[kernel-hardening] Re: [PATCH v3] proc: fix a race in do_io_accounting()

[Vasiliy Kulikov <segoon@openwall.com>]

Hi Linus,

On Wed, Jul 06, 2011 at 20:34 +0400, Vasiliy Kulikov wrote:
> If inode's mode permits to open /proc/PID/io and the resulted file
> descriptor is kept across execve() of setuid or similar binary, the
> ptrace_may_access() check tries to prevent using this fd against the
> task with escalated privileges.  Unfortunately, there is a race of the
> check against execve().  If execve() is processed after the ptrace
> check, but before the actual io information gathering, io statistics
> will be gathered from the privileged process.  At least in theory this
> might lead to gathering sensible information (like ssh/ftp password
> length) that wouldn't be available otherwise.
> 
> Holding task->signal->cred_guard_mutex while gathering the io
> information should protect against the race.
> 
> The order of locking is similar to the one inside of
> ptrace_attach(): first goes cred_guard_mutex, then lock_task_sighand().

Any problems with the patch?

> v3 - better description.
> v2 - use mutex_lock_killable() instead of mutex_lock().
> 
> Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
> Cc: stable@kernel.org
> ---
>  fs/proc/base.c |   16 +++++++++++++---
>  1 files changed, 13 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 083a4f2..4b9f159 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2711,9 +2711,16 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
>  {
>  	struct task_io_accounting acct = task->ioac;
>  	unsigned long flags;
> +	int result;
>  
> -	if (!ptrace_may_access(task, PTRACE_MODE_READ))
> -		return -EACCES;
> +	result = mutex_lock_killable(&task->signal->cred_guard_mutex);
> +	if (result)
> +		return result;
> +
> +	if (!ptrace_may_access(task, PTRACE_MODE_READ)) {
> +		result = -EACCES;
> +		goto out_unlock;
> +	}
>  
>  	if (whole && lock_task_sighand(task, &flags)) {
>  		struct task_struct *t = task;
> @@ -2724,7 +2731,7 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
>  
>  		unlock_task_sighand(task, &flags);
>  	}
> -	return sprintf(buffer,
> +	result = sprintf(buffer,
>  			"rchar: %llu\n"
>  			"wchar: %llu\n"
>  			"syscr: %llu\n"
> @@ -2739,6 +2746,9 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
>  			(unsigned long long)acct.read_bytes,
>  			(unsigned long long)acct.write_bytes,
>  			(unsigned long long)acct.cancelled_write_bytes);
> +out_unlock:
> +	mutex_unlock(&task->signal->cred_guard_mutex);
> +	return result;
>  }
>  
>  static int proc_tid_io_accounting(struct task_struct *task, char *buffer)
> -- 
> 1.7.0.4
> 

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments