * Doing this in a manner that is at least safe from races would require + * some work to ensure that the remote task can not be scheduled; and + * even then, this would still expose the unwinder as local attack + * surface. + * Therefore, this interface is restricted to root. + */ + if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN)) + return -EACCES; + entries = kmalloc_array(MAX_STACK_TRACE_DEPTH, sizeof(*entries), GFP_KERNEL); if (!entries)