[PATCH 0/1] proc: Fix ptrace-based permission checks for accessing task maps

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The recently released stable versions (eg 3.10.98, 3.12.55, 3.14.62) introduce
a bug where all access to /proc/pid/maps and /proc/pid/pagemap is denied due
to the backported commit "ptrace: use fsuid, fsgid, effective creds for fs
access checks" not modifying the mm_access() calls to include
PTRACE_MODE_FSCREDS in fs/proc/task_mmu.c and fs/proc/task_nommu.c.

This was discovered, patched, and tested on 3.10.98, but only confirmed by
source code review in 3.12.55 and 3.14.62.

The patch was made against 3.10.98, but also applies to 3.12.55 and 3.14.62.

Bug demonstration:

root@test:~# id -a
uid=0(root) gid=0(root) groups=0(root)
root@test:~# cat /proc/1/maps >/dev/null
cat: /proc/1/maps: Permission denied
root@test:~# dmesg | tail -n24
[   66.274897] ------------[ cut here ]------------
[   66.312570] WARNING: at kernel/ptrace.c:233 __ptrace_may_access+0x46/0xf9()
[   66.385110] denying ptrace access check without PTRACE_MODE_*CREDS
[   66.413088] Modules linked in: loop joydev hid_generic snd_pcm snd_page_alloc snd_timer snd processor usbhid i2c_piix4 hid soundcore psmouse thermal_sys serio_raw pcspkr evdev i2c_core parport_pc microcode parport button ac ext4 crc16 jbd2 mbcache sr_mod cdrom ata_generic sg sd_mod crc_t10dif ata_piix ohci_hcd ehci_hcd ahci libahci e1000 usbcore libata usb_common scsi_mod
[   66.724711] CPU: 0 PID: 2005 Comm: cat Not tainted 3.10.98+1-amd64 #1
[   66.793618] Hardware name: innotek GmbH VirtualBox, BIOS VirtualBox 12/01/2006
[   66.887232]  ffffffff81393e15 0000000000000000 ffffffff8103d0bd ffff880016c00200
[   66.928111]  ffff880015ecdd58 00000000000012d0 ffff880016ecad08 0000000000000001
[   66.992842]  0000000000000001 0000000000000000 ffffffff8103d16d ffffffff814f3d1f
[   67.032856] Call Trace:
[   67.092708]  [<ffffffff81393e15>] ? dump_stack+0xd/0x17
[   67.096932]  [<ffffffff8103d0bd>] ? warn_slowpath_common+0x5f/0x77
[   67.193852]  [<ffffffff8103d16d>] ? warn_slowpath_fmt+0x45/0x4a
[   67.197611]  [<ffffffff810469b0>] ? __ptrace_may_access+0x46/0xf9
[   67.201716]  [<ffffffff81047518>] ? ptrace_may_access+0x28/0x3e
[   67.293288]  [<ffffffff81061e20>] ? should_resched+0x5/0x23
[   67.296339]  [<ffffffff8103acf1>] ? mm_access+0x53/0x81
[   67.404368]  [<ffffffff811580b2>] ? m_start+0x65/0x17b
[   67.428423]  [<ffffffff811007c3>] ? kmem_cache_alloc_trace+0xc0/0xd0
[   67.429447]  [<ffffffff811294de>] ? seq_read+0x13a/0x341
[   67.432574]  [<ffffffff811105b9>] ? vfs_read+0x93/0xf5
[   67.440116]  [<ffffffff81110732>] ? SyS_read+0x51/0x80
[   67.501553]  [<ffffffff8139c949>] ? system_call_fastpath+0x16/0x1b
[   67.505709] ---[ end trace b74f9ab2dd68c613 ]---
root@test:~# cat /proc/1/pagemap >/dev/null
cat: /proc/1/pagemap: Permission denied
root@test:~# dmesg | tail -n24
[   67.505709] ---[ end trace b74f9ab2dd68c613 ]---
[  285.010343] ------------[ cut here ]------------
[  285.108449] WARNING: at kernel/ptrace.c:233 __ptrace_may_access+0x46/0xf9()
[  285.216943] denying ptrace access check without PTRACE_MODE_*CREDS
[  285.252505] Modules linked in: loop joydev hid_generic snd_pcm snd_page_alloc snd_timer snd processor usbhid i2c_piix4 hid soundcore psmouse thermal_sys serio_raw pcspkr evdev i2c_core parport_pc microcode parport button ac ext4 crc16 jbd2 mbcache sr_mod cdrom ata_generic sg sd_mod crc_t10dif ata_piix ohci_hcd ehci_hcd ahci libahci e1000 usbcore libata usb_common scsi_mod
[  285.654499] CPU: 0 PID: 2008 Comm: cat Tainted: G        W    3.10.98+1-amd64 #1
[  285.721663] Hardware name: innotek GmbH VirtualBox, BIOS VirtualBox 12/01/2006
[  285.732845]  ffffffff81393e15 0000000000000000 ffffffff8103d0bd ffff880016c025c0
[  285.768903]  ffff8800170e7d68 00000000000c12d0 ffff880016ecad08 0000000000000001
[  285.940092]  0000000000000001 ffff880016eca7b0 ffffffff8103d16d ffffffff814f3d1f
[  285.964850] Call Trace:
[  285.965703]  [<ffffffff81393e15>] ? dump_stack+0xd/0x17
[  285.967029]  [<ffffffff8103d0bd>] ? warn_slowpath_common+0x5f/0x77
[  286.025849]  [<ffffffff8103d16d>] ? warn_slowpath_fmt+0x45/0x4a
[  286.030987]  [<ffffffff810469b0>] ? __ptrace_may_access+0x46/0xf9
[  286.053425]  [<ffffffff81047518>] ? ptrace_may_access+0x28/0x3e
[  286.127192]  [<ffffffff81061e20>] ? should_resched+0x5/0x23
[  286.133879]  [<ffffffff8103acf1>] ? mm_access+0x53/0x81
[  286.141205]  [<ffffffff81158a64>] ? pagemap_read+0xa7/0x29b
[  286.154539]  [<ffffffff8139a6c4>] ? __do_page_fault+0x367/0x408
[  286.165444]  [<ffffffff811105b9>] ? vfs_read+0x93/0xf5
[  286.173136]  [<ffffffff81110732>] ? SyS_read+0x51/0x80
[  286.176403]  [<ffffffff8139c949>] ? system_call_fastpath+0x16/0x1b
[  286.230897] ---[ end trace b74f9ab2dd68c614 ]---

Corey
--
undefined@xxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]