proc: do not access cmdline nor environ from file-backed areas (CVE-2018-1120)
This commit is contained in:
parent
9deec69be4
commit
c2dbc30362
|
@ -258,6 +258,8 @@ linux (4.16.8-1) UNRELEASED; urgency=medium
|
|||
* [rt] certs: Reference certificate for test key used in Debian signing
|
||||
service
|
||||
* mm, oom: fix concurrent munlock and oom reaper unmap (CVE-2018-1000200)
|
||||
* proc: do not access cmdline nor environ from file-backed areas
|
||||
(CVE-2018-1120)
|
||||
|
||||
-- Vagrant Cascadian <vagrant@debian.org> Mon, 30 Apr 2018 11:23:15 -0700
|
||||
|
||||
|
|
106
debian/patches/bugfix/all/proc-do-not-access-cmdline-nor-environ-from-file-bac.patch
vendored
Normal file
106
debian/patches/bugfix/all/proc-do-not-access-cmdline-nor-environ-from-file-bac.patch
vendored
Normal file
|
@ -0,0 +1,106 @@
|
|||
From: Willy Tarreau <w@1wt.eu>
|
||||
Date: Fri, 11 May 2018 08:11:44 +0200
|
||||
Subject: proc: do not access cmdline nor environ from file-backed areas
|
||||
Origin: https://git.kernel.org/linus/7f7ccc2ccc2e70c6054685f5e3522efa81556830
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1120
|
||||
|
||||
proc_pid_cmdline_read() and environ_read() directly access the target
|
||||
process' VM to retrieve the command line and environment. If this
|
||||
process remaps these areas onto a file via mmap(), the requesting
|
||||
process may experience various issues such as extra delays if the
|
||||
underlying device is slow to respond.
|
||||
|
||||
Let's simply refuse to access file-backed areas in these functions.
|
||||
For this we add a new FOLL_ANON gup flag that is passed to all calls
|
||||
to access_remote_vm(). The code already takes care of such failures
|
||||
(including unmapped areas). Accesses via /proc/pid/mem were not
|
||||
changed though.
|
||||
|
||||
This was assigned CVE-2018-1120.
|
||||
|
||||
Note for stable backports: the patch may apply to kernels prior to 4.11
|
||||
but silently miss one location; it must be checked that no call to
|
||||
access_remote_vm() keeps zero as the last argument.
|
||||
|
||||
Reported-by: Qualys Security Advisory <qsa@qualys.com>
|
||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Cc: Andy Lutomirski <luto@amacapital.net>
|
||||
Cc: Oleg Nesterov <oleg@redhat.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Willy Tarreau <w@1wt.eu>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
fs/proc/base.c | 8 ++++----
|
||||
include/linux/mm.h | 1 +
|
||||
mm/gup.c | 3 +++
|
||||
3 files changed, 8 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/fs/proc/base.c b/fs/proc/base.c
|
||||
index 1b2ede6abcdf..1a76d751cf3c 100644
|
||||
--- a/fs/proc/base.c
|
||||
+++ b/fs/proc/base.c
|
||||
@@ -261,7 +261,7 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf,
|
||||
* Inherently racy -- command line shares address space
|
||||
* with code and data.
|
||||
*/
|
||||
- rv = access_remote_vm(mm, arg_end - 1, &c, 1, 0);
|
||||
+ rv = access_remote_vm(mm, arg_end - 1, &c, 1, FOLL_ANON);
|
||||
if (rv <= 0)
|
||||
goto out_free_page;
|
||||
|
||||
@@ -279,7 +279,7 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf,
|
||||
int nr_read;
|
||||
|
||||
_count = min3(count, len, PAGE_SIZE);
|
||||
- nr_read = access_remote_vm(mm, p, page, _count, 0);
|
||||
+ nr_read = access_remote_vm(mm, p, page, _count, FOLL_ANON);
|
||||
if (nr_read < 0)
|
||||
rv = nr_read;
|
||||
if (nr_read <= 0)
|
||||
@@ -325,7 +325,7 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf,
|
||||
bool final;
|
||||
|
||||
_count = min3(count, len, PAGE_SIZE);
|
||||
- nr_read = access_remote_vm(mm, p, page, _count, 0);
|
||||
+ nr_read = access_remote_vm(mm, p, page, _count, FOLL_ANON);
|
||||
if (nr_read < 0)
|
||||
rv = nr_read;
|
||||
if (nr_read <= 0)
|
||||
@@ -946,7 +946,7 @@ static ssize_t environ_read(struct file *file, char __user *buf,
|
||||
max_len = min_t(size_t, PAGE_SIZE, count);
|
||||
this_len = min(max_len, this_len);
|
||||
|
||||
- retval = access_remote_vm(mm, (env_start + src), page, this_len, 0);
|
||||
+ retval = access_remote_vm(mm, (env_start + src), page, this_len, FOLL_ANON);
|
||||
|
||||
if (retval <= 0) {
|
||||
ret = retval;
|
||||
diff --git a/include/linux/mm.h b/include/linux/mm.h
|
||||
index 1ac1f06a4be6..c080af584ddd 100644
|
||||
--- a/include/linux/mm.h
|
||||
+++ b/include/linux/mm.h
|
||||
@@ -2493,6 +2493,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma,
|
||||
#define FOLL_MLOCK 0x1000 /* lock present pages */
|
||||
#define FOLL_REMOTE 0x2000 /* we are working on non-current tsk/mm */
|
||||
#define FOLL_COW 0x4000 /* internal GUP flag */
|
||||
+#define FOLL_ANON 0x8000 /* don't do file mappings */
|
||||
|
||||
static inline int vm_fault_to_errno(int vm_fault, int foll_flags)
|
||||
{
|
||||
diff --git a/mm/gup.c b/mm/gup.c
|
||||
index 76af4cfeaf68..541904a7c60f 100644
|
||||
--- a/mm/gup.c
|
||||
+++ b/mm/gup.c
|
||||
@@ -544,6 +544,9 @@ static int check_vma_flags(struct vm_area_struct *vma, unsigned long gup_flags)
|
||||
if (vm_flags & (VM_IO | VM_PFNMAP))
|
||||
return -EFAULT;
|
||||
|
||||
+ if (gup_flags & FOLL_ANON && !vma_is_anonymous(vma))
|
||||
+ return -EFAULT;
|
||||
+
|
||||
if (write) {
|
||||
if (!(vm_flags & VM_WRITE)) {
|
||||
if (!(gup_flags & FOLL_FORCE))
|
||||
--
|
||||
2.17.0
|
||||
|
|
@ -143,6 +143,7 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
|||
bugfix/all/xfs-enhance-dinode-verifier.patch
|
||||
bugfix/all/xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
|
||||
bugfix/all/mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap-v.patch
|
||||
bugfix/all/proc-do-not-access-cmdline-nor-environ-from-file-bac.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|
Loading…
Reference in New Issue