From: Vasiliy Kulikov <segoon@openwall.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org, akpm@linux-foundation.org,
viro@zeniv.linux.org.uk, rientjes@google.com, wilsons@start.ca,
security@kernel.org, kernel-hardening@lists.openwall.com
Subject: [PATCH v2] proc: fix a race in do_io_accounting()
Date: Tue, 5 Jul 2011 00:13:39 +0400 [thread overview]
Message-ID: <20110704201339.GA5645@albatros> (raw)
In-Reply-To: <CA+55aFwfr-oAa-2L9O_rd9iZDyVr0b+gFQS=_R5PUxmhh3JEsg@mail.gmail.com>
There is a ptrace_may_access() check in do_io_accounting() to prevent
gathering information of setuid'ed and similar binaries. However, there
is a race against execve(). Holding task->signal->cred_guard_mutex
while gathering the information should protect against the race.
The order of locking is similar to the one inside of
ptrace_attach(): first goes cred_guard_mutex, then lock_task_sighand().
v2 - use mutex_lock_killable() instead of mutex_lock().
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: stable@kernel.org
---
fs/proc/base.c | 16 +++++++++++++---
1 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 083a4f2..4b9f159 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2711,9 +2711,16 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
{
struct task_io_accounting acct = task->ioac;
unsigned long flags;
+ int result;
- if (!ptrace_may_access(task, PTRACE_MODE_READ))
- return -EACCES;
+ result = mutex_lock_killable(&task->signal->cred_guard_mutex);
+ if (result)
+ return result;
+
+ if (!ptrace_may_access(task, PTRACE_MODE_READ)) {
+ result = -EACCES;
+ goto out_unlock;
+ }
if (whole && lock_task_sighand(task, &flags)) {
struct task_struct *t = task;
@@ -2724,7 +2731,7 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
unlock_task_sighand(task, &flags);
}
- return sprintf(buffer,
+ result = sprintf(buffer,
"rchar: %llu\n"
"wchar: %llu\n"
"syscr: %llu\n"
@@ -2739,6 +2746,9 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
(unsigned long long)acct.read_bytes,
(unsigned long long)acct.write_bytes,
(unsigned long long)acct.cancelled_write_bytes);
+out_unlock:
+ mutex_unlock(&task->signal->cred_guard_mutex);
+ return result;
}
static int proc_tid_io_accounting(struct task_struct *task, char *buffer)
--
1.7.0.4
next prev parent reply other threads:[~2011-07-04 20:13 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-07-03 10:39 [PATCH] proc: fix a race in do_io_accounting() Vasiliy Kulikov
2011-07-03 19:24 ` Linus Torvalds
2011-07-03 20:01 ` Vasiliy Kulikov
2011-07-04 20:13 ` Vasiliy Kulikov [this message]
2011-07-05 21:13 ` [PATCH v2] " Andrew Morton
2011-07-06 16:34 ` [PATCH v3] " Vasiliy Kulikov
2011-07-15 6:38 ` Vasiliy Kulikov
2011-07-15 16:14 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110704201339.GA5645@albatros \
--to=segoon@openwall.com \
--cc=akpm@linux-foundation.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rientjes@google.com \
--cc=security@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=wilsons@start.ca \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox