mirror of
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-11-27 01:11:31 +00:00
So the /proc/PID/stat 'wchan' field (the 30th field, which contains
the absolute kernel address of the kernel function a task is blocked in)
leaks absolute kernel addresses to unprivileged user-space:
    seq_put_decimal_ull(m, ' ', wchan);
The absolute address might also leak via /proc/PID/wchan as well, if
KALLSYMS is turned off or if the symbol lookup fails for some reason:
    static int proc_pid_wchan(struct seq_file *m, struct pid_namespace *ns,
                              struct pid *pid, struct task_struct *task)
    {
            unsigned long wchan;
            char symname[KSYM_NAME_LEN];

            wchan = get_wchan(task);

            if (lookup_symbol_name(wchan, symname) < 0) {
                    if (!ptrace_may_access(task, PTRACE_MODE_READ))
                            return 0;
                    seq_printf(m, "%lu", wchan);
            } else {
                    seq_printf(m, "%s", symname);
            }

            return 0;
    }
This isn't ideal, because for example it trivially leaks the KASLR offset
to any local attacker:
    fomalhaut:~> printf "%016lx\n" $(cat /proc/$$/stat | cut -d' ' -f35)
    ffffffff8123b380
Most real-life uses of wchan are symbolic:
    ps -eo pid:10,tid:10,wchan:30,comm
and procps uses /proc/PID/wchan, not the absolute address in /proc/PID/stat:
    triton:~/tip> strace -f ps -eo pid:10,tid:10,wchan:30,comm 2>&1 | grep wchan | tail -1
    open("/proc/30833/wchan", O_RDONLY) = 6
There's one compatibility quirk here: procps relies on whether the
absolute value is non-zero - and we can provide that functionality
by outputting "0" or "1" depending on whether the task is blocked
(whether there's a wchan address).
These days there appears to be very little legitimate reason
user-space would be interested in the absolute address. The
absolute address is mostly historic: from the days when we
didn't have kallsyms and user-space procps had to do the
decoding itself via the System.map.
So this patch sets all numeric output to "0" or "1" and keeps only
symbolic output, in /proc/PID/wchan.
( The absolute sleep address can generally still be profiled via
perf, by tasks with sufficient privileges. )
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: kasan-dev <kasan-dev@googlegroups.com>
Cc: linux-kernel@vger.kernel.org
Link: http://lkml.kernel.org/r/20150930135917.GA3285@gmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
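As an added illustration (not code from the commit or the kernel tree), the following script parses a /proc/PID/stat line the way procps has to and classifies its wchan field (field 35): a kernel with this patch emits only "0" or "1", an unpatched one emits an absolute kernel address. It also shows why the `cut -d' ' -f35` one-liner above is fragile: the comm field may contain spaces or parentheses, so fields must be split after the last ')'. The sample stat lines are constructed, and `audit_live` is a hypothetical helper for checking a running system.

```python
"""Audit the wchan field of /proc/PID/stat for kernel-address exposure.

Added example, not part of the kernel commit. Field 35 of the stat line is
wchan; the patched kernel prints 0/1 there, older kernels an absolute address.
"""
import os

WCHAN_FIELD = 35  # 1-based field number per proc(5)


def stat_fields(line):
    """Split a stat line into fields, keeping comm (field 2) intact."""
    head, _, tail = line.rstrip("\n").rpartition(")")  # comm ends at last ')'
    pid, _, comm = head.partition(" (")
    return [pid, comm] + tail.split()


def wchan_value(line):
    return int(stat_fields(line)[WCHAN_FIELD - 1])


def naive_wchan_value(line):
    """The `cut -d' ' -f35` approach: misaligned when comm contains spaces."""
    return line.split(" ")[WCHAN_FIELD - 1]


def classify_wchan(value):
    """0/1 is what the patched kernel emits; anything else is a raw address."""
    if value == 0:
        return "not-blocked"
    if value == 1:
        return "blocked"  # patched kernel: task is blocked, address withheld
    return "kernel-address-exposed"


def make_stat_line(pid, comm, state, wchan):
    """Constructed 52-field stat line; every field not given is 0."""
    fields = ["0"] * 52
    fields[0], fields[1], fields[2] = str(pid), f"({comm})", state
    fields[WCHAN_FIELD - 1] = str(wchan)
    return " ".join(fields) + "\n"


def audit_live(pid=1):
    """Classify a blocked task on the running kernel; None without /proc."""
    path = f"/proc/{pid}/stat"
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return classify_wchan(wchan_value(f.readline()))
```

Reading PID 1 rather than the auditing process itself matters: a running task reports wchan 0 on any kernel, so only a blocked task distinguishes the two behaviours.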