* [gentoo-commits] gentoo-x86 commit in sys-kernel/pf-sources/files: 2100_proc-mem-handling-fix.patch
@ 2012-01-23 21:02 Markos Chandras (hwoarang)
0 siblings, 0 replies; 2+ messages in thread
From: Markos Chandras (hwoarang) @ 2012-01-23 21:02 UTC (permalink / raw
To: gentoo-commits
hwoarang 12/01/23 21:02:05
Added: 2100_proc-mem-handling-fix.patch
Log:
Apply fix from gentoo-sources for CVE-2012-0056 in 3.1 and 3.2 kernel series
(Portage version: 2.2.0_alpha84/cvs/Linux x86_64)
Revision Changes Path
1.1 sys-kernel/pf-sources/files/2100_proc-mem-handling-fix.patch
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-kernel/pf-sources/files/2100_proc-mem-handling-fix.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-kernel/pf-sources/files/2100_proc-mem-handling-fix.patch?rev=1.1&content-type=text/plain
Index: 2100_proc-mem-handling-fix.patch
===================================================================
From bd3d50227ece7d8234cdc5b3d3486ff90e92d545 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@suse.de>
Date: Fri, 20 Jan 2012 11:25:40 -0500
Subject: [PATCH] 3.2-stable patches
added patches:
proc-clean-up-and-fix-proc-pid-mem-handling.patch
---
...oc-clean-up-and-fix-proc-pid-mem-handling.patch | 269 ++++++++++++++++++++
queue-3.2/series | 1 +
2 files changed, 270 insertions(+), 0 deletions(-)
create mode 100644 queue-3.2/proc-clean-up-and-fix-proc-pid-mem-handling.patch
diff --git a/queue-3.2/proc-clean-up-and-fix-proc-pid-mem-handling.patch b/queue-3.2/proc-clean-up-and-fix-proc-pid-mem-handling.patch
new file mode 100644
index 0000000..2acee07
--- /dev/null
+++ b/queue-3.2/proc-clean-up-and-fix-proc-pid-mem-handling.patch
@@ -0,0 +1,269 @@
+From e268337dfe26dfc7efd422a804dbb27977a3cccc Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue, 17 Jan 2012 15:21:19 -0800
+Subject: proc: clean up and fix /proc/<pid>/mem handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit e268337dfe26dfc7efd422a804dbb27977a3cccc upstream.
+
+Jüri Aedla reported that the /proc/<pid>/mem handling really isn't very
+robust, and it also doesn't match the permission checking of any of the
+other related files.
+
+This changes it to do the permission checks at open time, and instead of
+tracking the process, it tracks the VM at the time of the open. That
+simplifies the code a lot, but does mean that if you hold the file
+descriptor open over an execve(), you'll continue to read from the _old_
+VM.
+
+That is different from our previous behavior, but much simpler. If
+somebody actually finds a load where this matters, we'll need to revert
+this commit.
+
+I suspect that nobody will ever notice - because the process mapping
+addresses will also have changed as part of the execve. So you cannot
+actually usefully access the fd across a VM change simply because all
+the offsets for IO would have changed too.
+
+Reported-by: Jüri Aedla <asd@ut.ee>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/proc/base.c | 145 +++++++++++++++------------------------------------------
+ 1 file changed, 39 insertions(+), 106 deletions(-)
+
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -194,65 +194,7 @@ static int proc_root_link(struct inode *
+ return result;
+ }
+
+-static struct mm_struct *__check_mem_permission(struct task_struct *task)
+-{
+- struct mm_struct *mm;
+-
+- mm = get_task_mm(task);
+- if (!mm)
+- return ERR_PTR(-EINVAL);
+-
+- /*
+- * A task can always look at itself, in case it chooses
+- * to use system calls instead of load instructions.
+- */
+- if (task == current)
+- return mm;
+-
+- /*
+- * If current is actively ptrace'ing, and would also be
+- * permitted to freshly attach with ptrace now, permit it.
+- */
+- if (task_is_stopped_or_traced(task)) {
+- int match;
+- rcu_read_lock();
+- match = (ptrace_parent(task) == current);
+- rcu_read_unlock();
+- if (match && ptrace_may_access(task, PTRACE_MODE_ATTACH))
+- return mm;
+- }
+-
+- /*
+- * No one else is allowed.
