    proc: fix races against execve() of /proc/PID/fd** · aa6afca5
    Vasiliy Kulikov authored
    fd* files are restricted to the task's owner, and other users may not get
    direct access to them.  But one may open any of these files and run any
    setuid program, keeping opened file descriptors.  As there are permission
    checks on open(), but not on readdir() and read(), operations on the kept
    file descriptors will not be checked.  It makes it possible to violate the
    procfs permission model.
    
    Reading fdinfo/* may disclose current fds' position and flags, reading
    directory contents of fdinfo/ and fd/ may disclose the number of opened
    files by the target task.  This information is not sensitive per se, but it
    can reveal some private information (like length of a password stored in a
    file) under certain conditions.
    
    Used existing (un)lock_trace functions to check for ptrace_may_access(),
    but instead of using EPERM return code from it use EACCES to be consistent
    with existing proc_pid_follow_link()/proc_pid_readlink() return code.  If
    they differ, an attacker can guess what fds exist by analyzing stat() return
    code.  Patched handlers: stat() for fd/*, stat() and read() for fdinfo/*,
    readdir() and lookup() for fd/ and fdinfo/.

    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Cc: Cyrill Gorcunov <gorcunov@gmail.com>
    Cc: <stable@kernel.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
base.c 82 KB