From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from aserp1040.oracle.com ([141.146.126.69]:27753 "EHLO aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751940AbcF0XqW (ORCPT ); Mon, 27 Jun 2016 19:46:22 -0400
Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u5RNkLsF023445 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Mon, 27 Jun 2016 23:46:21 GMT
From: kenny.keslar@oracle.com
To: sasha.levin@oracle.com
Cc: Kenny Keslar , stable@vger.kernel.org
Subject: [PATCH 4.1] fs/proc/task_mmu.c: fix mm_access() mode parameter in pagemap_read()
Date: Mon, 27 Jun 2016 18:46:09 -0500
Message-Id: <1467071169-26351-1-git-send-email-kenny.keslar@oracle.com>
Sender: stable-owner@vger.kernel.org
List-ID:

From: Kenny Keslar

Backport of caaee6234d05a58c5b4d05e7bf766131b810a657 ("ptrace: use fsuid,
fsgid, effective creds for fs access checks") failed to update the mode
parameter in the mm_access() call in pagemap_read() to have one of the new
PTRACE_MODE_*CREDS flags.

Attempting to read any other process' pagemap results in a WARN()

WARNING: CPU: 0 PID: 883 at kernel/ptrace.c:229 __ptrace_may_access+0x14a/0x160()
denying ptrace access check without PTRACE_MODE_*CREDS
Modules linked in: loop sg e1000 i2c_piix4 ppdev virtio_balloon virtio_pci parport_pc i2c_core virtio_ring ata_generic serio_raw pata_acpi virtio parport pcspkr floppy acpi_cpufreq ip_tables ext3 mbcache jbd sd_mod ata_piix crc32c_intel libata
CPU: 0 PID: 883 Comm: cat Tainted: G W 4.1.12-51.el7uek.x86_64 #2
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
 0000000000000286 00000000619f225a ffff88003b6fbc18 ffffffff81717021
 ffff88003b6fbc70 ffffffff819be870 ffff88003b6fbc58 ffffffff8108477a
 000000003b6fbc58 0000000000000001 ffff88003d287000 0000000000000001
Call Trace:
 [] dump_stack+0x63/0x81
 [] warn_slowpath_common+0x8a/0xc0
 [] warn_slowpath_fmt+0x55/0x70
 [] __ptrace_may_access+0x14a/0x160
 [] ptrace_may_access+0x32/0x50
 [] mm_access+0x6d/0xb0
 [] pagemap_read+0xe1/0x360
 [] ? lru_cache_add_active_or_unevictable+0x2b/0xa0
 [] __vfs_read+0x37/0x100
 [] ? security_file_permission+0x84/0xa0
 [] ? rw_verify_area+0x56/0xe0
 [] vfs_read+0x86/0x140
 [] SyS_read+0x55/0xd0
 [] system_call_fastpath+0x12/0x71

Fixes: ab88ce5feca4 (ptrace: use fsuid, fsgid, effective creds for fs access checks)
Signed-off-by: Kenny Keslar
Cc: stable@vger.kernel.org
Cc: sasha.levin@oracle.com
---
 fs/proc/task_mmu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 6dee68d013ff..32287fb146db 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -1257,7 +1257,7 @@ static ssize_t pagemap_read(struct file *file, char __user *buf, if (!pm.buffer) goto out_task; - mm = mm_access(task, PTRACE_MODE_READ); + mm = mm_access(task, PTRACE_MODE_READ_FSCREDS); ret = PTR_ERR(mm); if (!mm || IS_ERR(mm)) goto out_free; -- 2.5.0
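
Review bot: the commit message does not say why the changed mm_access() line in pagemap_read() takes PTRACE_MODE_READ_FSCREDS rather than a REALCREDS variant; one sentence noting that this is a procfs read, so the check should use the caller's filesystem credentials as the referenced commit's title describes, would make the choice reviewable. The message also describes the symptom only as a WARN(), while the quoted warning text reads "denying ptrace access check without PTRACE_MODE_*CREDS", so it should state that before this change the read of another process' pagemap is refused as well as logged. Since the cause is a backport that missed one call site, please confirm in the message that no other mm_access() or ptrace_may_access() caller in the 4.1 tree still passes a bare PTRACE_MODE_READ, as each would take the same path shown in the call trace. The Fixes: tag cites ab88ce5feca4 while the body cites caaee6234d05a58c5b4d05e7bf766131b810a657 for the same subject line; say which id belongs to which tree.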