From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
Jake Edge <jake@lwn.net>, Eugene Teo <eteo@redhat.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Hugh Dickins <hugh@veritas.com>
Subject: [patch 35/58] fix setuid sometimes wouldnt
Date: Wed, 06 May 2009 14:46:03 -0700 [thread overview]
Message-ID: <20090506214800.136205337@mini.kroah.org> (raw)
In-Reply-To: <20090506215017.GA21981@kroah.com>
[-- Attachment #1: fix-setuid-sometimes-wouldn-t.patch --]
[-- Type: text/plain, Size: 3567 bytes --]
2.6.29-stable review patch. If anyone has any objections, please let us know.
------------------
From: Hugh Dickins <hugh@veritas.com>
commit 7c2c7d993044cddc5010f6f429b100c63bc7dffb upstream.
check_unsafe_exec() also notes whether the fs_struct is being
shared by more threads than will get killed by the exec, and if so
sets LSM_UNSAFE_SHARE to make bprm_set_creds() careful about euid.
But /proc/<pid>/cwd and /proc/<pid>/root lookups make transient
use of get_fs_struct(), which also raises that sharing count.
This might occasionally cause a setuid program not to change euid,
in the same way as happened with files->count (check_unsafe_exec
also looks at sighand->count, but /proc doesn't raise that one).
We'd prefer exec not to unshare fs_struct: so fix this in procfs,
replacing get_fs_struct() by get_fs_path(), which does path_get
while still holding task_lock, instead of raising fs->count.
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/proc/base.c | 50 ++++++++++++++++----------------------------------
1 file changed, 16 insertions(+), 34 deletions(-)
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -146,15 +146,22 @@ static unsigned int pid_entry_count_dirs
return count;
}
-static struct fs_struct *get_fs_struct(struct task_struct *task)
+static int get_fs_path(struct task_struct *task, struct path *path, bool root)
{
struct fs_struct *fs;
+ int result = -ENOENT;
+
task_lock(task);
fs = task->fs;
- if(fs)
- atomic_inc(&fs->count);
+ if (fs) {
+ read_lock(&fs->lock);
+ *path = root ? fs->root : fs->pwd;
+ path_get(path);
+ read_unlock(&fs->lock);
+ result = 0;
+ }
task_unlock(task);
- return fs;
+ return result;
}
static int get_nr_threads(struct task_struct *tsk)
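Review bot: get_fs_path() has no comment stating its contract, which matters because `*path` is written only on the success path and the caller then owns a path_get() reference; a reader of proc_cwd_link() or mounts_open_common() cannot tell from the signature that a path_put() is owed. I would add above the definition: `/* Copy task's root (or pwd when !root) into *path and take a reference the caller must path_put(); returns -ENOENT if the task has no fs_struct, leaving *path untouched. */`. Note also that read_lock(&fs->lock) is now taken while task_lock(task) is held, whereas the removed code took fs->lock only after task_unlock(); that is presumably fine, but it fixes a lock order (task_lock outside fs->lock) that is worth recording in the same comment so nobody later takes task_lock under fs->lock.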
@@ -172,42 +179,24 @@ static int get_nr_threads(struct task_st
static int proc_cwd_link(struct inode *inode, struct path *path)
{
struct task_struct *task = get_proc_task(inode);
- struct fs_struct *fs = NULL;
int result = -ENOENT;
if (task) {
- fs = get_fs_struct(task);
+ result = get_fs_path(task, path, 0);
put_task_struct(task);
}
- if (fs) {
- read_lock(&fs->lock);
- *path = fs->pwd;
- path_get(&fs->pwd);
- read_unlock(&fs->lock);
- result = 0;
- put_fs_struct(fs);
- }
return result;
}
static int proc_root_link(struct inode *inode, struct path *path)
{
struct task_struct *task = get_proc_task(inode);
- struct fs_struct *fs = NULL;
int result = -ENOENT;
if (task) {
- fs = get_fs_struct(task);
+ result = get_fs_path(task, path, 1);
put_task_struct(task);
}
- if (fs) {
- read_lock(&fs->lock);
- *path = fs->root;
- path_get(&fs->root);
- read_unlock(&fs->lock);
- result = 0;
- put_fs_struct(fs);
- }
return result;
}
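Review bot: The new calls pass integer literals to a `bool root` parameter, `result = get_fs_path(task, path, 0);` in proc_cwd_link() and `result = get_fs_path(task, path, 1);` in proc_root_link(), which hides what the third argument selects; the same applies to the call in the mounts_open_common() hunk. Writing them as `result = get_fs_path(task, path, false);` and `result = get_fs_path(task, path, true);` makes the pwd/root choice readable at the call site without changing behaviour.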
@@ -596,7 +585,6 @@ static int mounts_open_common(struct ino
struct task_struct *task = get_proc_task(inode);
struct nsproxy *nsp;
struct mnt_namespace *ns = NULL;
- struct fs_struct *fs = NULL;
struct path root;
struct proc_mounts *p;
int ret = -EINVAL;
@@ -610,22 +598,16 @@ static int mounts_open_common(struct ino
get_mnt_ns(ns);
}
rcu_read_unlock();
- if (ns)
- fs = get_fs_struct(task);
+ if (ns && get_fs_path(task, &root, 1) == 0)
+ ret = 0;
put_task_struct(task);
}
if (!ns)
goto err;
- if (!fs)
+ if (ret)
goto err_put_ns;
- read_lock(&fs->lock);
- root = fs->root;
- path_get(&root);
- read_unlock(&fs->lock);
- put_fs_struct(fs);
-
ret = -ENOMEM;
p = kmalloc(sizeof(struct proc_mounts), GFP_KERNEL);
if (!p)
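Review bot: `if (ns && get_fs_path(task, &root, 1) == 0) ret = 0;` discards the -ENOENT from get_fs_path() and relies on `ret` still holding its initial -EINVAL when the task has no fs_struct, so `ret` now doubles as the "got root" flag that the later `if (ret) goto err_put_ns;` tests. That preserves the pre-patch error code, but the coupling between the initialiser, this line and the goto is easy to break in a later edit, so I would either write `if (ns) ret = get_fs_path(task, &root, 1);` (accepting that a missing fs_struct then reports -ENOENT instead of -EINVAL) or keep the current form with a comment: `/* ret stays -EINVAL if the task has no fs_struct; on success root holds a reference that every later error path must path_put() */`. mounts_open_common() continues outside the hunk, so the cleanup labels that drop the root reference are not visible here.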