[gentoo-commits] linux-patches r2064 - genpatches-2.6/trunk/3.1

["Mike Pagano (mpagano)" <mpagano@gentoo.org>]

Author: mpagano
Date: 2012-01-23 21:32:47 +0000 (Mon, 23 Jan 2012)
New Revision: 2064

Added:
   genpatches-2.6/trunk/3.1/2100_proc-mem-handling-fix.patch
Modified:
   genpatches-2.6/trunk/3.1/0000_README
Log:
Clean up and fix /proc/<pid>/mem handling, prevent local privilege escalation

Modified: genpatches-2.6/trunk/3.1/0000_README
===================================================================
--- genpatches-2.6/trunk/3.1/0000_README	2012-01-23 20:59:28 UTC (rev 2063)
+++ genpatches-2.6/trunk/3.1/0000_README	2012-01-23 21:32:47 UTC (rev 2064)
@@ -79,6 +79,10 @@
 From:   http://www.kernel.org
 Desc:   Linux 3.1.10
 
+Patch:  2100_proc-mem-handling-fix.patch
+From:   http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
+Desc:   Clean up and fix /proc/<pid>/mem handling, prevent local privilege escalation
+
 Patch:  2400_pci-enable-msi-failure-fix.patch
 From:   http://bugs.gentoo.org/show_bug.cgi?id=389215
 Desc:   Continue the init process after pci_enable_msi failure