+- */
+- mmput(mm);
+- return ERR_PTR(-EPERM);
+-}
+-
+-/*
+- * If current may access user memory in @task return a reference to the
+- * corresponding mm, otherwise ERR_PTR.
+- */
+-static struct mm_struct *check_mem_permission(struct task_struct *task)
+-{
+- struct mm_struct *mm;
+- int err;
+-
+- /*
+- * Avoid racing if task exec's as we might get a new mm but validate
+- * against old credentials.
+- */
+- err = mutex_lock_killable(&task->signal->cred_guard_mutex);
+- if (err)
+- return ERR_PTR(err);
+-
+- mm = __check_mem_permission(task);
+- mutex_unlock(&task->signal->cred_guard_mutex);
+-
+- return mm;
+-}
+-
+-struct mm_struct *mm_for_maps(struct task_struct *task)
++static struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
+ {
+ struct mm_struct *mm;
+ int err;
+@@ -263,7 +205,7 @@ struct mm_struct *mm_for_maps(struct tas
+
+ mm = get_task_mm(task);
+ if (mm && mm != current->mm &&
+- !ptrace_may_access(task, PTRACE_MODE_READ)) {
++ !ptrace_may_access(task, mode)) {
+ mmput(mm);
+ mm = ERR_PTR(-EACCES);
+ }
+@@ -272,6 +214,11 @@ struct mm_struct *mm_for_maps(struct tas
+ return mm;
+ }
+
++struct mm_struct *mm_for_maps(struct task_struct *task)
++{
++ return mm_access(task, PTRACE_MODE_READ);
++}
++
+ static int proc_pid_cmdline(struct task_struct *task, char * buffer)
+ {
+ int res = 0;
+@@ -816,38 +763,39 @@ static const struct file_operations proc
+
+ static int mem_open(struct inode* inode, struct file* file)
+ {
+- file->private_data = (void*)((long)current->self_exec_id);
++ struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
++ struct mm_struct *mm;
++
++ if (!task)
++ return -ESRCH;
++
++ mm = mm_access(task, PTRACE_MODE_ATTACH);
++ put_task_struct(task);
++
++ if (IS_ERR(mm))
++ return PTR_ERR(mm);
++
+ /* OK to pass negative loff_t, we can catch out-of-range */
+ file->f_mode |= FMODE_UNSIGNED_OFFSET;
++ file->private_data = mm;
++
+ return 0;
+ }
+
+ static ssize_t mem_read(struct file * file, char __user * buf,
+ size_t count, loff_t *ppos)
+ {
+- struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
++ int ret;
+ char *page;
+ unsigned long src = *ppos;
+- int ret = -ESRCH;
+- struct mm_struct *mm;
++ struct mm_struct *mm = file->private_data;
+
+- if (!task)
+- goto out_no_task;
++ if (!mm)
++ return 0;
+
+- ret = -ENOMEM;
+ page = (char *)__get_free_page(GFP_TEMPORARY);
+ if (!page)
+- goto out;
+-
+- mm = check_mem_permission(task);
+- ret = PTR_ERR(mm);
+- if (IS_ERR(mm))
+- goto out_free;
+-
+- ret = -EIO;
+-
+- if (file->private_data != (void*)((long)current->self_exec_id))
+- goto out_put;
++ return -ENOMEM;
+
+ ret = 0;
+
+@@ -874,13 +822,7 @@ static ssize_t mem_read(struct file * fi
+ }
+ *ppos = src;
+
+-out_put:
+- mmput(mm);
+-out_free:
+ free_page((unsigned long) page);
+-out:
+- put_task_struct(task);
+-out_no_task:
+ return ret;
+ }
+
+@@ -889,27 +831,15 @@ static ssize_t mem_write(struct file * f
+ {
+ int copied;
+ char *page;
+- struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
+ unsigned long dst = *ppos;
+- struct mm_struct *mm;
++ struct mm_struct *mm = file->private_data;
+
+- copied = -ESRCH;
+- if (!task)
+- goto out_no_task;
++ if (!mm)
++ return 0;
+
+- copied = -ENOMEM;
+ page = (char *)__get_free_page(GFP_TEMPORARY);
+ if (!page)
+- goto out_task;
+-
+- mm = check_mem_permission(task);
+- copied = PTR_ERR(mm);
+- if (IS_ERR(mm))
+- goto out_free;
+-
+- copied = -EIO;
+- if (file->private_data != (void *)((long)current->self_exec_id))
+- goto out_mm;
++ return -ENOMEM;
+
+ copied = 0;
+ while (count > 0) {
