From patchwork Thu Sep 27 15:33:16 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jann Horn X-Patchwork-Id: 10618155 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1DB12112B for ; Thu, 27 Sep 2018 15:33:41 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0E066286E0 for ; Thu, 27 Sep 2018 15:33:41 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 01DB72BAA1; Thu, 27 Sep 2018 15:33:40 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9AAA3286E0 for ; Thu, 27 Sep 2018 15:33:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728195AbeI0VwO (ORCPT ); Thu, 27 Sep 2018 17:52:14 -0400 Received: from mail-vs1-f73.google.com ([209.85.217.73]:53407 "EHLO mail-vs1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728020AbeI0VwO (ORCPT ); Thu, 27 Sep 2018 17:52:14 -0400 Received: by mail-vs1-f73.google.com with SMTP id f29-v6so1048548vsl.20 for ; Thu, 27 Sep 2018 08:33:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:message-id:mime-version:subject:from:to:cc; bh=YD6ZM+HnTsOtlUk/16jXhScztnyHopHZs+PHDuwfBRA=; b=fDrU2mfXAiU/l5hZeI/7fp/5bLFJiasObZws8Ir326GyeFaLTzyMMKAFkLbbLjw+JE +6gb5LX0WKcGN9lQeZ05Qd57YxeLOHs0Ib9kI6VuH5NKvuZbKLPpLbU0e88Tud2fzC7m bLH1y7aaiJSRYzTPjODAhCUtKEreodNi30KLM0XyBPy+xyBgxNcC5gs6qnOiFT+hcpg/ vvt6ymSYI+JB4xscxGXB/M8PaPpsjh5rO4PJKSqJfpxM+KMtIoEFOF7J8jGTnMjp9rWJ Sj82zqFObqpawadB53irfL7e2Q+UaQNYF4CazOXRc5b/21bOFYT8eztvESmEsMBkycnQ r7jQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=YD6ZM+HnTsOtlUk/16jXhScztnyHopHZs+PHDuwfBRA=; b=p7RuaMJiwYO4aX5FfOf/gMG1CX8NOC3Xg09iGsZ+8pjz57P3MrV+IallfJQ19ZV7hR QBoAWgn82pxoRrum7sC6bw67PEIcacTKepldBdtig+Jx6eLbzqTZ5J70WNFRzjRy6Fg3 WvA/2l2KAAZvpzd4aDNXYUjSGoXVCiT3TvsCI7Sz9nbY8aX8XewOXZ7qNXehtjVvAXAx TlfLfeh8GjC96CCAh7K9Mnh2gqjIlRgvMeIk+hKtX6DvJTcVThYv5ot4KGcJ8z5TlTof Tud8RfpsNeg8AyrYF8ljxfvo7AIRrvKVVbI6F/E52uIOQbS4/a716qndM/TyBbeH+rsO kWsg== X-Gm-Message-State: ABuFfohQx7AEleRJRUF5LNTavYpK1R+nCAsW7oo6xzx0vPnbDdoWXERn Msbh7jXhhbOTE2wZ7SslHZCWzs/Fxg== X-Google-Smtp-Source: ACcGV63IVoUugxs+B31IDjqaFMOeFcVNxtrgRFyiaE5zSCRf4q4LpTLQpKegopxq1ylOC5xQs+JQJHrCdw== X-Received: by 2002:a67:4195:: with SMTP id x21-v6mr6037087vsf.25.1538062405281; Thu, 27 Sep 2018 08:33:25 -0700 (PDT) Date: Thu, 27 Sep 2018 17:33:16 +0200 Message-Id: <20180927153316.200286-1-jannh@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.19.0.605.g01d371f741-goog Subject: [PATCH resend] proc: restrict kernel stack dumps to root From: Jann Horn To: Andrew Morton , jannh@google.com Cc: Kees Cook , Alexey Dobriyan , Ken Chen , kernel list , "linux-fsdevel@vger.kernel.org" , Will Deacon , Laura Abbott , Andy Lutomirski , Security Officers , Catalin Marinas , Josh Poimboeuf , Thomas Gleixner , Ingo Molnar , "H . Peter Anvin" , Linux API Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Restrict the ability to inspect kernel stacks of arbitrary tasks to root in order to prevent a local attacker from exploiting racy stack unwinding to leak kernel task stack contents. See the added comment for a longer rationale. There don't seem to be any users of this userspace API that can't gracefully bail out if reading from the file fails. Therefore, I believe that this change is unlikely to break things. In the case that this patch does end up needing a revert, the next-best solution might be to fake a single-entry stack based on wchan. Fixes: 2ec220e27f50 ("proc: add /proc/*/stack") Cc: stable@vger.kernel.org Signed-off-by: Jann Horn Acked-by: Kees Cook --- Resending because I forgot to send this to akpm the first time. fs/proc/base.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/fs/proc/base.c b/fs/proc/base.c index ccf86f16d9f0..7e9f07bf260d 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -407,6 +407,20 @@ static int proc_pid_stack(struct seq_file *m, struct pid_namespace *ns, unsigned long *entries; int err; + /* + * The ability to racily run the kernel stack unwinder on a running task + * and then observe the unwinder output is scary; while it is useful for + * debugging kernel issues, it can also allow an attacker to leak kernel + * stack contents. + * Doing this in a manner that is at least safe from races would require + * some work to ensure that the remote task can not be scheduled; and + * even then, this would still expose the unwinder as local attack + * surface. + * Therefore, this interface is restricted to root. + */ + if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN)) + return -EACCES; + entries = kmalloc_array(MAX_STACK_TRACE_DEPTH, sizeof(*entries), GFP_KERNEL); if (!entries)