* Re: [PATCH] fix mm_access bug in pagemap_read
From: Jann Horn @ 2016-08-02 21:40 UTC (permalink / raw)
To: Joe Korty; +Cc: stable, linux-kernel
On Tue, Aug 02, 2016 at 03:26:53PM -0400, Joe Korty wrote:
> Hi Jann,
> The following linux-4.1.y git commit, y > 17,
>
> Commit caaee6234d05a58c5b4d05e7bf766131b810a657
> Author: Jann Horn <jann@thejh.net>
> Date: Wed Jan 20 15:00:04 2016 -0800
>
> ptrace: use fsuid, fsgid, effective creds for fs access checks
>
> broke linux-4.1.y with the following oops, repeated forever.
> [ 81.122531] ------------[ cut here ]------------
> [ 81.127161] WARNING: CPU: 6 PID: 5553 at kernel/ptrace.c:248 __ptrace_may_access+0x18a/0x1a0()
> [ 81.135780] denying ptrace access check without PTRACE_MODE_*CREDS

(Nit: That's just a warning, not an oops - it blocks access, but
doesn't kill the calling process. But still not good, of course.)

> The problem is that the above git commit missed one mm_access call
> that needed converting. In this patch, we convert PTRACE_MODE_READ
> to PTRACE_MODE_READ_FSCREDS as that seems more correct for pagemap_read
> than PTRACE_MODE_READ_REALCREDS.

Yup, PTRACE_MODE_READ_FSCREDS is appropriate here.

> There may be stable releases other than linux-4.1.y that need this fix.
>
> Signed-off-by: Joe Korty <joe.korty@ccur.com>
>
> Index: b/fs/proc/task_mmu.c
> ===================================================================
> --- a/fs/proc/task_mmu.c
> +++ b/fs/proc/task_mmu.c
> @@ -1257,7 +1257,7 @@ static ssize_t pagemap_read(struct file
> if (!pm.buffer)
> goto out_task;
>
> - mm = mm_access(task, PTRACE_MODE_READ);
> + mm = mm_access(task, PTRACE_MODE_READ_FSCREDS);
> ret = PTR_ERR(mm);
> if (!mm || IS_ERR(mm))
> goto out_free;
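
Review bot: the changelog justifies the flag on the changed `mm_access(task, PTRACE_MODE_READ_FSCREDS)` line only with "seems more correct", which is thin for a credential-check change going to stable. Say why: `pagemap_read` is a read handler in fs/proc/task_mmu.c, so this is a filesystem-style access check, the case the referenced commit's subject ("use fsuid, fsgid, effective creds for fs access checks") assigns to the FSCREDS variant. The description should also call the trace a WARNING rather than an oops, and name the affected stable branches in the changelog so the backport scope is recorded with the patch.
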
* Re: [PATCH] fix mm_access bug in pagemap_read
From: Jann Horn @ 2016-08-03 20:43 UTC (permalink / raw)
To: Joe Korty; +Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org
On Wed, Aug 03, 2016 at 02:58:30PM -0400, Joe Korty wrote:
> On Tue, Aug 02, 2016 at 05:40:48PM -0400, Jann Horn wrote:
> > On Tue, Aug 02, 2016 at 03:26:53PM -0400, Joe Korty wrote:
> > > Hi Jann,
> > > The following linux-4.1.y git commit, y > 17,
> > >
> > > Commit caaee6234d05a58c5b4d05e7bf766131b810a657
> > > Author: Jann Horn <jann@thejh.net>
> > > Date: Wed Jan 20 15:00:04 2016 -0800
> > >
> > > ptrace: use fsuid, fsgid, effective creds for fs access checks
> > >
> > > broke linux-4.1.y with the following oops, repeated forever.
> >
> > > [ 81.122531] ------------[ cut here ]------------
> > > [ 81.127161] WARNING: CPU: 6 PID: 5553 at kernel/ptrace.c:248 __ptrace_may_access+0x18a/0x1a0()
> > > [ 81.135780] denying ptrace access check without PTRACE_MODE_*CREDS
> >
> > (Nit: That's just a warning, not an oops - it blocks access, but
> > doesn't kill the calling process. But still not good, of course.)
> >
> >
> > > The problem is that the above git commit missed one mm_access call
> > > that needed converting. In this patch, we convert PTRACE_MODE_READ
> > > to PTRACE_MODE_READ_FSCREDS as that seems more correct for pagemap_read
> > > than PTRACE_MODE_READ_REALCREDS.
> >
> > Yup, PTRACE_MODE_READ_FSCREDS is appropriate here.
> >
> >
> > > There may be stable releases other than linux-4.1.y that need this fix.
> > >
> > > Signed-off-by: Joe Korty <joe.korty@ccur.com>
> > >
> > > Index: b/fs/proc/task_mmu.c
> > > ===================================================================
> > > --- a/fs/proc/task_mmu.c
> > > +++ b/fs/proc/task_mmu.c
> > > @@ -1257,7 +1257,7 @@ static ssize_t pagemap_read(struct file
> > > if (!pm.buffer)
> > > goto out_task;
> > >
> > > - mm = mm_access(task, PTRACE_MODE_READ);
> > > + mm = mm_access(task, PTRACE_MODE_READ_FSCREDS);
> > > ret = PTR_ERR(mm);
> > > if (!mm || IS_ERR(mm))
> > > goto out_free;
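
Review bot: the unchanged error path right after the converted call (`ret = PTR_ERR(mm);` followed by `if (!mm || IS_ERR(mm)) goto out_free;`) is where callers ended up while the old flag was being denied, yet the changelog reports only the kernel log message. Add the user-visible symptom (reads of the pagemap file failing for the caller) so stable maintainers can judge impact without reproducing it. While touching this spot it is also worth a short comment that a NULL `mm` leaves `ret` at 0, since `PTR_ERR(NULL)` is 0 and the read then returns no data rather than an error.
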
> >
>
>
> Hi Jann,
> Greg may need an 'Acked-by' from you before he can apply this fix.

Ah, okay. Sure, you can add:

Acked-by: Jann Horn <jann@thejh.net>

> Greg, I just looked at the longterm and the 4.7 releases and it
> appears that only 4.1 and 3.18 need this fix.