+@@ -933,13 +863,7 @@ static ssize_t mem_write(struct file * f
+ }
+ *ppos = dst;
+
+-out_mm:
+- mmput(mm);
+-out_free:
+ free_page((unsigned long) page);
+-out_task:
+- put_task_struct(task);
+-out_no_task:
+ return copied;
+ }
+
+@@ -959,11 +883,20 @@ loff_t mem_lseek(struct file *file, loff
+ return file->f_pos;
+ }
+
++static int mem_release(struct inode *inode, struct file *file)
++{
++ struct mm_struct *mm = file->private_data;
++
++ mmput(mm);
++ return 0;
++}
++
+ static const struct file_operations proc_mem_operations = {
+ .llseek = mem_lseek,
+ .read = mem_read,
+ .write = mem_write,
+ .open = mem_open,
++ .release = mem_release,
+ };
+
+ static ssize_t environ_read(struct file *file, char __user *buf,
^ permalink raw reply related [flat|nested] 2+ messages in thread* [gentoo-commits] gentoo-x86 commit in sys-kernel/pf-sources/files: 2100_proc-mem-handling-fix.patch
@ 2012-01-24 15:05 Alex Alexander (wired)
0 siblings, 0 replies; 2+ messages in thread
From: Alex Alexander (wired) @ 2012-01-24 15:05 UTC (permalink / raw
To: gentoo-commits
wired 12/01/24 15:05:15
Modified: 2100_proc-mem-handling-fix.patch
Log:
replaced bad proc-mem-handling-fix with correct one, removed it from 3.0.7 since it wouldn't apply cleanly. -r1 was still vulnerable.
(Portage version: 2.2.0_alpha84/cvs/Linux x86_64)
Revision Changes Path
1.2 sys-kernel/pf-sources/files/2100_proc-mem-handling-fix.patch
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-kernel/pf-sources/files/2100_proc-mem-handling-fix.patch?rev=1.2&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-kernel/pf-sources/files/2100_proc-mem-handling-fix.patch?rev=1.2&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-kernel/pf-sources/files/2100_proc-mem-handling-fix.patch?r1=1.1&r2=1.2
Index: 2100_proc-mem-handling-fix.patch
===================================================================
RCS file: /var/cvsroot/gentoo-x86/sys-kernel/pf-sources/files/2100_proc-mem-handling-fix.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- 2100_proc-mem-handling-fix.patch 23 Jan 2012 21:02:05 -0000 1.1
+++ 2100_proc-mem-handling-fix.patch 24 Jan 2012 15:05:15 -0000 1.2
@@ -1,288 +1,270 @@
-From bd3d50227ece7d8234cdc5b3d3486ff90e92d545 Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@suse.de>
-Date: Fri, 20 Jan 2012 11:25:40 -0500
-Subject: [PATCH] 3.2-stable patches
+From e268337dfe26dfc7efd422a804dbb27977a3cccc Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue, 17 Jan 2012 15:21:19 -0800
+Subject: proc: clean up and fix /proc/<pid>/mem handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit e268337dfe26dfc7efd422a804dbb27977a3cccc upstream.
+
+Jüri Aedla reported that the /proc/<pid>/mem handling really isn't very
+robust, and it also doesn't match the permission checking of any of the
+other related files.
+
+This changes it to do the permission checks at open time, and instead of
+tracking the process, it tracks the VM at the time of the open. That
+simplifies the code a lot, but does mean that if you hold the file
+descriptor open over an execve(), you'll continue to read from the _old_
+VM.
+
+That is different from our previous behavior, but much simpler. If
+somebody actually finds a load where this matters, we'll need to revert
+this commit.
+
+I suspect that nobody will ever notice - because the process mapping
+addresses will also have changed as part of the execve. So you cannot
+actually usefully access the fd across a VM change simply because all
+the offsets for IO would have changed too.
+
+Reported-by: Jüri Aedla <asd@ut.ee>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-added patches:
- proc-clean-up-and-fix-proc-pid-mem-handling.patch
---
- ...oc-clean-up-and-fix-proc-pid-mem-handling.patch | 269 ++++++++++++++++++++
- queue-3.2/series | 1 +
- 2 files changed, 270 insertions(+), 0 deletions(-)
- create mode 100644 queue-3.2/proc-clean-up-and-fix-proc-pid-mem-handling.patch
+ fs/proc/base.c | 145 +++++++++++++++------------------------------------------
+ 1 file changed, 39 insertions(+), 106 deletions(-)
-diff --git a/queue-3.2/proc-clean-up-and-fix-proc-pid-mem-handling.patch b/queue-3.2/proc-clean-up-and-fix-proc-pid-mem-handling.patch
-new file mode 100644
-index 0000000..2acee07
---- /dev/null
-+++ b/queue-3.2/proc-clean-up-and-fix-proc-pid-mem-handling.patch
-@@ -0,0 +1,269 @@
-+From e268337dfe26dfc7efd422a804dbb27977a3cccc Mon Sep 17 00:00:00 2001
-+From: Linus Torvalds <torvalds@linux-foundation.org>
-+Date: Tue, 17 Jan 2012 15:21:19 -0800
-+Subject: proc: clean up and fix /proc/<pid>/mem handling
-+MIME-Version: 1.0
-+Content-Type: text/plain; charset=UTF-8
-+Content-Transfer-Encoding: 8bit
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -194,65 +194,7 @@ static int proc_root_link(struct inode *
+ return result;
+ }
+
+-static struct mm_struct *__check_mem_permission(struct task_struct *task)
+-{
+- struct mm_struct *mm;
+-
+- mm = get_task_mm(task);
+- if (!mm)
+- return ERR_PTR(-EINVAL);
+-
+- /*
+- * A task can always look at itself, in case it chooses
+- * to use system calls instead of load instructions.
+- */
+- if (task == current)
+- return mm;
+-
+- /*
+- * If current is actively ptrace'ing, and would also be
+- * permitted to freshly attach with ptrace now, permit it.
+- */
+- if (task_is_stopped_or_traced(task)) {
+- int match;
+- rcu_read_lock();
+- match = (ptrace_parent(task) == current);
+- rcu_read_unlock();
+- if (match && ptrace_may_access(task, PTRACE_MODE_ATTACH))
+- return mm;
+- }
+-
+- /*
+- * No one else is allowed.
+- */
+- mmput(mm);
+- return ERR_PTR(-EPERM);
+-}
+-
+-/*
+- * If current may access user memory in @task return a reference to the
+- * corresponding mm, otherwise ERR_PTR.
+- */
+-static struct mm_struct *check_mem_permission(struct task_struct *task)
+-{
+- struct mm_struct *mm;
+- int err;
+-
+- /*
+- * Avoid racing if task exec's as we might get a new mm but validate
+- * against old credentials.
+- */
+- err = mutex_lock_killable(&task->signal->cred_guard_mutex);
+- if (err)
+- return ERR_PTR(err);
+-
+- mm = __check_mem_permission(task);
+- mutex_unlock(&task->signal->cred_guard_mutex);
+-
+- return mm;
+-}
+-
+-struct mm_struct *mm_for_maps(struct task_struct *task)
++static struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
+ {
+ struct mm_struct *mm;
+ int err;
+@@ -263,7 +205,7 @@ struct mm_struct *mm_for_maps(struct tas
+
+ mm = get_task_mm(task);
+ if (mm && mm != current->mm &&
+- !ptrace_may_access(task, PTRACE_MODE_READ)) {
++ !ptrace_may_access(task, mode)) {
+ mmput(mm);
+ mm = ERR_PTR(-EACCES);
+ }
+@@ -272,6 +214,11 @@ struct mm_struct *mm_for_maps(struct tas
+ return mm;
+ }
+
++struct mm_struct *mm_for_maps(struct task_struct *task)
++{
++ return mm_access(task, PTRACE_MODE_READ);
++}
+
-+From: Linus Torvalds <torvalds@linux-foundation.org>
+ static int proc_pid_cmdline(struct task_struct *task, char * buffer)
+ {
+ int res = 0;
+@@ -816,38 +763,39 @@ static const struct file_operations proc
+
+ static int mem_open(struct inode* inode, struct file* file)
+ {
+- file->private_data = (void*)((long)current->self_exec_id);
++ struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
++ struct mm_struct *mm;
+
-+commit e268337dfe26dfc7efd422a804dbb27977a3cccc upstream.
