git.karo-electronics.de Git - karo-tx-linux.git/commit

author	Vasiliy Kulikov <segoon@openwall.com>
	Wed, 5 Oct 2011 00:43:52 +0000 (11:43 +1100)
committer	Stephen Rothwell <sfr@canb.auug.org.au>
	Wed, 5 Oct 2011 07:56:09 +0000 (18:56 +1100)
commit	071541429a4128c0d6e84cb82959925c88afb386
tree	69ac3a78701317f199e14d29cc466f45fd7068dc	tree \| snapshot
parent	ac35a22b360ef890d8f7e6db1d0183b722a33079	commit \| diff

proc: fix races against execve() of /proc/PID/fd**

fd* files are restricted to the task's owner, and other users may not get
direct access to them.  But one may open any of these files and run any
setuid program, keeping opened file descriptors.  As there are permission
checks on open(), but not on readdir() and read(), operations on the kept
file descriptors will not be checked.  It makes it possible to violate
procfs permission model.

Reading fdinfo/* may disclosure current fds' position and flags, reading
directory contents of fdinfo/ and fd/ may disclosure the number of opened
files by the target task.  This information is not sensible per se, but it
can reveal some private information (like length of a password stored in a
file) under certain conditions.

Used existing (un)lock_trace functions to check for ptrace_may_access(),
but instead of using EPERM return code from it use EACCES to be consistent
with existing proc_pid_follow_link()/proc_pid_readlink() return code.  If
they differ, attacker can guess what fds exist by analyzing stat() return
code.  Patched handlers: stat() for fd/*, stat() and read() for fdindo/*,
readdir() and lookup() for fd/ and fdinfo/.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Cyrill Gorcunov <gorcunov@gmail.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>