Added: genpatches-2.6/trunk/3.1/2100_proc-mem-handling-fix.patch
===================================================================
--- genpatches-2.6/trunk/3.1/2100_proc-mem-handling-fix.patch	                        (rev 0)
+++ genpatches-2.6/trunk/3.1/2100_proc-mem-handling-fix.patch	2012-01-23 21:32:47 UTC (rev 2064)
@@ -0,0 +1,288 @@
+From bd3d50227ece7d8234cdc5b3d3486ff90e92d545 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@suse.de>
+Date: Fri, 20 Jan 2012 11:25:40 -0500
+Subject: [PATCH] 3.2-stable patches
+
+added patches:
+    proc-clean-up-and-fix-proc-pid-mem-handling.patch
+---
+ ...oc-clean-up-and-fix-proc-pid-mem-handling.patch |  269 ++++++++++++++++++++
+ queue-3.2/series                                   |    1 +
+ 2 files changed, 270 insertions(+), 0 deletions(-)
+ create mode 100644 queue-3.2/proc-clean-up-and-fix-proc-pid-mem-handling.patch
+
+diff --git a/queue-3.2/proc-clean-up-and-fix-proc-pid-mem-handling.patch b/queue-3.2/proc-clean-up-and-fix-proc-pid-mem-handling.patch
+new file mode 100644
+index 0000000..2acee07
+--- /dev/null
++++ b/queue-3.2/proc-clean-up-and-fix-proc-pid-mem-handling.patch
+@@ -0,0 +1,269 @@
++From e268337dfe26dfc7efd422a804dbb27977a3cccc Mon Sep 17 00:00:00 2001
++From: Linus Torvalds <torvalds@linux-foundation.org>
++Date: Tue, 17 Jan 2012 15:21:19 -0800
++Subject: proc: clean up and fix /proc/<pid>/mem handling
++MIME-Version: 1.0
++Content-Type: text/plain; charset=UTF-8
++Content-Transfer-Encoding: 8bit
++
++From: Linus Torvalds <torvalds@linux-foundation.org>
++
++commit e268337dfe26dfc7efd422a804dbb27977a3cccc upstream.
++
++Jüri Aedla reported that the /proc/<pid>/mem handling really isn't very
++robust, and it also doesn't match the permission checking of any of the
++other related files.
++
++This changes it to do the permission checks at open time, and instead of
++tracking the process, it tracks the VM at the time of the open.  That
++simplifies the code a lot, but does mean that if you hold the file
++descriptor open over an execve(), you'll continue to read from the _old_
++VM.
++
++That is different from our previous behavior, but much simpler.  If
++somebody actually finds a load where this matters, we'll need to revert
++this commit.
++
++I suspect that nobody will ever notice - because the process mapping
++addresses will also have changed as part of the execve.  So you cannot
++actually usefully access the fd across a VM change simply because all
++the offsets for IO would have changed too.
++
++Reported-by: Jüri Aedla <asd@ut.ee>
++Cc: Al Viro <viro@zeniv.linux.org.uk>
++Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
++Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
++
++---
++ fs/proc/base.c |  145 +++++++++++++++------------------------------------------
++ 1 file changed, 39 insertions(+), 106 deletions(-)
++
++--- a/fs/proc/base.c
+++++ b/fs/proc/base.c
++@@ -194,65 +194,7 @@ static int proc_root_link(struct inode *
++   return result;
++ }
++ 
++-static struct mm_struct *__check_mem_permission(struct task_struct *task)
++-{
++-  struct mm_struct *mm;
++-
++-  mm = get_task_mm(task);
++-  if (!mm)
++-      return ERR_PTR(-EINVAL);
++-
++-  /*
++-   * A task can always look at itself, in case it chooses
++-   * to use system calls instead of load instructions.
++-   */
++-  if (task == current)
++-      return mm;
++-
++-  /*
++-   * If current is actively ptrace'ing, and would also be
++-   * permitted to freshly attach with ptrace now, permit it.
++-   */
++-  if (task_is_stopped_or_traced(task)) {
++-      int match;
++-      rcu_read_lock();
++-      match = (ptrace_parent(task) == current);
++-      rcu_read_unlock();
++-      if (match && ptrace_may_access(task, PTRACE_MODE_ATTACH))
++-          return mm;
++-  }
++-
++-  /*
++-   * No one else is allowed.
++-   */
++-  mmput(mm);
++-  return ERR_PTR(-EPERM);
++-}
++-
++-/*
++- * If current may access user memory in @task return a reference to the
++- * corresponding mm, otherwise ERR_PTR.
++- */
++-static struct mm_struct *check_mem_permission(struct task_struct *task)
++-{
++-  struct mm_struct *mm;
++-  int err;
++-
++-  /*
++-   * Avoid racing if task exec's as we might get a new mm but validate
++-   * against old credentials.
++-   */
++-  err = mutex_lock_killable(&task->signal->cred_guard_mutex);
++-  if (err)
++-      return ERR_PTR(err);
++-
++-  mm = __check_mem_permission(task);
++-  mutex_unlock(&task->signal->cred_guard_mutex);
++-
++-  return mm;
++-}
++-
++-struct mm_struct *mm_for_maps(struct task_struct *task)
+++static struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
++ {
++   struct mm_struct *mm;
++   int err;
++@@ -263,7 +205,7 @@ struct mm_struct *mm_for_maps(struct tas
++ 
++   mm = get_task_mm(task);
++   if (mm && mm != current->mm &&
++-          !ptrace_may_access(task, PTRACE_MODE_READ)) {
+++          !ptrace_may_access(task, mode)) {
++       mmput(mm);
++       mm = ERR_PTR(-EACCES);
++   }
++@@ -272,6 +214,11 @@ struct mm_struct *mm_for_maps(struct tas
++   return mm;
++ }
++ 
+++struct mm_struct *mm_for_maps(struct task_struct *task)
+++{
+++  return mm_access(task, PTRACE_MODE_READ);
+++}
+++
++ static int proc_pid_cmdline(struct task_struct *task, char * buffer)
++ {
++   int res = 0;
++@@ -816,38 +763,39 @@ static const struct file_operations proc
++ 
++ static int mem_open(struct inode* inode, struct file* file)
++ {
++-  file->private_data = (void*)((long)current->self_exec_id);
+++  struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
+++  struct mm_struct *mm;
+++
+++  if (!task)
+++      return -ESRCH;
+++
+++  mm = mm_access(task, PTRACE_MODE_ATTACH);
+++  put_task_struct(task);
+++
+++  if (IS_ERR(mm))
+++      return PTR_ERR(mm);
+++
++   /* OK to pass negative loff_t, we can catch out-of-range */
++   file->f_mode |= FMODE_UNSIGNED_OFFSET;
+++  file->private_data = mm;
+++
++   return 0;
++ }
++ 
++ static ssize_t mem_read(struct file * file, char __user * buf,
++           size_t count, loff_t *ppos)
++ {
++-  struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
+++  int ret;
++   char *page;
++   unsigned long src = *ppos;
++-  int ret = -ESRCH;
++-  struct mm_struct *mm;
+++  struct mm_struct *mm = file->private_data;
++ 
++-  if (!task)
++-      goto out_no_task;
+++  if (!mm)
+++      return 0;
++ 
++-  ret = -ENOMEM;
++   page = (char *)__get_free_page(GFP_TEMPORARY);
++   if (!page)
++-      goto out;
++-
++-  mm = check_mem_permission(task);
++-  ret = PTR_ERR(mm);
++-  if (IS_ERR(mm))
++-      goto out_free;
++-
++-  ret = -EIO;
++- 
++-  if (file->private_data != (void*)((long)current->self_exec_id))
++-      goto out_put;
+++      return -ENOMEM;
++ 
++   ret = 0;
++  
++@@ -874,13 +822,7 @@ static ssize_t mem_read(struct file * fi
++   }
++   *ppos = src;
++ 
++-out_put:
++-  mmput(mm);
++-out_free:
++   free_page((unsigned long) page);
++-out:
++-  put_task_struct(task);
++-out_no_task:
++   return ret;
++ }
++ 
++@@ -889,27 +831,15 @@ static ssize_t mem_write(struct file * f
++ {
++   int copied;
++   char *page;
++-  struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
++   unsigned long dst = *ppos;
++-  struct mm_struct *mm;
+++  struct mm_struct *mm = file->private_data;
++ 
++-  copied = -ESRCH;
++-  if (!task)
++-      goto out_no_task;
+++  if (!mm)
+++      return 0;
++ 
++-  copied = -ENOMEM;
++   page = (char *)__get_free_page(GFP_TEMPORARY);
++   if (!page)
++-      goto out_task;
++-
++-  mm = check_mem_permission(task);
++-  copied = PTR_ERR(mm);
++-  if (IS_ERR(mm))
++-      goto out_free;
++-
++-  copied = -EIO;
++-  if (file->private_data != (void *)((long)current->self_exec_id))
++-      goto out_mm;
+++      return -ENOMEM;
++ 
++   copied = 0;
++   while (count > 0) {
++@@ -933,13 +863,7 @@ static ssize_t mem_write(struct file * f
++   }
++   *ppos = dst;
++ 
++-out_mm:
++-  mmput(mm);
++-out_free:
++   free_page((unsigned long) page);
++-out_task:
++-  put_task_struct(task);
++-out_no_task:
++   return copied;
++ }
++ 
++@@ -959,11 +883,20 @@ loff_t mem_lseek(struct file *file, loff
++   return file->f_pos;
++ }
++ 
+++static int mem_release(struct inode *inode, struct file *file)
+++{
+++  struct mm_struct *mm = file->private_data;
+++
+++  mmput(mm);
+++  return 0;
+++}
+++
++ static const struct file_operations proc_mem_operations = {
++   .llseek     = mem_lseek,
++   .read       = mem_read,
++   .write      = mem_write,
++   .open       = mem_open,
+++  .release    = mem_release,
++ };
++ 
++ static ssize_t environ_read(struct file *file, char __user *buf,