++ if (!task)
++ return -ESRCH;
+
-+Jüri Aedla reported that the /proc/<pid>/mem handling really isn't very
-+robust, and it also doesn't match the permission checking of any of the
-+other related files.
++ mm = mm_access(task, PTRACE_MODE_ATTACH);
++ put_task_struct(task);
+
-+This changes it to do the permission checks at open time, and instead of
-+tracking the process, it tracks the VM at the time of the open. That
-+simplifies the code a lot, but does mean that if you hold the file
-+descriptor open over an execve(), you'll continue to read from the _old_
-+VM.
++ if (IS_ERR(mm))
++ return PTR_ERR(mm);
+
-+That is different from our previous behavior, but much simpler. If
-+somebody actually finds a load where this matters, we'll need to revert
-+this commit.
+ /* OK to pass negative loff_t, we can catch out-of-range */
+ file->f_mode |= FMODE_UNSIGNED_OFFSET;
++ file->private_data = mm;
+
-+I suspect that nobody will ever notice - because the process mapping
-+addresses will also have changed as part of the execve. So you cannot
-+actually usefully access the fd across a VM change simply because all
-+the offsets for IO would have changed too.
+ return 0;
+ }
+
+ static ssize_t mem_read(struct file * file, char __user * buf,
+ size_t count, loff_t *ppos)
+ {
+- struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
++ int ret;
+ char *page;
+ unsigned long src = *ppos;
+- int ret = -ESRCH;
+- struct mm_struct *mm;
++ struct mm_struct *mm = file->private_data;
+
+- if (!task)
+- goto out_no_task;
++ if (!mm)
++ return 0;
+
+- ret = -ENOMEM;
+ page = (char *)__get_free_page(GFP_TEMPORARY);
+ if (!page)
+- goto out;
+-
+- mm = check_mem_permission(task);
+- ret = PTR_ERR(mm);
+- if (IS_ERR(mm))
+- goto out_free;
+-
+- ret = -EIO;
+-
+- if (file->private_data != (void*)((long)current->self_exec_id))
+- goto out_put;
++ return -ENOMEM;
+
+ ret = 0;
+
+@@ -874,13 +822,7 @@ static ssize_t mem_read(struct file * fi
+ }
+ *ppos = src;
+
+-out_put:
+- mmput(mm);
+-out_free:
+ free_page((unsigned long) page);
+-out:
+- put_task_struct(task);
+-out_no_task:
+ return ret;
+ }
+
+@@ -889,27 +831,15 @@ static ssize_t mem_write(struct file * f
+ {
+ int copied;
+ char *page;
+- struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
+ unsigned long dst = *ppos;
+- struct mm_struct *mm;
++ struct mm_struct *mm = file->private_data;
+
+- copied = -ESRCH;
+- if (!task)
+- goto out_no_task;
++ if (!mm)
++ return 0;
+
+- copied = -ENOMEM;
+ page = (char *)__get_free_page(GFP_TEMPORARY);
+ if (!page)
+- goto out_task;
+-
+- mm = check_mem_permission(task);
+- copied = PTR_ERR(mm);
+- if (IS_ERR(mm))
+- goto out_free;
+-
+- copied = -EIO;
+- if (file->private_data != (void *)((long)current->self_exec_id))
+- goto out_mm;
++ return -ENOMEM;
+
+ copied = 0;
+ while (count > 0) {
+@@ -933,13 +863,7 @@ static ssize_t mem_write(struct file * f
+ }
+ *ppos = dst;
+
+-out_mm:
+- mmput(mm);
+-out_free:
+ free_page((unsigned long) page);
+-out_task:
+- put_task_struct(task);
+-out_no_task:
+ return copied;
+ }
+
+@@ -959,11 +883,20 @@ loff_t mem_lseek(struct file *file, loff
+ return file->f_pos;
+ }
+
++static int mem_release(struct inode *inode, struct file *file)
++{
++ struct mm_struct *mm = file->private_data;
+
-+Reported-by: Jüri Aedla <asd@ut.ee>
-+Cc: Al Viro <viro@zeniv.linux.org.uk>
-+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
++ mmput(mm);
++ return 0;
++}
+
-+---
-+ fs/proc/base.c | 145 +++++++++++++++------------------------------------------
-+ 1 file changed, 39 insertions(+), 106 deletions(-)
-+
-+--- a/fs/proc/base.c
-++++ b/fs/proc/base.c
-+@@ -194,65 +194,7 @@ static int proc_root_link(struct inode *
-+ return result;
-+ }
-+
-+-static struct mm_struct *__check_mem_permission(struct task_struct *task)
-+-{
-+- struct mm_struct *mm;
-+-
-+- mm = get_task_mm(task);
-+- if (!mm)
-+- return ERR_PTR(-EINVAL);
-+-
-+- /*
-+- * A task can always look at itself, in case it chooses
-+- * to use system calls instead of load instructions.
