From patchwork Tue Sep 11 18:39:09 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jann Horn X-Patchwork-Id: 10596147 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8809A13B8 for ; Tue, 11 Sep 2018 18:39:17 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 77EBE29C93 for ; Tue, 11 Sep 2018 18:39:17 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 6B82729C9C; Tue, 11 Sep 2018 18:39:17 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1312329C93 for ; Tue, 11 Sep 2018 18:39:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726863AbeIKXju (ORCPT ); Tue, 11 Sep 2018 19:39:50 -0400 Received: from mail-yw1-f74.google.com ([209.85.161.74]:50629 "EHLO mail-yw1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726775AbeIKXju (ORCPT ); Tue, 11 Sep 2018 19:39:50 -0400 Received: by mail-yw1-f74.google.com with SMTP id u12-v6so15782596ywu.17 for ; Tue, 11 Sep 2018 11:39:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:message-id:mime-version:subject:from:to:cc; bh=jA8N4ToyH/y2/88nkwU8HeWL5jyBjgd+FrQpYzLpCG4=; b=L1PO4N6ooNOgTvZDAdWAuNyyDsoblSHhK44AZ84grrtK7ZUc35zWEScq3nvNJ3HqvX dYfbeyzdTHclaXYRO828eHYuduHpmT0gpoFEX1dDSk4uv4TzrXj6yslinsQjoAl2No+9 SG6ww/U7Z9zZVBbm4VhGFspKtkRUxBank/U/Mqns/onxbPxR7piJOf0xMlsp3Q81zRb7 iPIIb67tfDEZp0T44r+09m6lhqUEVSd924sUzFOkHycjlGWqW26b97y9YmrVUfc6BeJ1 +FodHTElVbIqBPvPunU4zjRU+KgLXWRPEjZM3/cI1r5B33aH1TekP+1BzdB0vBbjkUo0 Hksg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=jA8N4ToyH/y2/88nkwU8HeWL5jyBjgd+FrQpYzLpCG4=; b=YHEsCGbbgOZ2XY8xXJnZ7z7iBQTznfgHVeESjth6c92mT+miaXq1pqtS/oxM97R0CM 1fIUVHtuo8ZkMXduaVE+wclbi7ZyArnDDLL3EdufsfmsKBLINy8KCg7kCTGSD2tXgQqG FQ6OR1BFmGNx523tcJ7mhTYf4NO9tYLzET90YnmAqSyQuIRSKvx8k0FyAvhVYnDa011G ewxgxcYVdNAyxoVllsYdHxebAMtcvz2FJ7qXfgprNOtNGBx9FTq5gL5FC3PxWOkAQj31 GvWRLfWUDWZz+PhRIQUPs0OsDxMuKgVR6+s/ETb8v+UGcAgDmt8JvxwKxCMiALpxpUfS 3mkw== X-Gm-Message-State: APzg51BqvwhswYKiwPr6IA3JsqCKq5eZuzYiukRD04rYnfRGUxVxmG08 Jgdj3V/cPoggKPukWIaHw46dB+RDag== X-Google-Smtp-Source: ANB0VdZt81L8knkX5ivKEG+jBo1aTCuv7/Fo6l//lISTiooXyr0DBppat66yH/HipA+4PfcNyxT4TFNH6A== X-Received: by 2002:a25:a08f:: with SMTP id y15-v6mr5758025ybh.28.1536691154741; Tue, 11 Sep 2018 11:39:14 -0700 (PDT) Date: Tue, 11 Sep 2018 20:39:09 +0200 Message-Id: <20180911183909.233413-1-jannh@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.19.0.rc2.392.g5ba43deb5a-goog Subject: [PATCH] proc: restrict kernel stack dumps to root From: Jann Horn To: Alexey Dobriyan , jannh@google.com Cc: Ken Chen , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Will Deacon , Laura Abbott , Andy Lutomirski , security@kernel.org, Catalin Marinas , Josh Poimboeuf , Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Restrict the ability to inspect kernel stacks of arbitrary tasks to root in order to prevent a local attacker from exploiting racy stack unwinding to leak kernel task stack contents. See the added comment for a longer rationale. There don't seem to be any users of this userspace API that can't gracefully bail out if reading from the file fails. Therefore, I believe that this change is unlikely to break things. In the case that this patch does end up needing a revert, the next-best solution might be to fake a single-entry stack based on wchan. Fixes: 2ec220e27f50 ("proc: add /proc/*/stack") Cc: stable@vger.kernel.org Signed-off-by: Jann Horn Reviewed-by: Kees Cook --- fs/proc/base.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/fs/proc/base.c b/fs/proc/base.c index ccf86f16d9f0..7e9f07bf260d 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -407,6 +407,20 @@ static int proc_pid_stack(struct seq_file *m, struct pid_namespace *ns, unsigned long *entries; int err; + /* + * The ability to racily run the kernel stack unwinder on a running task + * and then observe the unwinder output is scary; while it is useful for + * debugging kernel issues, it can also allow an attacker to leak kernel + * stack contents. + * Doing this in a manner that is at least safe from races would require + * some work to ensure that the remote task can not be scheduled; and + * even then, this would still expose the unwinder as local attack + * surface. + * Therefore, this interface is restricted to root. + */ + if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN)) + return -EACCES; + entries = kmalloc_array(MAX_STACK_TRACE_DEPTH, sizeof(*entries), GFP_KERNEL); if (!entries)