The timer_stats feature was removed upstream by:

commit dfb4357da6ddbdf57d583ba64361c9d792b0e0b1
Author: Kees Cook <keescook@xxxxxxxxxxxx>
Date:   Wed Feb 8 11:26:59 2017 -0800

    time: Remove CONFIG_TIMER_STATS

I'm hesitant to propose removing a feature in stable, even if it is redundant. What I've done for Debian stable is to restrict it to the initial pid namespace (see attached). Would that be a reasonable alternative change for stable branches?

Ben.

-- 
Ben Hutchings
The world is coming to an end. Please log off.
From: Ben Hutchings <ben@xxxxxxxxxxxxxxx> Date: Mon, 13 Mar 2017 23:03:29 +0000 Subject: timer: Restrict timer_stats to initial PID namespace Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5967 The timer_stats facility should filter and translate PIDs if opened from a non-initial PID namespace, to avoid leaking information about the wider system. Unfortunately it has now been removed upstream (as redundant) instead of being fixed. For stable, fix the leak by only allowing access from the initial PID namespace. Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx> --- --- a/kernel/time/timer_stats.c +++ b/kernel/time/timer_stats.c @@ -42,6 +42,7 @@ #include <linux/sched.h> #include <linux/seq_file.h> #include <linux/kallsyms.h> +#include <linux/pid_namespace.h> #include <asm/uaccess.h> @@ -394,6 +395,13 @@ static ssize_t tstats_write(struct file static int tstats_open(struct inode *inode, struct file *filp) { + /* + * We don't filter PIDs, so must only allow access from initial + * PID namespace. + */ + if (task_active_pid_ns(current) != &init_pid_ns) + return -EPERM; + return single_open(filp, tstats_show, NULL); }
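Review bot: the check added to tstats_open() is evaluated only once, at open time, so a descriptor opened by a task in the initial PID namespace and later used by a task in a child PID namespace (passed or inherited) still yields the unfiltered, untranslated PIDs that the comment says are never filtered; if that matters for the stable backport, the same task_active_pid_ns(current) != &init_pid_ns test could be repeated in tstats_show() and in tstats_write() rather than relying on open alone. Returning -EPERM from open also blocks tstats_write() for non-initial namespaces, which is the right outcome since enabling or disabling collection is a system-wide effect, but it is a behaviour change beyond the read-side leak described in the changelog and deserves a sentence there or in the comment.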