-+- */
-+- if (task == current)
-+- return mm;
-+-
-+- /*
-+- * If current is actively ptrace'ing, and would also be
-+- * permitted to freshly attach with ptrace now, permit it.
-+- */
-+- if (task_is_stopped_or_traced(task)) {
-+- int match;
-+- rcu_read_lock();
-+- match = (ptrace_parent(task) == current);
-+- rcu_read_unlock();
-+- if (match && ptrace_may_access(task, PTRACE_MODE_ATTACH))
-+- return mm;
-+- }
-+-
-+- /*
-+- * No one else is allowed.
-+- */
-+- mmput(mm);
-+- return ERR_PTR(-EPERM);
-+-}
-+-
-+-/*
-+- * If current may access user memory in @task return a reference to the
-+- * corresponding mm, otherwise ERR_PTR.
-+- */
-+-static struct mm_struct *check_mem_permission(struct task_struct *task)
-+-{
-+- struct mm_struct *mm;
-+- int err;
-+-
-+- /*
-+- * Avoid racing if task exec's as we might get a new mm but validate
-+- * against old credentials.
-+- */
-+- err = mutex_lock_killable(&task->signal->cred_guard_mutex);
-+- if (err)
-+- return ERR_PTR(err);
-+-
-+- mm = __check_mem_permission(task);
-+- mutex_unlock(&task->signal->cred_guard_mutex);
-+-
-+- return mm;
-+-}
-+-
-+-struct mm_struct *mm_for_maps(struct task_struct *task)
-++static struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
-+ {
-+ struct mm_struct *mm;
-+ int err;
-+@@ -263,7 +205,7 @@ struct mm_struct *mm_for_maps(struct tas
-+
-+ mm = get_task_mm(task);
-+ if (mm && mm != current->mm &&
-+- !ptrace_may_access(task, PTRACE_MODE_READ)) {
-++ !ptrace_may_access(task, mode)) {
-+ mmput(mm);
-+ mm = ERR_PTR(-EACCES);
-+ }
-+@@ -272,6 +214,11 @@ struct mm_struct *mm_for_maps(struct tas
-+ return mm;
-+ }
-+
-++struct mm_struct *mm_for_maps(struct task_struct *task)
-++{
-++ return mm_access(task, PTRACE_MODE_READ);
-++}
-++
-+ static int proc_pid_cmdline(struct task_struct *task, char * buffer)
-+ {
-+ int res = 0;
-+@@ -816,38 +763,39 @@ static const struct file_operations proc
-+
-+ static int mem_open(struct inode* inode, struct file* file)
-+ {
-+- file->private_data = (void*)((long)current->self_exec_id);
-++ struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
-++ struct mm_struct *mm;
-++
-++ if (!task)
-++ return -ESRCH;
-++
-++ mm = mm_access(task, PTRACE_MODE_ATTACH);
-++ put_task_struct(task);
-++
-++ if (IS_ERR(mm))
-++ return PTR_ERR(mm);
-++
-+ /* OK to pass negative loff_t, we can catch out-of-range */
-+ file->f_mode |= FMODE_UNSIGNED_OFFSET;
-++ file->private_data = mm;
-++
-+ return 0;
-+ }
-+
-+ static ssize_t mem_read(struct file * file, char __user * buf,
-+ size_t count, loff_t *ppos)
-+ {
-+- struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
-++ int ret;
-+ char *page;
-+ unsigned long src = *ppos;
-+- int ret = -ESRCH;
-+- struct mm_struct *mm;
-++ struct mm_struct *mm = file->private_data;
-+
-+- if (!task)
