diff options
| author | Andreas Wellving <andreas.wellving@enea.com> | 2019-05-22 12:26:00 +0200 |
|---|---|---|
| committer | Adrian Mangeac <Adrian.Mangeac@enea.com> | 2019-05-22 13:19:43 +0200 |
| commit | 967c59486b44ad1a7d84f72f55c865c34ea49dd7 (patch) | |
| tree | 743c15ee966433b023cf30ab5e69384b7f258915 /patches/cve/CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch | |
| parent | e7236d8d1dad1bd73357aac2db6d5a98cc8b1425 (diff) | |
| download | enea-kernel-cache-967c59486b44ad1a7d84f72f55c865c34ea49dd7.tar.gz | |
proc: CVE-2018-17972
proc: restrict kernel stack dumps to root
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-17972
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=f8566a92ab75d442a823453414c6158b0b3c5ce7
Change-Id: I3cb00847d9952ee0eb5d76ba0bc96fd27fb64da9
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
Diffstat (limited to 'patches/cve/CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch')
| -rw-r--r-- | patches/cve/CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch | 79 |
1 files changed, 79 insertions, 0 deletions
diff --git a/patches/cve/CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch b/patches/cve/CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch new file mode 100644 index 0000000..3879f94 --- /dev/null +++ b/patches/cve/CVE-2018-17972-proc-restrict-kernel-stack-dumps-to-root.patch | |||
| @@ -0,0 +1,79 @@ | |||
| 1 | From f8566a92ab75d442a823453414c6158b0b3c5ce7 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Jann Horn <jannh@google.com> | ||
| 3 | Date: Fri, 5 Oct 2018 15:51:58 -0700 | ||
| 4 | Subject: [PATCH] proc: restrict kernel stack dumps to root | ||
| 5 | |||
| 6 | commit f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 upstream. | ||
| 7 | |||
| 8 | Currently, you can use /proc/self/task/*/stack to cause a stack walk on | ||
| 9 | a task you control while it is running on another CPU. That means that | ||
| 10 | the stack can change under the stack walker. The stack walker does | ||
| 11 | have guards against going completely off the rails and into random | ||
| 12 | kernel memory, but it can interpret random data from your kernel stack | ||
| 13 | as instruction pointers and stack pointers. This can cause exposure of | ||
| 14 | kernel stack contents to userspace. | ||
| 15 | |||
| 16 | Restrict the ability to inspect kernel stacks of arbitrary tasks to root | ||
| 17 | in order to prevent a local attacker from exploiting racy stack unwinding | ||
| 18 | to leak kernel task stack contents. See the added comment for a longer | ||
| 19 | rationale. | ||
| 20 | |||
| 21 | There don't seem to be any users of this userspace API that can't | ||
| 22 | gracefully bail out if reading from the file fails. Therefore, I believe | ||
| 23 | that this change is unlikely to break things. In the case that this patch | ||
| 24 | does end up needing a revert, the next-best solution might be to fake a | ||
| 25 | single-entry stack based on wchan. | ||
| 26 | |||
| 27 | CVE: CVE-2018-17972 | ||
| 28 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=f8566a92ab75d442a823453414c6158b0b3c5ce7] | ||
| 29 | |||
| 30 | Link: http://lkml.kernel.org/r/20180927153316.200286-1-jannh@google.com | ||
| 31 | Fixes: 2ec220e27f50 ("proc: add /proc/*/stack") | ||
| 32 | Signed-off-by: Jann Horn <jannh@google.com> | ||
| 33 | Acked-by: Kees Cook <keescook@chromium.org> | ||
| 34 | Cc: Alexey Dobriyan <adobriyan@gmail.com> | ||
| 35 | Cc: Ken Chen <kenchen@google.com> | ||
| 36 | Cc: Will Deacon <will.deacon@arm.com> | ||
| 37 | Cc: Laura Abbott <labbott@redhat.com> | ||
| 38 | Cc: Andy Lutomirski <luto@amacapital.net> | ||
| 39 | Cc: Catalin Marinas <catalin.marinas@arm.com> | ||
| 40 | Cc: Josh Poimboeuf <jpoimboe@redhat.com> | ||
| 41 | Cc: Thomas Gleixner <tglx@linutronix.de> | ||
| 42 | Cc: Ingo Molnar <mingo@redhat.com> | ||
| 43 | Cc: "H . Peter Anvin" <hpa@zytor.com> | ||
| 44 | Cc: <stable@vger.kernel.org> | ||
| 45 | Signed-off-by: Andrew Morton <akpm@linux-foundation.org> | ||
| 46 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
| 47 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 48 | --- | ||
| 49 | fs/proc/base.c | 14 ++++++++++++++ | ||
| 50 | 1 file changed, 14 insertions(+) | ||
| 51 | |||
| 52 | diff --git a/fs/proc/base.c b/fs/proc/base.c | ||
| 53 | index c5c42f3e33d1..9063738ff1f0 100644 | ||
| 54 | --- a/fs/proc/base.c | ||
| 55 | +++ b/fs/proc/base.c | ||
| 56 | @@ -431,6 +431,20 @@ static int proc_pid_stack(struct seq_file *m, struct pid_namespace *ns, | ||
| 57 | int err; | ||
| 58 | int i; | ||
| 59 | |||
| 60 | + /* | ||
| 61 | + * The ability to racily run the kernel stack unwinder on a running task | ||
| 62 | + * and then observe the unwinder output is scary; while it is useful for | ||
| 63 | + * debugging kernel issues, it can also allow an attacker to leak kernel | ||
| 64 | + * stack contents. | ||
| 65 | + * Doing this in a manner that is at least safe from races would require | ||
| 66 | + * some work to ensure that the remote task can not be scheduled; and | ||
| 67 | + * even then, this would still expose the unwinder as local attack | ||
| 68 | + * surface. | ||
| 69 | + * Therefore, this interface is restricted to root. | ||
| 70 | + */ | ||
| 71 | + if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN)) | ||
| 72 | + return -EACCES; | ||
| 73 | + | ||
| 74 | entries = kmalloc(MAX_STACK_TRACE_DEPTH * sizeof(*entries), GFP_KERNEL); | ||
| 75 | if (!entries) | ||
| 76 | return -ENOMEM; | ||
| 77 | -- | ||
| 78 | 2.19.2 | ||
| 79 | |||