-+- goto out_no_task;
-++ if (!mm)
-++ return 0;
-+
-+- ret = -ENOMEM;
-+ page = (char *)__get_free_page(GFP_TEMPORARY);
-+ if (!page)
-+- goto out;
-+-
-+- mm = check_mem_permission(task);
-+- ret = PTR_ERR(mm);
-+- if (IS_ERR(mm))
-+- goto out_free;
-+-
-+- ret = -EIO;
-+-
-+- if (file->private_data != (void*)((long)current->self_exec_id))
-+- goto out_put;
-++ return -ENOMEM;
-+
-+ ret = 0;
-+
-+@@ -874,13 +822,7 @@ static ssize_t mem_read(struct file * fi
-+ }
-+ *ppos = src;
-+
-+-out_put:
-+- mmput(mm);
-+-out_free:
-+ free_page((unsigned long) page);
-+-out:
-+- put_task_struct(task);
-+-out_no_task:
-+ return ret;
-+ }
-+
-+@@ -889,27 +831,15 @@ static ssize_t mem_write(struct file * f
-+ {
-+ int copied;
-+ char *page;
-+- struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
-+ unsigned long dst = *ppos;
-+- struct mm_struct *mm;
-++ struct mm_struct *mm = file->private_data;
-+
-+- copied = -ESRCH;
-+- if (!task)
-+- goto out_no_task;
-++ if (!mm)
-++ return 0;
-+
-+- copied = -ENOMEM;
-+ page = (char *)__get_free_page(GFP_TEMPORARY);
-+ if (!page)
-+- goto out_task;
-+-
-+- mm = check_mem_permission(task);
-+- copied = PTR_ERR(mm);
-+- if (IS_ERR(mm))
-+- goto out_free;
-+-
-+- copied = -EIO;
-+- if (file->private_data != (void *)((long)current->self_exec_id))
-+- goto out_mm;
-++ return -ENOMEM;
-+
-+ copied = 0;
-+ while (count > 0) {
-+@@ -933,13 +863,7 @@ static ssize_t mem_write(struct file * f
-+ }
-+ *ppos = dst;
-+
-+-out_mm:
-+- mmput(mm);
-+-out_free:
-+ free_page((unsigned long) page);
-+-out_task:
-+- put_task_struct(task);
-+-out_no_task:
-+ return copied;
-+ }
-+
-+@@ -959,11 +883,20 @@ loff_t mem_lseek(struct file *file, loff
-+ return file->f_pos;
-+ }
-+
-++static int mem_release(struct inode *inode, struct file *file)
-++{
-++ struct mm_struct *mm = file->private_data;
-++
-++ mmput(mm);
-++ return 0;
-++}
-++
-+ static const struct file_operations proc_mem_operations = {
-+ .llseek = mem_lseek,
-+ .read = mem_read,
-+ .write = mem_write,
-+ .open = mem_open,
-++ .release = mem_release,
-+ };
-+
-+ static ssize_t environ_read(struct file *file, char __user *buf,
+ static const struct file_operations proc_mem_operations = {
+ .llseek = mem_lseek,
+ .read = mem_read,
+ .write = mem_write,
+ .open = mem_open,
++ .release = mem_release,
+ };
+
+ static ssize_t environ_read(struct file *file, char __user *buf,
+
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2012-01-24 15:05 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-01-23 21:02 [gentoo-commits] gentoo-x86 commit in sys-kernel/pf-sources/files: 2100_proc-mem-handling-fix.patch Markos Chandras (hwoarang)
-- strict thread matches above, loose matches on Subject: below --
2012-01-24 15:05 Alex Alexander (wired)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox